HIPAA Compliance for Telehealth in 2026: A Provider’s Playbook

The 2026 HIPAA Security Rule update is the first time HIPAA’s technical safeguards have been rewritten with a video-visit, mobile-first care model in mind. For telehealth providers, that means encryption, MFA, session logging, and BAA inventory are no longer best practice — they’re the floor. Here’s the playbook.

What changed for telehealth in the 2026 HIPAA Security Rule

When HHS finalized the 2026 Security Rule revisions, three changes moved telehealth from a “we got an Enforcement Discretion pass” footnote into the center of the regulated frame:

The Public Health Emergency Enforcement Discretion that let telehealth providers use FaceTime and consumer Zoom is long gone. In 2026, OCR is treating telehealth like any other PHI workflow.

The seven HIPAA controls every telehealth provider needs in 2026

1. A current Security Risk Assessment that includes telehealth

A pre-pandemic SRA that doesn’t mention video visits, e-prescribing, remote patient monitoring, or asynchronous messaging is out of date by definition. The 2026 rule expects the SRA to enumerate every PHI workflow — telehealth included — with the specific safeguards applied to each. See the best HIPAA risk assessment tools for 2026 for what a modern SRA covers.

2. A Business Associate Agreement with the video platform

The video vendor (Zoom for Healthcare, Doxy.me, Teladoc-bundled platforms, EHR-embedded video, etc.) is a business associate the moment it touches PHI. No BAA, no telehealth visit. Annual BAA verification — not just signature at procurement — is now an expectation. See our BAA requirements guide for the clauses every BAA must contain.

3. End-to-end encryption on the video stream and the recording

Encrypt the video stream in transit and every recording at rest. Recordings stored in the EHR or in the vendor’s cloud must be encrypted, with key management documented.

4. MFA on every clinician account

Phishing-resistant MFA (TOTP app, hardware key, FIDO2) for any account that touches the EHR or the video platform. SMS MFA is allowed but degraded; OCR has called it weak in recent enforcement actions.

5. Session and access logging

Who joined the visit, from what device, what they accessed, and what they exported. The 2026 rule expects logs to survive long enough to support an after-the-fact breach investigation — typically six years.

6. Device hygiene for clinician endpoints

Personal laptops, home iPads, and non-issued phones used for telehealth need full-disk encryption, screen lock, antivirus or EDR, and a documented sanitization step when the clinician leaves. A BYOD policy without enforcement is not a control.

7. A documented breach-response runbook that covers telehealth scenarios

Common telehealth breach scenarios — wrong patient joined the room, recording shared in error, vendor outage exposed PHI, compromised clinician laptop — need playbooks, not improvisation.

Telehealth BAAs — what to verify in 2026

Annual BAA verification is the single most underrated control for telehealth providers. A signed BAA from 2021 that hasn’t been touched since is a finding waiting to happen. Verify that the vendor still operates under the same legal entity, that the sub-processor list is current, that the breach-notification timeline meets the 60-day OCR window with internal slack, that the right-to-audit clause is intact, and that the termination plus return-or-destroy-of-PHI clause is enforceable. If the vendor’s BAA is silent on AI training use of PHI, get that clarified in writing. The 2026 rule treats AI vendor data flows as standard PHI flows.

Telehealth across state lines — what HIPAA does and doesn’t cover

HIPAA is a federal floor. State telehealth privacy laws stack on top — and several states (California, Texas, Washington, New York) added recent telehealth-specific rules around recording consent, minor consent, and behavioral-health PHI. A provider licensed in five states needs five compliance overlays. Medcurity’s state-by-state HIPAA pages are starting points; pair them with state-specific telehealth licensure boards.

Special telehealth populations

Behavioral health telehealth. 42 CFR Part 2 (substance use disorder) overlays HIPAA with stricter consent requirements. The video platform must support Part 2 segregation.

Pediatric telehealth. Minor consent rules vary by state; the parent-portal access model needs an audit trail per visit.

Community health center telehealth. FQHCs and rural health clinics deliver substantial telehealth volume under HRSA grant conditions. See HIPAA compliance for community health centers and HIPAA compliance for rural health clinics for the safety-net overlays.

Telehealth startups. Series-A telehealth platforms often inherit a tangle of consumer-grade vendors. A single SRA pass usually surfaces 8–12 BAA gaps. Worth doing before the next HIPAA-aware customer asks.

What it costs to get telehealth HIPAA right in 2026

Telehealth-specific compliance is mostly a one-time setup cost (BAA inventory, MFA rollout, SRA refresh) followed by ongoing maintenance (annual BAA reverification, training, log review). For a 10-clinician telehealth practice, expect $8K–$18K in year-one setup and $4K–$9K per year ongoing — far less than the average $200K+ cost of a single OCR investigation. See HIPAA compliance cost breakdown for the full model across practice sizes.

Common telehealth compliance mistakes (2026 edition)

  1. Treating consumer Zoom, FaceTime, or Teams as compliant. Even with “HIPAA mode,” the BAA must be signed and the configuration verified.
  2. Recording visits without consent and retention policy. The recording is PHI from the moment it exists.
  3. Using personal devices without a BYOD policy. Encryption + remote-wipe + screen lock are the minimum.
  4. Skipping MFA on the EHR. Telehealth means clinicians log in from variable networks; MFA is the only credible defense.
  5. Letting the BAA inventory drift. AI scribe vendors, ambient documentation tools, and transcription services proliferate fast.
  6. Forgetting that texted appointment reminders are PHI. SMS reminders need patient authorization or a TCPA-compliant opt-in path.
  7. No documented breach playbook for “wrong patient joined.” It happens. Have the runbook.

How Medcurity supports telehealth providers

Schedule a Medcurity demo or pull our telehealth compliance starter checklist via our contact page and we’ll map your current stack against the 2026 rule in 30 minutes.

Frequently asked questions

Is FaceTime HIPAA-compliant in 2026?

No. The Public Health Emergency Enforcement Discretion that allowed consumer FaceTime expired in 2023. FaceTime has no BAA path with Apple, no enterprise logging, and no MFA. Use a HIPAA-eligible video platform with a signed BAA.

Do I need a separate BAA for AI scribe tools used during telehealth visits?

Yes. Any vendor processing the audio, transcript, or summary is a business associate and needs a BAA. Verify their data-flow disclosure includes whether PHI is used for model training.

How long do I need to retain telehealth visit recordings?

HIPAA itself doesn’t set a retention period; state law and clinical-record retention rules do. Most states require 5–10 years from the date of last visit (longer for minors). Whatever you retain must be encrypted at rest.

Does my telehealth platform’s HIPAA compliance cover my obligations?

No. The vendor is responsible for the platform; you’re responsible for your overall HIPAA program — risk assessment, training, BAAs, breach response, device hygiene, and audit-readiness. The vendor BAA is one piece of the picture.

What’s the biggest 2026 change for telehealth providers?

Encryption and MFA moved from “addressable” to effectively required. If your practice was relying on the “addressable” framing to defer those controls, the runway has closed.
