Why Telehealth Creates Unique HIPAA Exposure
Telehealth providers face HIPAA exposure that in-office care does not. The core problem: you are operating a technology platform, not just a clinical practice. Every piece of software that touches a patient session (your video vendor, your EHR, your messaging system, your AI transcription tool) is a potential vector for ePHI exposure, and each one is a business associate whose mistakes become your breach-notification and enforcement problem.
The pandemic-era cushion is gone. OCR's Notification of Enforcement Discretion for telehealth, which allowed non-public-facing consumer video tools to be used without a BAA during the COVID-19 public health emergency, expired when the emergency ended, and OCR's transition period ran out on August 9, 2023. Since then the ordinary rules apply in full: every vendor that handles ePHI needs a signed BAA, and session traffic needs the same technical safeguards as any other ePHI transmission.
The FTC polices the same companies under its own authority. Its 2023 actions against GoodRx (Health Breach Notification Rule) and BetterHelp (Section 5 of the FTC Act) turned on health and telehealth services sharing users' health information with advertising and analytics platforms. The same tracker problem on a HIPAA-covered telehealth site is a disclosure of ePHI to the tracking vendor, which then either needs a BAA or must not receive the data at all.
Telehealth-Specific HIPAA Requirements
Audio/Video Encryption Standards
Telehealth video sessions fall under the same Transmission Security standard as any other ePHI transmission (§164.312(e)(1)). Encryption is an addressable implementation specification there (§164.312(e)(2)(ii)), which means you implement it or document why an equivalent control is reasonable; for real-time media crossing the public internet there is no credible equivalent, so treat it as mandatory. The implementation details are specific to real-time audio and video:
- Control and signaling channels in transit must use TLS 1.2 or higher. HIPAA itself names no protocol version, but the NIST guidance OCR points to (SP 800-52 Rev. 2) sets TLS 1.2 as the floor, and RFC 8996 formally deprecated TLS 1.0 and 1.1 in 2021. A platform that still negotiates 1.0 or 1.1 will not survive a risk analysis.
- Audio and video streams must be encrypted with SRTP (Secure Real-time Transport Protocol), keyed by DTLS-SRTP as WebRTC mandates. Ask the vendor whether any SDES or plain-RTP fallback exists for legacy clients, and get it disabled.
- Session recordings, transcripts, and chat logs stored on any platform must be encrypted at rest (AES-256 in a FIPS 140-validated module is the safe default).
- End-to-end encryption (E2EE) with forward secrecy is not a HIPAA requirement; hop-by-hop transport encryption is compliant as long as every hop that sees cleartext media belongs to a vendor under BAA. What you must know is where the media is in the clear: a selective forwarding unit, recording service or transcription pipeline that decrypts streams is a point where the vendor and its subcontractors handle ePHI. Use E2EE where the platform offers it, and understand that it normally disables server-side recording and transcription.
- Key management must be documented: who can access session and recording keys, whether keys are vendor-managed or customer-managed (for example in your own KMS), and how and when they are rotated.
Business Associate Agreements with Platform Vendors
This is where many telehealth operators have gaps. Using a video platform, an EHR vendor, a scheduling tool, or an AI transcription service, all of which create, receive, maintain or transmit ePHI on your behalf, makes each of them a Business Associate. HIPAA requires a signed BAA before any ePHI is shared (§164.308(b)(1), §164.502(e)), and the obligation flows down: a Business Associate must in turn hold a BAA with every subcontractor that handles the ePHI (§164.308(b)(2), §164.314(a)(2)(i)(B)). The conduit exception covers only carriers that merely transport data (an ISP, a phone company); a platform that decrypts, relays, records or stores sessions is not a conduit.
Common telehealth vendor categories requiring BAAs:
- Video consultation platform (Zoom for Healthcare, Doxy.me, etc.)
- EHR or practice management system with telehealth module
- Remote patient monitoring (RPM) device vendor
- AI transcription or ambient clinical documentation provider
- Cloud infrastructure (AWS, Google Cloud, Azure). These vendors offer standard BAAs, but each BAA covers only the services the provider designates as HIPAA-eligible, so check that every service in the session path (media servers, object storage for recordings, managed transcription) is on that list
- CDN, TURN/relay and recording-storage services used by your video platform. You do not sign with these directly; they are the platform's subcontractors, and the platform's BAA with you must commit it to flowing the terms down to them
Remote Patient Monitoring (RPM) Safeguards
RPM devices (blood pressure monitors, continuous glucose monitors, pulse oximeters) collect ePHI continuously and transmit it to your platform, usually over Bluetooth Low Energy to a phone app and from there over the internet. HIPAA requirements for RPM include:
- Device-to-platform transmission encrypted on every hop. HIPAA does not name a Bluetooth version, but the technical reality is that BLE legacy pairing (the only mode before Bluetooth 4.2, and still common) derives its link key from a value a sniffer can recover during pairing, while LE Secure Connections (Bluetooth 4.2 and later) uses ECDH key agreement. Require LE Secure Connections, and remember that a device with no display or buttons still ends up with Just Works pairing, which resists passive sniffing but not an active attacker present at pairing time; pair such devices in a controlled setting.
- Data stored in the platform must meet encryption-at-rest requirements
- Patient data access controls: patients have a right to access (§164.524) and to request amendment of (§164.526) RPM data held in your designated record set, and the app's own access controls must not let one patient's readings reach another patient's account
- Device firmware must be kept current. Unpatched devices are a documented risk vector, and for device submissions since March 2023 FDA requires manufacturers of "cyber devices" to plan for and deliver security updates (FD&C Act §524B), so ask the vendor for its patch cadence and an SBOM.
- RPM vendor BAA must cover the specific data types and transmission methods they handle, including the phone app vendor if that is a different company
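To make the Bluetooth point concrete, here is an added Python example (not from CompliMed or any device manufacturer) that works out which SMP pairing method a phone and an RPM device will end up with from their IO capabilities and pairing flags, following the mapping in the Bluetooth Core Specification (Vol. 3, Part H, Section 2.3.5.1), and reports what that method does and does not protect against. The device profiles at the bottom are constructed sample data; the `meets_baseline` policy (authenticated pairing over LE Secure Connections) is this example's assumption about what an RPM intake review should require, not a HIPAA rule.

```python
"""BLE pairing-method classifier for RPM device intake (added example, not vendor code)."""
from enum import Enum
from typing import Dict, List


class IoCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"
    DISPLAY_YES_NO = "DisplayYesNo"
    KEYBOARD_ONLY = "KeyboardOnly"
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"
    KEYBOARD_DISPLAY = "KeyboardDisplay"


def pairing_method(init: IoCap, resp: IoCap, secure_connections: bool,
                   mitm_requested: bool, oob_available: bool) -> str:
    """Select the SMP pairing method from IO capabilities and AuthReq flags.

    secure_connections: both sides set the SC bit (needs Bluetooth 4.2+ on both).
    mitm_requested: at least one side set the MITM bit; otherwise Just Works is used.
    oob_available: out-of-band data was exchanged, so the OOB method is selected.
    """
    if oob_available:
        return "OOB"
    if not mitm_requested:
        return "Just Works"             # nobody asked for an authenticated pairing
    both = (init, resp)
    if IoCap.NO_INPUT_NO_OUTPUT in both:
        return "Just Works"             # one side can neither show nor type a passkey
    if IoCap.DISPLAY_ONLY in both:
        other = resp if init is IoCap.DISPLAY_ONLY else init
        if other in (IoCap.DISPLAY_ONLY, IoCap.DISPLAY_YES_NO):
            return "Just Works"         # two displays and no keyboard: nothing can be entered
        return "Passkey Entry"          # display shows a passkey, keyboard side types it
    if IoCap.KEYBOARD_ONLY in both:
        return "Passkey Entry"          # one or both sides type the passkey
    # Remaining combinations: both sides are DisplayYesNo or KeyboardDisplay.
    if secure_connections:
        return "Numeric Comparison"     # SC-only method: both sides confirm the same 6 digits
    if init is IoCap.DISPLAY_YES_NO and resp is IoCap.DISPLAY_YES_NO:
        return "Just Works"             # legacy pairing has no numeric comparison
    return "Passkey Entry"


def assess(device: str, phone: IoCap, dev: IoCap, secure_connections: bool,
           mitm_requested: bool = True, oob_available: bool = False) -> Dict[str, object]:
    """Classify one phone/device pairing and what it protects against."""
    method = pairing_method(phone, dev, secure_connections, mitm_requested, oob_available)
    # Legacy pairing derives the STK from a TK that is 0 (Just Works) or a 6-digit passkey,
    # so a sniffer that captures the pairing recovers the link key; SC uses ECDH P-256.
    # Legacy OOB with a random 128-bit TK is the one legacy mode a passive sniffer cannot break.
    sniff_resistant = secure_connections or method == "OOB"
    mitm_protected = method != "Just Works"  # Just Works never authenticates the peer
    return {
        "device": device,
        "method": method,
        "passive_sniffing_resistant": sniff_resistant,
        "mitm_protected": mitm_protected,
        # Assumed intake baseline for this example: authenticated pairing over SC.
        "meets_baseline": sniff_resistant and mitm_protected,
    }


# Constructed sample profiles: (device, phone IO cap, device IO cap, SC supported by both).
SAMPLE_DEVICES = [
    ("BP cuff, no display (SC)", IoCap.KEYBOARD_DISPLAY, IoCap.NO_INPUT_NO_OUTPUT, True),
    ("BP cuff, no display (legacy)", IoCap.KEYBOARD_DISPLAY, IoCap.NO_INPUT_NO_OUTPUT, False),
    ("Glucometer with 6-digit display (SC)", IoCap.KEYBOARD_DISPLAY, IoCap.DISPLAY_ONLY, True),
    ("Pulse oximeter with Yes/No buttons (legacy)", IoCap.KEYBOARD_DISPLAY, IoCap.DISPLAY_YES_NO, False),
]


def intake_report() -> List[Dict[str, object]]:
    return [assess(name, phone, dev, sc) for name, phone, dev, sc in SAMPLE_DEVICES]


if __name__ == "__main__":
    for row in intake_report():
        print(row)
```

Run it and the display-less blood pressure cuff lands on Just Works even with Secure Connections enabled, which is exactly the case the bullet above warns about: the link key is safe from a passive sniffer, but nothing authenticates the peer at pairing time, so the compensating control has to be procedural (pair in clinic, short pairing window, verify the device address).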
Running a telehealth platform?
CompliMed's free HIPAA assessment covers your video platform, RPM vendors, and session infrastructure — with a score and gap report in under 10 minutes.
5 Common HIPAA Violations in Telehealth Settings
These are the failures most likely to surface in your own risk analysis or in an OCR investigation. If any apply to your operation, treat them as immediate priorities.
1. Using consumer-grade video platforms without a BAA. No product is "HIPAA-compliant" on its own; what makes a platform usable is a signed BAA plus a configuration that matches it. Consumer Zoom, personal Google Meet and FaceTime ship without a BAA (Zoom and Google offer one only on paid business and healthcare plans; Apple does not offer one for FaceTime). The OCR enforcement discretion that tolerated these tools during the public health emergency ended on August 9, 2023. "HIPAA-eligible" in a vendor's marketing means only that a BAA is available, not that you have one.
2. Unsecured transmission of appointment reminders and clinical communications. Sending prescription details, lab results or visit summaries over plain SMS or unencrypted email by default violates the Transmission Security standard. The nuance: OCR permits unencrypted email or text to a patient who has asked for it after being warned of the risk, and appointment reminders are permitted treatment communications, so document those patient requests and keep reminders free of clinical detail. The bulk SMS or email vendor that sends them is handling ePHI and needs a BAA.
3. Session recordings stored without encryption or access controls. Storing session recordings in personal cloud storage (a clinician's own Google Drive or iCloud) discloses ePHI to a vendor with no BAA, and storing them anywhere without role-based access controls and an audit trail violates the Access Control (§164.312(a)) and Integrity (§164.312(c)) standards.
4. No formal session termination procedures. Leaving a video session open after the visit, or reusing one persistent meeting link for every patient so that the next patient can join while the previous visit is still running, exposes session content. HIPAA's automatic logoff specification (§164.312(a)(2)(iii)) and your own procedures should cover ending the session, clearing the waiting room, and issuing per-visit links.
5. AI transcription vendors with no BAA, or with a BAA that does not cover what the tool actually does. Ambient documentation tools receive the entire session audio. Before signing, confirm that the BAA covers processing of session content, states how long audio and transcripts are retained, prohibits use of your sessions for model training unless you have authorized it and the data has been de-identified under §164.514, and commits the vendor to flow-down BAAs with the cloud speech and language-model APIs it relies on.
The flow-down point is the one most often missed: a Business Associate may pass ePHI to a subcontractor only under a BAA of its own (§164.308(b)(2)), so an AI vendor that sends your session audio to a third-party model API without such an agreement puts both of you out of compliance.
Telehealth HIPAA Compliance Checklist
Use this checklist to assess your current posture. Each item maps to a specific HIPAA Security Rule requirement. If you can't document an answer for any item, treat it as an open finding.
Platform & Vendor Controls
- Signed BAAs in place with every vendor that processes telehealth session data, recordings, or patient communications, each requiring the vendor to hold flow-down BAAs with its own subcontractors
- Video platform uses TLS 1.2+ for all connections and SRTP or equivalent for audio/video streams
- Session recordings and transcripts stored with AES-256 encryption at rest, with documented key management
- AI transcription or documentation vendor has a specific BAA addendum covering AI processing of session content
- RPM device vendor BAA covers the specific data types and transmission methods the devices use
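As an added example (not CompliMed's assessment tool or any vendor's code), the following Python encodes the Platform & Vendor checklist above, together with the subcontractor flow-down rule from the Business Associate Agreements section, as a check that runs over a vendor inventory. The inventory at the bottom is constructed sample data with placeholder vendor names; the severity labels and the `baa_scope` vocabulary (`ai_processing`, RPM data type names) are this example's own conventions, not HIPAA terms.

```python
"""Vendor-coverage audit for a telehealth stack (added example, not CompliMed's tool).

Rules encoded: every vendor that handles ePHI needs a BAA with the party one level up
(45 CFR 164.308(b)(1) for you, 164.308(b)(2) flow-down for a BA's subcontractors);
TLS 1.2 is the transport floor; video media must ride SRTP; an AI documentation vendor's
BAA must cover AI processing of session content; an RPM vendor's BAA must cover every
data type the devices actually send. Severity labels and scope keywords are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Finding = Tuple[str, str, str]  # (vendor path, severity, description)

TLS_RANK = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}


@dataclass
class Vendor:
    name: str
    category: str                 # video | ehr | ai_transcription | rpm | cloud | messaging | relay | other
    processes_ephi: bool
    baa_signed: bool = False      # BAA held by the party one level up (you, or the BA using this sub)
    baa_scope: Set[str] = field(default_factory=set)   # what the BAA explicitly covers
    data_types: Set[str] = field(default_factory=set)  # what the vendor actually receives
    tls_min: Optional[str] = None                      # lowest TLS version its endpoints accept
    media_protocol: Optional[str] = None               # "SRTP" or "RTP" for audio/video vendors
    subprocessors: List["Vendor"] = field(default_factory=list)


def audit_vendor(v: Vendor, upstream: Optional[str] = None) -> List[Finding]:
    """Audit one vendor and, recursively, the subcontractors it passes ePHI to."""
    path = v.name if upstream is None else f"{upstream} > {v.name}"
    findings: List[Finding] = []
    if not v.processes_ephi:
        return findings  # no ePHI, no BAA obligation, nothing in the session path to check
    if not v.baa_signed:
        if upstream is None:
            findings.append((path, "HIGH", "receives ePHI with no signed BAA (45 CFR 164.308(b)(1))"))
        else:
            findings.append((path, "HIGH", f"subcontractor of {upstream} handles ePHI "
                                           "with no flow-down BAA (45 CFR 164.308(b)(2))"))
    if v.tls_min is not None and TLS_RANK.get(v.tls_min, -1) < TLS_RANK["1.2"]:
        findings.append((path, "HIGH", f"still negotiates TLS {v.tls_min}; floor for ePHI in transit is 1.2"))
    if v.category == "video" and v.media_protocol != "SRTP":
        findings.append((path, "HIGH", f"audio/video carried over {v.media_protocol or 'unknown'}, not SRTP"))
    if v.baa_signed:  # scope checks only make sense once a BAA exists at all
        if v.category == "ai_transcription" and "ai_processing" not in v.baa_scope:
            findings.append((path, "MEDIUM", "BAA is silent on AI processing of session audio/transcripts"))
        if v.category == "rpm":
            uncovered = v.data_types - v.baa_scope
            if uncovered:
                findings.append((path, "MEDIUM", f"BAA does not cover RPM data types {sorted(uncovered)}"))
    for sub in v.subprocessors:
        findings.extend(audit_vendor(sub, upstream=path))
    return findings


def audit_stack(vendors: List[Vendor]) -> List[Finding]:
    out: List[Finding] = []
    for v in vendors:
        out.extend(audit_vendor(v))
    return out


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed sample inventory; the names are placeholders, not real vendors.
SAMPLE_STACK = [
    Vendor("SecureVisit Video", "video", True, baa_signed=True, tls_min="1.2", media_protocol="SRTP",
           subprocessors=[Vendor("Third-party TURN relay", "relay", True, baa_signed=False, tls_min="1.1")]),
    Vendor("MeetNow (consumer plan)", "video", True, baa_signed=False, tls_min="1.2", media_protocol="SRTP"),
    Vendor("AmbientScribe", "ai_transcription", True, baa_signed=True, baa_scope={"storage"},
           data_types={"audio", "transcript"}, tls_min="1.3"),
    Vendor("GlucoLink RPM", "rpm", True, baa_signed=True, baa_scope={"glucose"},
           data_types={"glucose", "spo2"}, tls_min="1.2"),
    Vendor("PaperInvoice Print Shop", "other", False),  # never sees ePHI: nothing to check
]

if __name__ == "__main__":
    for path, severity, text in audit_stack(SAMPLE_STACK):
        print(f"[{severity}] {path}: {text}")
    print(summarize(audit_stack(SAMPLE_STACK)))
```

The recursion is the point: the relay that the video platform uses never appears on your own contract list, so an audit that only walks your direct vendors misses both the missing flow-down BAA and the TLS 1.1 endpoint. Feed the same structure from your actual vendor inventory and treat every HIGH as an open finding in the risk analysis.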
Administrative & Operational Controls
- Session termination procedures documented and staff trained on closing sessions completely
- Patient communications (appointment reminders, prescription notices) sent by default via HIPAA-compliant secure messaging; unencrypted SMS or email used only where the patient requested it after being warned of the risk, with that request documented and the messaging vendor under BAA
- Unique user IDs required for all staff accessing telehealth sessions or patient data from telehealth encounters
- Audit logs of telehealth session access retained for a documented period; the Security Rule's six-year retention requirement (§164.316(b)(2)(i)) applies to required documentation, and treating audit logs as part of that documentation is the conservative reading most auditors expect
- Security incident response plan covers telehealth-specific scenarios (unauthorized session access, data exposed via video platform)
Physical & Device Controls
- RPM devices updated to latest firmware — unpatched devices documented as a risk in your risk analysis
- Automatic screen lock enforced on any device used to conduct telehealth sessions
- Remote wipe capability documented for all devices that access telehealth platforms
Related Compliance Resources
Telehealth HIPAA compliance doesn't exist in isolation. Your platform needs to satisfy the full HIPAA Security Rule, not just the telehealth-specific provisions above: the enterprise-wide risk analysis (§164.308(a)(1)(ii)(A)) is where every item in this checklist should be recorded as either a control or an open finding, and it is the document OCR most often cites as missing or inadequate in its settlements.