Telehealth HIPAA Compliance: A Practice Guide
by 4MEDNET Team
March 24, 2026
HIPAA

During the pandemic, the Office for Civil Rights (OCR) issued a notice of enforcement discretion that allowed healthcare providers to use any available telehealth platform — FaceTime, Skype, Zoom, WhatsApp — without risk of HIPAA penalties. That discretion ended on May 11, 2023. Full enforcement is back.

If your practice is still using a consumer video platform for telehealth visits, every visit since May 2023 is a potential HIPAA violation. The penalties start at $141 per violation and scale to $2.13 million per violation category per year.

What Changed When Enforcement Returned

During the enforcement discretion period (March 2020 to May 2023), OCR would not impose penalties for good-faith use of non-compliant telehealth platforms. This was an emergency measure to expand access to care during COVID-19. It was never a permanent policy change.

When enforcement discretion ended, the original HIPAA rules resumed in full. These rules require that any technology used to transmit ePHI must meet specific security standards. The platform must encrypt data in transit and at rest. The vendor must sign a Business Associate Agreement. Access controls must limit who can join a session. Audit logs must record session details.

OCR gave providers a 90-day transition window after enforcement discretion ended. That window closed on August 9, 2023. Since then, OCR has been investigating complaints and conducting audits with telehealth compliance as a priority area.

What HIPAA Requires for Telehealth

The HIPAA Security Rule applies to telehealth the same way it applies to every other system that handles ePHI. The core requirements are:

End-to-end encryption. Video and audio streams must be encrypted from the provider's device to the patient's device. The encryption must use current standards — AES-256 for data at rest and TLS 1.2 or higher for data in transit. The platform vendor should be able to provide documentation of their encryption implementation.

Business Associate Agreement. The telehealth platform vendor must sign a BAA with your practice. The BAA establishes that the vendor will protect ePHI according to HIPAA standards and accept liability for breaches on their end. No BAA means no compliance — regardless of how secure the platform claims to be.

Access controls. Only the provider and the patient should be able to access the telehealth session. This means unique meeting links (not recurring room IDs), waiting rooms that require provider approval, and the ability to lock sessions once all participants have joined.

Audit controls. The platform must log session metadata — who connected, when, duration, and any recordings. These logs support HIPAA's audit requirements and help investigate potential unauthorized access.

Automatic session termination. Sessions should end or lock after a period of inactivity. If a provider steps away from the screen, the session should not remain open indefinitely.
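The access-control, audit-control and session-termination items above can be checked against a platform's exported session records. The script below is an added example, not code from 4MEDNET or any telehealth vendor; the record format, the sample export and the 15-minute idle threshold are assumptions.

```python
from datetime import datetime, timedelta
from collections import Counter

# Fields an exported session record must carry to satisfy the audit-control item above.
REQUIRED_FIELDS = ("session", "participants", "connected", "disconnected", "recorded")
IDLE_LIMIT = timedelta(minutes=15)  # assumed threshold; HIPAA sets no fixed number

# Constructed sample export (not from any real platform): one clean session, one on a
# reused room id with a third participant and no waiting room, one left open long after
# its last activity and missing the 'recorded' field.
SAMPLE_LOG = [
    {"session": "u-8f31", "participants": ["dr.lee", "pt-4471"], "waiting_room": True,
     "connected": "2026-03-02T09:00:00", "last_activity": "2026-03-02T09:24:00",
     "disconnected": "2026-03-02T09:25:00", "recorded": False},
    {"session": "room-lee", "participants": ["dr.lee", "pt-5120", "pt-4471"],
     "waiting_room": False, "connected": "2026-03-02T10:00:00",
     "last_activity": "2026-03-02T10:18:00", "disconnected": "2026-03-02T10:20:00",
     "recorded": True},
    {"session": "room-lee", "participants": ["dr.lee", "pt-6633"], "waiting_room": True,
     "connected": "2026-03-02T11:00:00", "last_activity": "2026-03-02T11:10:00",
     "disconnected": "2026-03-02T12:30:00"},
]

def audit_sessions(log, idle_limit=IDLE_LIMIT):
    """Map record index -> list of control failures; records with no findings are omitted."""
    id_counts = Counter(rec.get("session") for rec in log)
    findings = {}
    for idx, rec in enumerate(log):
        problems = []
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:  # audit controls: who, when, duration, recordings
            problems.append("audit record missing fields: " + ", ".join(missing))
        if id_counts[rec.get("session")] > 1:  # access controls: unique meeting links
            problems.append("meeting id reused across sessions (recurring room, not a unique link)")
        if not rec.get("waiting_room"):  # access controls: provider admits each patient
            problems.append("waiting room disabled")
        if len(rec.get("participants", [])) > 2:  # only provider and patient may join
            problems.append("more than provider and patient joined")
        if "disconnected" in rec and "last_activity" in rec:  # automatic termination
            idle = datetime.fromisoformat(rec["disconnected"]) - datetime.fromisoformat(rec["last_activity"])
            if idle > idle_limit:
                problems.append(f"session stayed open {int(idle.total_seconds() // 60)} min after last activity")
        if problems:
            findings[idx] = problems
    return findings

if __name__ == "__main__":
    for idx, problems in audit_sessions(SAMPLE_LOG).items():
        print(f"record {idx}:", "; ".join(problems))
```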

Compliant vs. Non-Compliant Platforms

A 2024 analysis found that 68% of telehealth platforms marketed to healthcare providers did not meet all HIPAA requirements. The distinction between compliant and non-compliant is straightforward:

HIPAA-compliant platforms (BAA available):

  • Doxy.me: Purpose-built for healthcare telehealth. Free tier available with BAA. No downloads required for patients. HIPAA-compliant at every plan level including free. This is the easiest entry point for small practices.
  • Zoom for Healthcare: A separate product from consumer Zoom. Includes a BAA, waiting rooms, end-to-end encryption, and session logging. Starts at approximately $13.33 per month per license. Requires the healthcare-specific plan — standard Zoom Pro is not sufficient.
  • Microsoft Teams (with BAA): Covered under the Microsoft 365 BAA for eligible plans. Requires Business Premium or higher. Includes meeting encryption, lobby controls, and recording to compliant storage.
  • Google Meet (Workspace with BAA): Google Workspace Business or Enterprise plans include a BAA. Encryption in transit, admin controls, and audit logging are included. Requires the paid Workspace plan — free Google accounts are not covered.
  • EHR-integrated telehealth: Many EHR vendors (Epic MyChart Video, athenahealth, eClinicalWorks) offer built-in telehealth covered under the existing EHR BAA. This is often the simplest option since it is already integrated with scheduling and documentation.

NOT HIPAA-compliant (no BAA available):

  • FaceTime
  • WhatsApp
  • Facebook Messenger
  • Skype (consumer version)
  • Google Duo / Google Meet (free accounts)
  • Standard Zoom (non-healthcare plans)
  • Signal (encrypted but no BAA)

Encryption alone does not make a platform HIPAA-compliant. Signal, for example, has strong end-to-end encryption. But Signal does not offer a BAA, does not provide audit logs, and does not provide the administrative controls HIPAA requires. Encryption is necessary but not sufficient.

Audio-Only Telehealth

Not every telehealth visit requires video. Audio-only visits are appropriate for many follow-ups, medication checks, and chronic disease management appointments. CMS continues to reimburse audio-only telehealth for established patients in many circumstances.

Audio-only telehealth still requires HIPAA compliance. A standard phone call over the public switched telephone network (PSTN) is generally considered compliant because HIPAA does not require encryption of voice calls over traditional phone lines. However, Voice over IP (VoIP) calls that transmit over the internet do require encryption.

If your practice uses a VoIP phone system, verify that calls are encrypted in transit. If you are using a consumer VoIP service for patient calls, it may not meet HIPAA standards. Your phone system vendor should be able to provide encryption documentation and a BAA.

DEA Prescribing Flexibilities

The DEA extended telehealth prescribing flexibilities through December 31, 2026. Under these rules, DEA-registered practitioners can prescribe Schedule II-V controlled substances via telehealth without a prior in-person examination, provided certain conditions are met.

After December 31, 2026, the Ryan Haight Act's in-person examination requirement is expected to resume for initial controlled substance prescriptions. Practices that prescribe controlled substances via telehealth should plan for this transition now. This means ensuring that telehealth scheduling systems can flag patients who require an in-person visit for their next controlled substance renewal.

The DEA prescribing rules are separate from HIPAA compliance. A telehealth visit can be fully HIPAA-compliant and still violate DEA prescribing rules if the in-person requirements are not met. Both compliance frameworks apply simultaneously.

Patient Consent and Documentation

Most states require informed consent for telehealth visits. While specific requirements vary by state, best practices include:

  • Written consent (can be electronic) that covers the nature of telehealth, its limitations, and the patient's right to refuse
  • Documentation of the patient's location at the time of the visit (this affects state licensing and billing requirements)
  • Verification of patient identity at the start of each session — the provider must confirm they are speaking with the right person
  • Clear documentation in the medical record that the visit was conducted via telehealth, including the platform used

Some states require providers to be licensed in the state where the patient is located, not just where the provider is located. Interstate licensing compacts (like the IMLC for physicians and the NLC for nurses) have expanded access, but coverage is not universal. Verify your state's requirements before seeing out-of-state patients.

Technical Setup for Your Practice

A compliant telehealth setup requires more than just choosing the right platform. The provider's environment matters too:

Private space. Conduct telehealth visits in a closed room where other patients and unauthorized staff cannot overhear. Open office layouts and shared workstations are not appropriate for telehealth visits.

Secure network. The provider's device should be connected to the practice's clinical network — not the guest WiFi. The network should be segmented and protected by a firewall. If providers conduct telehealth from home, they need a VPN connection back to the practice network or a dedicated secure connection.

Updated devices. Telehealth devices must run current operating systems with all security patches applied. A laptop running Windows 10 that stopped receiving security updates in October 2025 is not a compliant device for telehealth.

Waiting room controls. Enable the virtual waiting room feature on your telehealth platform. The provider should admit each patient individually. This prevents patients from accidentally joining the wrong session.

Recording policies. If your practice records telehealth sessions, the recording must be stored in a HIPAA-compliant location — not the provider's local hard drive. Notify patients before recording begins. Some states require two-party consent for recording.

Common Violations and Enforcement

OCR has signaled that telehealth compliance is an enforcement priority. Common violations that trigger investigations include:

  • Using consumer platforms (FaceTime, WhatsApp) after the enforcement discretion period ended
  • Conducting telehealth visits in public spaces where conversations can be overheard
  • Failing to obtain a BAA from the telehealth platform vendor
  • Not verifying patient identity before discussing protected health information
  • Sharing telehealth links via unsecured text messages that include patient information
  • Failing to document telehealth visits with the same rigor as in-person visits

The HIPAA risk assessment for your practice should include telehealth as a category. Document which platform you use, its security features, the BAA status, and how providers access it. This documentation is your first line of defense during an audit.

Book a free telehealth compliance review to evaluate your practice's telehealth setup against current HIPAA requirements. We will review your platform, network configuration, and documentation to identify gaps and recommend fixes. Explore our HIPAA compliance services and support plans, or read about HIPAA-compliant email configuration for your practice.
