Telehealth has become a permanent component of medical practice operations. What began as a necessity during the COVID-19 pandemic has evolved into an expected service offering for patients and a viable care delivery model for providers. However, the regulatory flexibility that existed during the public health emergency has largely expired or been replaced by permanent rules that require full HIPAA compliance. Practices that continue to use consumer-grade video platforms, neglect telehealth-specific risk assessments, or fail to update their policies for virtual care delivery are exposed to significant regulatory risk. This guide covers the HIPAA requirements that apply to telehealth and the steps your practice should take to ensure compliant virtual care delivery.
Technology Platform Requirements
The HIPAA Security Rule applies to all ePHI, including information transmitted during telehealth encounters. This means your telehealth platform must implement the technical safeguards required by the Security Rule. At a minimum, the platform must provide end-to-end encryption for video and audio streams, access controls that require authentication for all participants, audit logging that records session metadata (who connected, when, duration), automatic session termination after a defined period of inactivity, and data transmission security (TLS 1.2 or higher). Consumer platforms like standard FaceTime, Skype, and Facebook Messenger do not meet these requirements. Your telehealth vendor must also sign a Business Associate Agreement, as it is transmitting and potentially storing ePHI. Verify that the BAA specifically covers telehealth services and that the vendor's data handling practices are documented.
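The following is an added illustration, not code from the original article or from any telehealth vendor: it shows how the three technical safeguards listed above (a TLS 1.2 floor, session audit records of who connected, when and for how long, and automatic termination after inactivity) look as checkable code. The 15-minute idle limit, the function and class names, and the session values are assumptions for the example.

```python
import ssl
from dataclasses import dataclass
from typing import Dict, List, Optional

MIN_TLS = ssl.TLSVersion.TLSv1_2        # transport floor named in the policy
IDLE_TIMEOUT_S = 15 * 60                # assumed inactivity limit; set by policy

def make_tls_context() -> ssl.SSLContext:
    """Server-side context that refuses TLS 1.0/1.1 handshakes."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_TLS
    return ctx

def version_meets_policy(version: int) -> bool:
    """True for TLS 1.2 (0x303 = 771) and TLS 1.3 (772); False for 1.1 (770)."""
    return version >= MIN_TLS

@dataclass
class Session:
    session_id: str
    participant: str                    # authenticated identity, not a display name
    started_at: float                   # epoch seconds
    last_activity: float
    ended_at: Optional[float] = None
    end_reason: Optional[str] = None

class SessionAuditLog:
    """Minimal audit record keeper: who connected, when, duration, how it ended."""
    def __init__(self, idle_timeout_s: int = IDLE_TIMEOUT_S):
        self.idle_timeout_s = idle_timeout_s
        self.sessions: Dict[str, Session] = {}

    def connect(self, session_id: str, participant: str, now: float) -> None:
        self.sessions[session_id] = Session(session_id, participant, now, now)

    def activity(self, session_id: str, now: float) -> None:
        self.sessions[session_id].last_activity = now

    def terminate_idle(self, now: float) -> List[str]:
        """Close every live session idle for at least the timeout; return their ids."""
        ended = []
        for s in self.sessions.values():
            if s.ended_at is None and now - s.last_activity >= self.idle_timeout_s:
                s.ended_at, s.end_reason = now, "idle_timeout"
                ended.append(s.session_id)
        return ended

    def record(self, session_id: str) -> dict:
        s = self.sessions[session_id]
        end = s.ended_at if s.ended_at is not None else s.last_activity
        return {"who": s.participant, "when": s.started_at,
                "duration_s": end - s.started_at, "ended": s.end_reason}
```

The audit record is what a vendor's session log should be able to produce for every encounter; the TLS floor is what to confirm in the vendor's configuration, not just its marketing material.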
Patient Consent and Notice
Before conducting a telehealth visit, patients should receive information about how the technology works, the privacy and security measures in place, the potential risks inherent in electronic communication (such as the possibility of technical failure or unauthorized interception), and their right to decline telehealth in favor of an in-person visit. Many states have specific informed consent requirements for telehealth, separate from HIPAA, that may require written or verbal consent documented in the medical record. Your Notice of Privacy Practices should be updated to address telehealth-specific uses and disclosures of PHI. Ensure patients understand how recordings (if any) are handled and who else might be present in the room on either end of the connection.
Provider-Side Security
The physical and technical environment from which providers conduct telehealth visits must be secure. Providers should conduct visits from a private location where conversations cannot be overheard by unauthorized individuals. Using a personal device introduces additional risks — ensure that personal devices used for telehealth have encryption enabled, strong authentication, remote wipe capability, and current security patches. Providers should not conduct telehealth sessions over unsecured public Wi-Fi networks. Screen sharing features should be used with caution to avoid inadvertently displaying another patient's information. If the provider uses a home office, the same physical safeguard considerations that apply to a clinical setting apply there — a locked room, a screen that is not visible from a window, and a mechanism to prevent unauthorized access by household members.
Documentation Requirements
Telehealth encounters must be documented to the same standard as in-person visits. In addition to the standard clinical documentation, telehealth visit notes should include the type of technology used (video, audio-only, or asynchronous), confirmation that the patient consented to the telehealth encounter, the location of the patient at the time of the visit (required for billing purposes in many states and by many payers), the location of the provider, the identity verification method used to confirm the patient's identity, and any technical issues that occurred during the visit and how they were addressed. This documentation supports not only HIPAA compliance but also billing compliance, as payers increasingly scrutinize telehealth claims for completeness.
Risk Assessment for Telehealth
Your practice's Security Risk Assessment must account for the specific risks introduced by telehealth. These include risks associated with the telehealth platform itself (vendor security practices, data storage locations, vulnerability management), risks from the transmission of ePHI over the internet, risks from provider endpoint devices (especially personal devices used in home settings), risks from patient endpoint devices and environments (patients may be in non-private locations without the provider's knowledge), and risks associated with recordings, transcriptions, or session data stored by the platform. If your SRA was conducted before your practice began offering telehealth, it must be updated to address these additional risk factors. Treat the telehealth modality as a new system in your ePHI environment and evaluate it with the same rigor as your EHR or practice management system.
State Telehealth Regulations
Beyond HIPAA, telehealth is subject to a complex web of state regulations that vary significantly by jurisdiction. These may include requirements for the provider to hold a license in the state where the patient is located, specific informed consent language, prescribing restrictions for telehealth encounters, requirements for establishing a provider-patient relationship before prescribing, audio-only visit restrictions or permissions, and Medicaid telehealth coverage rules. Your telehealth compliance program must account for the laws of every state in which your patients are located during visits, not just your practice's home state. This is an area where the regulatory landscape continues to evolve rapidly.
How GuardWell Compliance Helps
GuardWell supports telehealth compliance by incorporating telehealth-specific requirements into your practice's HIPAA compliance framework. The platform includes telehealth policy templates, a telehealth vendor assessment checklist, telehealth-specific risk assessment questions integrated into the SRA workflow, and consent form templates that address state-specific requirements. GuardWell tracks your telehealth platform vendor as a business associate with BAA status monitoring and helps ensure your practice's overall compliance program reflects the expanded risk surface that virtual care delivery creates.