HIPAA for telehealth practices
Telehealth creates compliance obligations most virtual providers never address — platform BAAs, remote device security, cross-state licensing intersections, and session recording storage. Patient Protect was built for clinicians who deliver care through a screen.
The real risk
Zoom, Doxy.me, SimplePractice, Spruce — a signed BAA is mandatory, but most clinicians never verify encryption settings, recording storage locations, or session metadata handling. The COVID-era enforcement discretion ended. OCR is actively auditing telehealth compliance.
Clinicians conducting sessions from home laptops, tablets, and personal phones introduce risks no brick-and-mortar practice faces. Shared family devices, unencrypted Wi-Fi, screen visibility to household members — each is a potential breach vector OCR evaluates during audits.
Recorded telehealth sessions, chat transcripts, and asynchronous messages are ePHI that must be encrypted at rest, access-controlled, and retained per your retention policy. Many clinicians store recordings in consumer cloud storage with no BAA and no access audit trail.
Telehealth clinicians often serve patients across state lines. Each state may layer additional privacy requirements on top of federal HIPAA. A single compliance gap doesn't just affect one jurisdiction — it can trigger enforcement actions in every state where you treat patients.
What HIPAA requires
Platform Security
Signed BAAs with every telehealth platform, scheduling tool, and communication service. End-to-end encryption for video, audio, and messaging. Documented security configurations for each platform.
Remote Environment Controls
Policies for home office and remote work environments — device encryption, screen lock requirements, private session spaces, and restrictions on shared or personal devices used for clinical care.
Recording & Storage
Encryption at rest for all session recordings and chat transcripts. Access controls limiting who can view recordings. Retention and destruction policies aligned with state and federal requirements.
Workforce Training
Telehealth-specific HIPAA training covering remote session security, device handling, patient identity verification, and incident reporting for virtual care environments.
How Patient Protect helps
SRA wizard covers video platform security, remote device policies, session recording storage, and cross-state practice — not a generic in-office questionnaire repurposed for virtual care.
Track BAAs with Zoom, Doxy.me, SimplePractice, scheduling tools, payment processors, and every other vendor in your telehealth stack. Expiration alerts and e-sign built in.
Replace personal texts, email, and consumer chat apps with BAA-gated messaging. Patient communication stays inside your compliance perimeter — no matter where you're practicing from.
Pre-built policies for home office security, BYOD device management, and remote session protocols. Customize for your practice and document workforce acknowledgment automatically.
How we compare
Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.
| RecommendedPatient Protect$39/ month to start | Compliancy Group$99+/mo | AccountableHQPer-employee | AbydeNot listed | Total HIPAANot listed | |
|---|---|---|---|---|---|
| Core Compliance | |||||
| Risk AssessmentSatisfies §164.308(a)(1) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Policy TemplatesVersioned, workforce acknowledgment | ✓ | ✓ | ✓ | ✓ | ✓ |
| Staff TrainingDelivery, tracking, and documentation | ✓ | ✓ | ✓ | ✓ | ✓ |
| BAA ManagementFull lifecycle, e-sign, PDF | ✓ | ✓ | ✓ | ✓ | ~ |
| Where Others Stop | |||||
| Secure MessagingBAA-gated, ePHI-compliant | ✓ | ✕ | ✕ | ✕ | ✕ |
| Digital ReferralsSend, track, and audit across offices | ✓ | ✕ | ✕ | ✕ | ✕ |
| Real-Time Security PromptsLive alerts for risks and violations | ✓ | ✕ | ✕ | ✕ | ✕ |
| Live DiagnosticsReal-time compliance visibility | ✓ | ✕ | ✕ | ✕ | ✕ |
| ePHI Audit TrailWho accessed what, and when | ✓ | ✓ | ~ | ✓ | ✓ |
| Dynamic Risk ScoringAuto-prioritized, self-updating queue | ✓ | ✓ | ✓ | ~ | ~ |
| Monthly Price | $39to start | $99+ | Per-employee | Not listed | Not listed |
Swipe to compare →
Based on publicly available feature lists and pricing as of 2026. Secure messaging and digital referrals absent from every major compliance competitor.
Pricing
No contracts · No setup fees · Cancel anytime
Core
$39/mo
Risk assessments, policies, BAA management, training, and compliance scoring.
Pro
$99/mo
Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.
FAQ
Yes. Any clinician who transmits ePHI electronically — including through video sessions, patient messaging, or electronic prescriptions — is subject to the full HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. The COVID-era enforcement discretion has ended; OCR is actively auditing telehealth providers.
A platform is HIPAA compliant only if it offers a signed BAA, end-to-end encryption, and proper access controls. Zoom (healthcare plan), Doxy.me, and several EHR-integrated platforms offer BAAs — but compliance also depends on how you configure and use them. Patient Protect's risk assessment evaluates your actual setup, not just the vendor's marketing claims.
You can, but only with proper safeguards — full-disk encryption, passcode lock, separate user profiles, and documented BYOD policies. OCR evaluates whether personal devices used for clinical care meet the same security standards as dedicated clinical systems. Patient Protect includes remote device policy templates and training modules for exactly this scenario.
Traditional compliance consultants charge $4,000–$10,000 per year for telehealth practices, often more for multi-state providers. Patient Protect starts at $39/month ($468/year) with no contracts — covering risk assessments, platform BAA tracking, remote work policies, staff training, and continuous compliance monitoring.
Next step
See your real exposure in five minutes. Free risk assessment — no login required.
