
HIPAA for telehealth practices

HIPAA Compliance for Telehealth Clinicians

Telehealth creates compliance obligations many virtual providers still need to address — platform BAAs, remote device security, cross-state licensing intersections, and session recording storage. Whether you already work with a compliance vendor or are evaluating for the first time, Patient Protect adds a security-first layer built for clinicians who deliver care through a screen.

Active breach prevention · Starting at $39/mo · No contracts

HIPAA in practice

What HIPAA actually looks like for telehealth clinicians.

The regulatory framework, the enforcement patterns OCR has historically cited, the non-HIPAA standards that apply, the gaps audits routinely surface, and the record-retention overlay where state law stacks on HIPAA’s six-year minimum.

Regulatory framework

Telehealth practices operate under HIPAA as covered entities through standard electronic transactions, with specific overlays from the DEA's telemedicine final rule (effective 2026 post-PHE), state-by-state telehealth licensure compacts (IMLC for medical, PSYPACT for psychology, ASLP-IC for SLP/audiology, others), and state-specific telehealth practice rules. The post-PHE landscape restored most pre-pandemic prescribing limits with specific telehealth-permitted exceptions. State medical boards govern licensure and practice standards; state pharmacy boards govern e-prescribing requirements; state insurance commissioners govern parity-of-coverage rules for telehealth services.

OCR enforcement patterns

OCR's telehealth enforcement record has expanded as the post-PHE landscape took shape. Recurring patterns include disclosure errors when a telehealth platform is shared across multiple covered entities, recording without consent, audio-only services used outside permitted scenarios, and missing in-person evaluation for controlled-substance prescribing where DEA rules require it. The FTC's BetterHelp settlement and GoodRx settlement (both 2023) under the Health Breach Notification Rule signaled regulatory attention on telehealth and consumer-health data sharing that complements HIPAA enforcement.

Specialty-specific standards beyond HIPAA

DEA EPCS for any controlled-substance prescribing. The DEA telemedicine final rule and its specific exceptions (one-day supply, etc.). State telehealth licensure compacts. Audio-only restrictions in many state telehealth frameworks. State-specific consent requirements for telehealth visits. CMS reimbursement rules for telehealth services post-PHE. State controlled-substance e-prescribing requirements that may exceed federal DEA minimums.

Common compliance gaps

Common in telehealth compliance reviews: licensure-state mismatch where the patient's state of residence differs from the prescriber's licensure state, audio-only services used outside permitted DEA or state framework, recording-of-visits without clear consent infrastructure, missing in-person evaluation for controlled-substance prescribing, multi-state breach notification matrix not pre-built, telehealth platform BAA assumed but not verified, and inadequate identity verification at the start of clinical encounters.

Retention overlay

State law stacked on HIPAA’s six-year floor.

HIPAA's six-year minimum; state telehealth-specific retention varies widely. DEA EPCS retention requirements are separate and longer for controlled-substance prescribing audit trails (typically two to five years depending on rule). State medical boards may require longer retention for telehealth visits than for in-person visits in some jurisdictions. Multi-state telehealth operations face the highest retention floor of any operating jurisdiction's law.

Reference summary, not legal advice. This page summarizes how HIPAA and adjacent regulatory frameworks apply to telehealth clinicians based on Patient Protect’s reading of the relevant CFR provisions, OCR enforcement record, and state statutes. Operators with specific compliance questions should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A telehealth practice that completes the five steps below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis covering the full telehealth-specific stack

    Risk analysis under §164.308(a)(1)(ii)(A) covering the telehealth platform itself (Doxy.me, Zoom Healthcare, Teladoc-build, custom build), e-prescribing service, lab interfaces, intake/scheduling system, secure messaging, payment processor, EHR if separate, recording-storage if visits are recorded.

  2. Build a multi-state operational and breach matrix

    Per-state licensure status, e-prescribing requirements, breach notification timelines, AG-notification thresholds, and remediation requirements. Patient Protect pre-loads the matrix; updates flow as states modify their telehealth or breach laws.

  3. Establish post-PHE controlled-substance prescribing compliance

    The DEA's 2026 telemedicine final rule restored most pre-PHE limits with specific telehealth-permitted exceptions. Compliance requires prescriber registration, in-person evaluation where required, audit trail integration with EPCS, and ongoing monitoring as DEA modifies the rule.

  4. Sign BAAs across the telehealth-specific vendor ecosystem

    Telehealth platform, e-prescribing service, lab partners, intake/scheduling, secure messaging, payment processor, recording-storage, IT support, cloud backup. Each is a BA under §160.103.

  5. Train clinicians and staff on telehealth-specific compliance scenarios

    Identity verification before clinical content, multi-state licensure disclosure, controlled-substance prescribing limits, recording consent, audio-only-when-required scenarios, secure messaging discipline. Training under §164.530(b)(1) calibrated for the telehealth model.

The real risk

Where telehealth clinicians are most exposed.

01. Your telehealth platform vendor may not cover you

Zoom, Doxy.me, SimplePractice, Spruce — a signed BAA is mandatory, but most clinicians never verify encryption settings, recording storage locations, or session metadata handling. The COVID-era enforcement discretion ended. OCR is actively auditing telehealth compliance.

02. Home offices and personal devices are uncontrolled environments

Clinicians conducting sessions from home laptops, tablets, and personal phones introduce risks no brick-and-mortar practice faces. Shared family devices, unencrypted Wi-Fi, screen visibility to household members — each is a potential breach vector OCR evaluates during audits.

03. Session recordings and chat logs create long-lived ePHI

Recorded telehealth sessions, chat transcripts, and asynchronous messages are ePHI that must be encrypted at rest, access-controlled, and retained per your retention policy. Many clinicians store recordings in consumer cloud storage with no BAA and no access audit trail.

04. Multi-state practice multiplies regulatory exposure

Telehealth clinicians often serve patients across state lines. Each state may layer additional privacy requirements on top of federal HIPAA. A single compliance gap doesn't just affect one jurisdiction — it can trigger enforcement actions in every state where you treat patients.

What HIPAA requires

Regulatory requirements specific to telehealth clinicians.

Platform Security

Signed BAAs with every telehealth platform, scheduling tool, and communication service. End-to-end encryption for video, audio, and messaging. Documented security configurations for each platform.

Remote Environment Controls

Policies for home office and remote work environments — device encryption, screen lock requirements, private session spaces, and restrictions on shared or personal devices used for clinical care.

Recording & Storage

Encryption at rest for all session recordings and chat transcripts. Access controls limiting who can view recordings. Retention and destruction policies aligned with state and federal requirements.

Workforce Training

Telehealth-specific HIPAA training covering remote session security, device handling, patient identity verification, and incident reporting for virtual care environments.

Your state, your rules

State-specific HIPAA rules for telehealth clinicians.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. Select your state to see what applies to your practice.

How Patient Protect helps

Built for telehealth clinicians, not hospital systems.

Telehealth-specific risk assessment

SRA wizard covers video platform security, remote device policies, session recording storage, and cross-state practice — not a generic in-office questionnaire repurposed for virtual care.

Platform vendor BAA tracking

Track BAAs with Zoom, Doxy.me, SimplePractice, scheduling tools, payment processors, and every other vendor in your telehealth stack. Expiration alerts and e-sign built in.

Secure patient messaging

Replace personal texts, email, and consumer chat apps with BAA-gated messaging. Patient communication stays inside your compliance perimeter — no matter where you're practicing from.

Remote work policy templates

Pre-built policies for home office security, BYOD device management, and remote session protocols. Customize for your practice and document workforce acknowledgment automatically.

Multi-state licensure and breach notification matrix

Telehealth operations across 30+ states face a state-by-state matrix of licensure compacts, breach notification timelines, and AG-notification thresholds. The platform pre-loads each state's requirements; the alternative is reading 50 statutes after an incident with the timeline already running.

Post-PHE controlled substance prescribing compliance

The DEA's telemedicine final rule (effective 2026) restored most pre-PHE prescribing limits with specific telehealth-permitted exceptions. Patient Protect tracks prescriber-by-prescriber compliance with the registration, in-person evaluation, and audit-trail requirements that controlled-substance telehealth now requires.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

What to ask, and what Patient Protect provides:

01. Risk assessment that satisfies §164.308(a)(1). A readiness quiz is not a risk analysis.
    Patient Protect: Full SRA wizard mapped to NIST CSF with live scoring

02. Auto-generated policies with workforce acknowledgment. HIPAA requires documented proof your staff reviewed them.
    Patient Protect: 48 policies from your risk profile, versioned acknowledgment

03. Staff training with delivery tracking. §164.308(a)(5) — sending a PDF is not sufficient.
    Patient Protect: 80+ modules, completion tracking, audit-ready records

04. Full BAA lifecycle management. Expired BAAs are a top enforcement target.
    Patient Protect: E-signature, renewal alerts, Vendor Risk Scanner

Yes on all 10. Now run the checklist on the rest.

From $39/mo · No long-term contracts.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for telehealth clinicians.

Is telehealth subject to HIPAA?

Yes. Any clinician who transmits ePHI electronically — including through video sessions, patient messaging, or electronic prescriptions — is subject to the full HIPAA Security Rule, Privacy Rule, and Breach Notification Rule. The COVID-era enforcement discretion has ended; OCR is actively auditing telehealth providers.

What telehealth platforms are HIPAA compliant?

A platform is HIPAA compliant only if it offers a signed BAA, end-to-end encryption, and proper access controls. Zoom (healthcare plan), Doxy.me, and several EHR-integrated platforms offer BAAs — but compliance also depends on how you configure and use them. Patient Protect's risk assessment evaluates your actual setup, not just the vendor's marketing claims.

Can I use my personal phone or laptop for telehealth?

You can, but only with proper safeguards — full-disk encryption, passcode lock, separate user profiles, and documented BYOD policies. OCR evaluates whether personal devices used for clinical care meet the same security standards as dedicated clinical systems. Patient Protect includes remote device policy templates and training modules for exactly this scenario.

What does HIPAA compliance cost for a telehealth practice?

Traditional compliance consultants charge $4,000–$10,000 per year for telehealth practices, often more for multi-state providers. Patient Protect starts at $39/month ($468/year) with no contracts — covering risk assessments, platform BAA tracking, remote work policies, staff training, and continuous compliance monitoring.

Are audio-only telehealth visits HIPAA-compliant?

Audio-only telehealth (telephone-only) is permitted under HIPAA when the practice has appropriate safeguards — the call must occur on a HIPAA-compliant infrastructure, identity verification must occur before clinical content, and PHI must not be left on insecure voicemail systems. CMS extended audio-only Medicare reimbursement post-PHE for behavioral health and limited other categories; the HIPAA framework applies regardless of reimbursement category.

Does HIPAA require video for telehealth visits?

No. HIPAA is technology-agnostic — it requires safeguards proportionate to the risk, not specific media. Many state telehealth licensure frameworks require video for specific service types (controlled-substance prescribing, certain mental health services), but that's a state-law requirement layered on top of HIPAA, not a HIPAA requirement itself.

How do multi-state telehealth operations handle breach notification?

Each state where the breach affects residents has its own notification timeline, AG-notification threshold, and required disclosure content. A breach affecting residents of 30 states triggers 30 different notification clocks the moment it's detected. The practical implication: pre-load every operating-state's requirements into the breach response protocol so the response can ship parallel notifications rather than sequential ones.
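The parallel-clock approach described above can be made concrete with a small scheduler that takes a pre-loaded per-state matrix and a list of affected residents per state and returns every notification deadline at once, sorted by due date. This is an added illustration, not Patient Protect's code; the state codes (AA, BB, CC), their deadlines and their AG thresholds are constructed placeholders, not any real state's statute, and the only real figure is the 60-day federal outer bound for individual notice under 45 CFR §164.404(b), which the scheduler uses to cap any state window that is longer.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Federal outer bound for individual notice under the HIPAA Breach Notification
# Rule (45 CFR 164.404(b)): no later than 60 calendar days after discovery.
# A state window longer than this is capped; a shorter one controls.
HIPAA_INDIVIDUAL_NOTICE_DAYS = 60


@dataclass(frozen=True)
class StateRule:
    """Per-state parameters. The instances below are CONSTRUCTED placeholders
    for illustration, not the requirements of any real state."""
    individual_notice_days: int  # days after discovery to notify affected residents
    ag_threshold: int            # affected-resident count that triggers AG notice
    ag_notice_days: int          # days after discovery to notify the state AG


@dataclass(frozen=True)
class Deadline:
    state: str
    notice: str   # "individuals" or "attorney_general"
    due: date
    affected: int


# Constructed matrix with fictional state codes (hypothetical values).
STATE_MATRIX = {
    "AA": StateRule(individual_notice_days=30, ag_threshold=250, ag_notice_days=30),
    "BB": StateRule(individual_notice_days=45, ag_threshold=500, ag_notice_days=45),
    "CC": StateRule(individual_notice_days=90, ag_threshold=1000, ag_notice_days=90),
}

# Constructed sample incident: affected residents per state and discovery date.
SAMPLE_BREACH = {"AA": 500, "BB": 12, "CC": 3}
DISCOVERED = date(2024, 3, 1)


def build_notification_schedule(matrix, affected_by_state, discovered):
    """Start every state's clock from the same discovery date and return all
    deadlines sorted by due date, so notices can be prepared in parallel.

    A state with affected residents but no pre-loaded rule raises KeyError:
    that is exactly the gap the matrix is meant to close before an incident.
    """
    deadlines = []
    for state, count in affected_by_state.items():
        if count <= 0:
            continue  # no residents affected, no clock for that state
        rule = matrix.get(state)
        if rule is None:
            raise KeyError(f"no pre-loaded notification rule for state {state!r}")

        # Individual notice: the stricter of the state window and the federal cap.
        window = min(rule.individual_notice_days, HIPAA_INDIVIDUAL_NOTICE_DAYS)
        deadlines.append(Deadline(state, "individuals",
                                  discovered + timedelta(days=window), count))

        # AG notice only when the state's resident-count threshold is reached.
        if count >= rule.ag_threshold:
            deadlines.append(Deadline(state, "attorney_general",
                                      discovered + timedelta(days=rule.ag_notice_days),
                                      count))
    return sorted(deadlines, key=lambda d: (d.due, d.state, d.notice))


def earliest_clock(schedule):
    """The first deadline across all states; this is the one the response
    must be built to meet, regardless of where the practice is headquartered."""
    return schedule[0].due if schedule else None


if __name__ == "__main__":
    schedule = build_notification_schedule(STATE_MATRIX, SAMPLE_BREACH, DISCOVERED)
    for d in schedule:
        print(f"{d.due.isoformat()}  {d.state}  {d.notice:<17} affected={d.affected}")
    print("earliest clock:", earliest_clock(schedule))
```

Running it against the constructed incident shows the two clocks that expire first belong to state AA (both the resident notice and the AG notice, because 500 affected residents exceeds its placeholder threshold), while state CC's 90-day placeholder window is cut back to the 60-day federal bound. The response team works from the sorted list rather than from whichever state's statute it happens to open first.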

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E. Murray, D.D.S., Patient Protect Member Since 2017

Next step

Your telehealth practice has compliance gaps beyond what your platform covers.

See your real exposure in five minutes. Free risk assessment — no login required.