HIPAA Violations in Telehealth: What OCR Is Actively Enforcing in 2026
OCR ended COVID-era telehealth enforcement discretion in 2023. Five violations define most of the exposure for telehealth providers right now — consumer platform use, session recording storage, home office device failures, and more.

The COVID-19 public health emergency ended May 11, 2023. The enforcement discretion that permitted non-compliant telehealth ended the same day. Every telehealth session conducted since then must comply with HIPAA in full.
OCR has signaled active enforcement interest in telehealth compliance. The combination of widespread adoption of non-compliant practices during the pandemic — consumer video platforms, personal cloud storage for recordings, unencrypted home devices — and the clear end of enforcement protection creates the conditions for a significant enforcement wave.
The five violations that define most of the current telehealth exposure are not hypothetical. They are patterns that OCR investigations of telehealth providers consistently reveal.
Violation 1: Consumer Video Platforms Without BAAs
Citation: §164.312(e)(2)(ii) and §164.308(b)(1)
This is the most widespread current HIPAA violation in telehealth — and the most clearly defined.
Standard Zoom, Google Meet free tier, FaceTime, WhatsApp, Skype, and Microsoft Teams free tier: none of these platforms offer HIPAA-compliant BAAs for clinical use. A clinician conducting telehealth sessions on any of these platforms is transmitting ePHI through an unsecured channel without a Business Associate Agreement — two separate violations in every session.
The COVID-era enforcement discretion covered this. The enforcement discretion ended. There is no ambiguity about the current legal status.
The "I've been using it for years" problem:
Some clinicians continue using consumer platforms because they have worked without incident for years. That reasoning has no bearing on how HIPAA is enforced. The absence of an OCR investigation to date does not mean the practice is compliant — it means the violation has not yet been investigated. A patient complaint, a breach notification, or a random audit can change that at any time.
The Zoom confusion:
Zoom offers multiple plan tiers. Only Zoom for Healthcare includes BAA coverage and HIPAA-compliant configuration. A clinician on a standard Business or Pro plan — even if they purchased it specifically for telehealth — is not on a HIPAA-compliant platform. The plan tier matters. The BAA execution matters. Having Zoom on your device does not constitute HIPAA compliance.
What to do:
Identify which platforms you are currently using for clinical sessions. For any consumer platform or any platform where you have not executed a BAA, transition to a compliant alternative and execute the BAA before your next session.
Violation 2: Session Recordings Stored in Personal Cloud Storage
Citation: §164.312(a)(2)(iv) and §164.308(b)(1)
This is the most consequential delayed-action violation in telehealth — consequential because it has been accumulating since the beginning of the pandemic for providers who recorded sessions.
A session recording is ePHI. A session recording stored in personal Google Drive, iCloud, or standard Dropbox is unsecured ePHI — stored without encryption assurance, without a BAA with the storage provider, and without access controls appropriate to the sensitivity of the content.
For mental health telehealth providers, the sensitivity of stored recordings is extreme. A recording of a therapy session may contain disclosures of trauma, mental health diagnoses, suicidal ideation, relationship details, and other information that the patient shared in the context of a clinical relationship with an expectation of confidentiality. Storing those recordings in a personal iCloud account — which may be accessible across family devices, which may be subject to Apple's data practices — is a serious and ongoing breach exposure.
The migration obligation:
Recordings stored in non-compliant locations represent a current, ongoing compliance problem. They are not remediated by simply stopping the practice of storing new recordings in personal cloud storage. The existing recordings must be migrated to compliant storage or deleted, and the migration or deletion must be documented.
This is not a pleasant task. For providers who have been recording for years, it may be a significant undertaking. It is nevertheless required.
What to do:
Inventory all session recordings and where they are stored. Establish a HIPAA-compliant storage location — Google Workspace with BAA, Microsoft 365 with BAA, or storage integrated into your telehealth platform. Migrate existing recordings. Document the migration. Delete from non-compliant storage after confirming migration success.
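The inventory, migrate, verify, document and delete steps above map onto a short script. The one below is an added example, not code from the original article or from any product it describes; it assumes the non-compliant recordings are reachable as a local folder (for instance a cloud sync folder) and that the compliant destination is mounted as a local path, and both paths are placeholders. The source file is deleted only after the copy's hash matches, and every action is written to a JSON log that serves as the migration record.

```python
"""Inventory, migrate, verify and document telehealth session recordings.

Added example, not part of the original article or any product it describes.
Assumed: recordings sit under one local folder synced from a non-compliant
store (e.g. a personal cloud sync folder) and the compliant destination is
mounted as a local path. Both paths in __main__ are placeholders.
"""
import hashlib
import json
import shutil
from datetime import datetime, timezone
from pathlib import Path

# File types treated as session recordings (assumption for this example).
RECORDING_SUFFIXES = {".mp4", ".m4a", ".mov", ".webm", ".mkv"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large recordings do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(root: Path) -> list[dict]:
    """Step 1: list every recording under root with its size and hash."""
    items = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in RECORDING_SUFFIXES:
            items.append({"source": str(p), "bytes": p.stat().st_size, "sha256": sha256_of(p)})
    return items


def migrate(root: Path, dest: Path, log_path: Path, delete_source: bool = True) -> dict:
    """Steps 2-5: copy each recording, verify the copy by hash, log the result,
    and delete the source only when verification succeeded."""
    records = inventory(root)
    for rec in records:
        src = Path(rec["source"])
        target = dest / src.relative_to(root)
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 keeps timestamps, useful for the record
        rec["destination"] = str(target)
        rec["verified"] = sha256_of(target) == rec["sha256"]
        # Never remove the original unless the copy is byte-for-byte identical.
        rec["source_deleted"] = False
        if rec["verified"] and delete_source:
            src.unlink()
            rec["source_deleted"] = True
    summary = {
        "migrated_at": datetime.now(timezone.utc).isoformat(),
        "source_root": str(root),
        "destination_root": str(dest),
        "total": len(records),
        "verified": sum(1 for r in records if r["verified"]),
        "recordings": records,
    }
    # The log is the documentation OCR would ask for: what moved, where, and whether it was verified.
    log_path.write_text(json.dumps(summary, indent=2))
    return summary


if __name__ == "__main__":
    # Placeholder paths; replace with the real sync folder and compliant destination.
    source_root = Path("~/iCloud/Sessions").expanduser()
    if source_root.is_dir():
        result = migrate(source_root, Path("/mnt/compliant-storage/recordings"), Path("migration-log.json"))
        print(f"{result['verified']}/{result['total']} recordings verified and logged")
    else:
        print(f"source folder {source_root} not found; nothing to migrate")
```

Run it once with `delete_source=False` to produce a dry-run log and confirm the destination is the BAA-covered location before letting it remove anything; the log file itself should then be kept with the practice's compliance records.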
Violation 3: Unencrypted Home Devices
Citation: §164.312(a)(2)(iv) and §164.310(d)
The device a clinician uses to conduct telehealth sessions is an ePHI system. It stores session data, browser history from the telehealth platform, downloaded clinical notes, and potentially session recordings. If that device is not encrypted, every piece of stored ePHI is unsecured.
The home environment amplifies this risk. A clinic device is in a controlled environment with physical security. A home device may be a shared family computer, a personal laptop that travels to coffee shops, or a tablet used by multiple household members for non-clinical purposes.
The shared family device problem:
Using a shared family computer for telehealth sessions creates exposure in multiple directions:
- Other family members may access browser history, downloaded files, or session data
- The device is not under clinical access controls
- Device loss or theft exposes patient data alongside personal family data
- Antivirus, patching, and security configuration are typically consumer-level, not clinical-level
The encryption reality:
Modern operating systems have robust encryption built in and available at no cost — BitLocker for Windows, FileVault for macOS, built-in encryption for iOS and Android. For most devices, enabling encryption takes minutes. The failure to enable it on a device used for clinical telehealth is an operational oversight with significant compliance consequences if the device is ever lost, stolen, or accessed by an unauthorized person.
What to do:
Verify full-disk encryption is enabled on every device used for telehealth sessions. If using a shared family device, establish a dedicated clinical user account with separate login credentials and enable encryption. Better: use a device dedicated to clinical work that is not shared with family members.
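Verifying encryption across a handful of home devices is easier with a script than by clicking through settings. The following is an added example, not from the original article: it reads the status output of the built-in tools named above (`fdesetup` on macOS, `manage-bde` for BitLocker on Windows, `lsblk` on Linux) and reports whether the device passes. The command lines and output phrases are the tools' documented ones; the Linux rule, which treats any dm-crypt layer as full-disk encryption, is a simplification assumed for this example, and the sample outputs used in the checks are constructed.

```python
"""Report whether the device running a telehealth session has full-disk encryption on.

Added example, not from the original article. Assumptions: the built-in status
tools are on PATH, the Windows system volume is C:, and on Linux any dm-crypt
mapping is taken as evidence of full-disk encryption (a simplification).
"""
import platform
import subprocess


def parse_fdesetup(output: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'."""
    return "FileVault is On" in output


def parse_manage_bde(output: str) -> bool:
    """Windows: `manage-bde -status C:` reports 'Conversion Status' and 'Protection Status'.

    A volume that is 'Fully Encrypted' but shows 'Protection Off' is suspended
    (the key is stored in the clear), so both conditions must hold to pass.
    """
    fully_encrypted = "Fully Encrypted" in output
    protection_on = "Protection On" in output
    return fully_encrypted and protection_on


def parse_lsblk_types(output: str) -> bool:
    """Linux: `lsblk -rno TYPE` prints one block-device type per line; 'crypt' is a dm-crypt (LUKS) mapping."""
    return any(line.strip() == "crypt" for line in output.splitlines())


# Which status command and parser to use per operating system.
CHECKS = {
    "Darwin": (["fdesetup", "status"], parse_fdesetup),
    "Windows": (["manage-bde", "-status", "C:"], parse_manage_bde),
    "Linux": (["lsblk", "-rno", "TYPE"], parse_lsblk_types),
}


def check_local_device() -> dict:
    """Run the platform's status tool and return a small inventory record."""
    system = platform.system()
    if system not in CHECKS:
        return {"os": system, "encrypted": None, "detail": "unsupported platform"}
    cmd, parser = CHECKS[system]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return {"os": system, "encrypted": None, "detail": f"{cmd[0]} not found"}
    return {"os": system, "encrypted": parser(proc.stdout), "detail": proc.stdout.strip()[:200]}


if __name__ == "__main__":
    record = check_local_device()
    state = {True: "PASS: full-disk encryption on", False: "FAIL: not encrypted", None: "UNKNOWN"}
    print(f"{record['os']}: {state[record['encrypted']]}")
```

Keep the returned records per device in the practice's SRA file; a device that reports `False` or `None` should not be used for a session until encryption is enabled and the check is rerun.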
Violation 4: No Security Risk Analysis Covering Telehealth Infrastructure
Citation: §164.308(a)(1)(ii)(A)
Telehealth introduced new ePHI systems and data flows that most SRAs conducted before 2020 do not address. A clinician who conducted an SRA in 2019 and started telehealth practice in 2020 has an SRA that does not cover their current compliance environment.
The specific gaps in pre-telehealth SRAs:
- No assessment of the telehealth platform and its security configuration
- No assessment of home office physical safeguards
- No assessment of home network security
- No assessment of personal devices used for sessions
- No assessment of session recording storage
- No assessment of multi-state practice compliance exposure
When an OCR investigation examines a telehealth provider's SRA, the absence of telehealth-specific coverage is a finding regardless of whether the SRA is otherwise complete and current.
The "I didn't know the SRA needed to cover telehealth" problem:
HIPAA's SRA requirement covers all ePHI systems and data flows — not only those that existed when the SRA was first conducted. Adding a new clinical delivery channel (telehealth) is a significant environmental change that triggers an SRA update requirement. The fact that the change happened during an emergency does not eliminate the update obligation.
What to do:
Update your SRA to cover your telehealth environment specifically. If you have not conducted an SRA since before telehealth, conduct a new one that covers your full current environment. Document the coverage explicitly in the SRA.
Violation 5: Multi-State Practice Exposure
Citation: HIPAA plus state health privacy laws
This is the least-discussed but fastest-growing compliance risk for telehealth providers: the state-level health privacy frameworks that layer on top of HIPAA for providers serving patients across state lines.
Washington's My Health My Data Act (2024) is the most expansive example. It applies to a broader category of health data than HIPAA, imposes consent requirements for data collection and use that exceed HIPAA's framework, and creates a private right of action that HIPAA does not.
California's CMIA and CPRA impose requirements beyond federal HIPAA for health data, including expanded breach notification requirements and patient rights that exceed the federal standard.
The telehealth multiplication:
An in-person provider serves patients in one location, subject to one state's law. A telehealth provider may serve patients in ten states, each potentially with different health privacy requirements. The compliance obligation scales with the geographic reach of the practice.
For providers who crossed state lines during the pandemic — often because patients moved or because telehealth enabled geographic expansion — the compliance landscape may now include states whose health privacy requirements they have never assessed.
What to do:
For each state where you currently serve patients, assess whether that state has health privacy requirements that exceed HIPAA. If it does, update your privacy policies, informed consent processes, and BAA review procedures to address the state-specific requirements. For practices actively expanding to new states, make the state privacy assessment part of the expansion process before serving the first patient in that state.
The Enforcement Reality
The compliance situation for telehealth in 2026 is this: a large population of providers adopted non-compliant practices during the pandemic, the enforcement protection that covered those practices has ended, and OCR has signaled active enforcement interest.
The violations are not subtle. Using FaceTime for therapy sessions is clearly non-compliant. Storing recordings in personal iCloud is clearly non-compliant. Using an unencrypted family computer for clinical sessions is clearly non-compliant.
The enforcement risk is real. The remediation path is clear. The window for self-directed correction — before an investigation begins — is open but not unlimited.
Based on OCR enforcement guidance and public data as of April 2026. Provided for informational purposes only. Does not constitute legal advice.
