The COVID-19 Public Health Emergency (PHE) was a serious concern for healthcare providers worldwide. It significantly transformed healthcare delivery and accelerated telehealth adoption across medical practices.
During the PHE, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) exercised enforcement discretion and did not impose penalties on covered entities for certain non-compliance with HIPAA requirements related to telehealth.
According to HHS’s HIPAA and Telehealth page, this discretion expired on May 11, 2023, with the end of the COVID-19 PHE. Affected entities were then given a 90-day transition period to bring their telehealth operations into HIPAA compliance, and that period ended on August 9, 2023.
Today, HIPAA compliance is required for telehealth encounters involving covered entities and business associates. This guide covers the following to explain what HIPAA compliance for telehealth involves:
- Security Rule
- Privacy Rule
- Current OCR guidance applicable to telehealth platforms
HIPAA Security Rule and Telehealth
Safeguarding electronic protected health information (ePHI) is required by the HIPAA Security Rule. The rule establishes national standards, and according to the HHS Security Rule Guidance Materials page, covered entities and business associates must implement the:
- Technical safeguards
- Administrative safeguards
- Physical safeguards
These safeguards, the core HIPAA compliance measures for telehealth, protect the confidentiality, integrity, and availability of ePHI stored on or transmitted through telehealth platforms.
Risk Analysis
HHS considers effective risk management a vital component of complying with the Security Rule. Every healthcare practice must therefore have a documented risk analysis that covers its telehealth:
- Workflows
- Vendors
- Platforms
HHS also offers tools and guidance to help entities implement cost-effective safeguards.
Transit Encryption
Encryption is strongly recommended for HIPAA compliance in telehealth. It protects ePHI during transmission across telehealth platforms so that it cannot be read if intercepted. According to the December 27, 2024, HHS NPRM fact sheet, the NPRM proposes the first major revision of the Security Rule in a decade.
The proposed update eliminates the distinction between ‘addressable’ and ‘required’ implementation specifications, which would make encryption mandatory rather than addressable if the rule is finalized.
Business Associate Agreements (BAAs)
According to HHS’s audio-only telehealth guidance, a BAA is needed with any telehealth vendor that creates, maintains, or otherwise handles PHI. The one exception is a vendor that acts only as a “mere conduit” for the data in transit.
A standard telephone service provider that transmits a call but stores no transcripts or recordings is an example of a mere conduit. A vendor that records, stores, or otherwise processes ePHI beyond simple transmission requires a BAA.
Audit Logging and Access Controls
To comply with the Security Rule, and with the proposed NPRM requirements, organizations providing telehealth must implement:
- Audit trails
- Automatic logoffs
- Unique user identification
These safeguards should cover all access to ePHI and apply to every covered entity and business associate.
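As an added illustration of the three safeguards just listed (this is example code written for this guide, not code from the page or from any telehealth vendor), the following Python session manager refuses shared logins so every action is attributable to one named user, logs off a session automatically after a period of inactivity, and records every access decision in an audit trail. The 15-minute idle timeout, the user directory, the shared-login list, and the role-to-record mapping are all constructed assumptions; hash-chaining the audit entries is one common way to make a trail tamper-evident and is an assumption here, not a HIPAA requirement.

```python
"""Example ePHI access controls: unique user IDs, auto-logoff, audit trail.

Constructed for illustration; all names, roles and timeouts are assumptions.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional
import hashlib
import json

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: 15 minutes of inactivity ends a session

# Constructed user directory: every login must resolve to exactly one person.
USERS: Dict[str, Dict[str, str]] = {
    "jdoe": {"name": "Jane Doe", "role": "clinician"},
    "rroe": {"name": "Rob Roe", "role": "billing"},
}
# Generic accounts cannot be attributed to an individual, so they are refused.
SHARED_LOGINS = {"frontdesk", "admin"}
# Record types each role may open (assumption for the example).
ROLE_PERMITS = {"clinician": {"visit_note", "billing"}, "billing": {"billing"}}


@dataclass(frozen=True)
class AuditEvent:
    ts: float
    user_id: str
    action: str            # login | view | logoff | denied
    record: Optional[str]  # "<type>:<id>" or None
    outcome: str           # "ok" or the reason for denial/logoff


class AuditTrail:
    """Append-only trail; each entry's digest covers the previous digest."""

    def __init__(self) -> None:
        self.events: List[AuditEvent] = []
        self.digests: List[str] = []

    @staticmethod
    def _digest(prev: str, ev: AuditEvent) -> str:
        body = json.dumps(asdict(ev), sort_keys=True)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, ev: AuditEvent) -> None:
        prev = self.digests[-1] if self.digests else "0" * 64
        self.events.append(ev)
        self.digests.append(self._digest(prev, ev))

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for ev, d in zip(self.events, self.digests):
            if self._digest(prev, ev) != d:
                return False
            prev = d
        return len(self.events) == len(self.digests)


class SessionManager:
    def __init__(self, trail: AuditTrail, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.trail = trail
        self.idle_timeout = idle_timeout
        self.last_seen: Dict[str, float] = {}  # user_id -> last activity time

    def login(self, user_id: str, now: float) -> bool:
        if user_id in SHARED_LOGINS or user_id not in USERS:
            self.trail.append(AuditEvent(now, user_id, "denied", None, "not_unique_user"))
            return False
        self.last_seen[user_id] = now
        self.trail.append(AuditEvent(now, user_id, "login", None, "ok"))
        return True

    def _logoff(self, user_id: str, now: float, reason: str) -> None:
        self.last_seen.pop(user_id, None)
        self.trail.append(AuditEvent(now, user_id, "logoff", None, reason))

    def logoff(self, user_id: str, now: float) -> None:
        self._logoff(user_id, now, "user")

    def view(self, user_id: str, rec_type: str, rec_id: str, now: float) -> bool:
        """Grant or deny a record view; every outcome is written to the trail."""
        rec = f"{rec_type}:{rec_id}"
        if user_id not in self.last_seen:
            self.trail.append(AuditEvent(now, user_id, "denied", rec, "no_session"))
            return False
        if now - self.last_seen[user_id] > self.idle_timeout:
            self._logoff(user_id, now, "idle_timeout")  # automatic logoff
            self.trail.append(AuditEvent(now, user_id, "denied", rec, "session_expired"))
            return False
        if rec_type not in ROLE_PERMITS[USERS[user_id]["role"]]:
            self.trail.append(AuditEvent(now, user_id, "denied", rec, "role"))
            return False
        self.last_seen[user_id] = now
        self.trail.append(AuditEvent(now, user_id, "view", rec, "ok"))
        return True


def demo():
    """Walk through a constructed sequence of logins and record views."""
    trail = AuditTrail()
    sm = SessionManager(trail)
    results = [
        sm.login("frontdesk", 0.0),                          # shared login refused
        sm.login("jdoe", 0.0),                               # named clinician
        sm.view("jdoe", "visit_note", "V1", 60.0),           # permitted
        sm.view("jdoe", "visit_note", "V2", 60.0 + 16 * 60), # idle > 15 min: auto-logoff
        sm.login("rroe", 2000.0),                            # named billing user
        sm.view("rroe", "visit_note", "V1", 2001.0),         # wrong role
        sm.view("rroe", "billing", "B1", 2002.0),            # permitted
    ]
    actions = [(e.user_id, e.action, e.outcome) for e in trail.events]
    return results, actions, trail.verify()


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

In a real deployment the trail would be written to append-only storage outside the application's control and the user directory would come from the practice's identity provider; the point of the example is that each of the three safeguards produces evidence in the same log a reviewer can later check.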
HIPAA Privacy Rule and Telehealth
The HIPAA Privacy Rule is the other half of HIPAA compliance in telehealth. It requires reasonable safeguards to protect PHI from impermissible use or disclosure, and those safeguards apply equally when care is delivered by telehealth.
HHS specifically expects providers to deliver telehealth services from a private setting, and patients should likewise be encouraged to join telehealth visits from a private setting whenever possible.
Important Note: If privacy cannot be fully assured during a telehealth session, providers should inform patients of the potential risks whenever feasible.
Key Privacy Rule Requirements
The following is a comprehensive breakdown of the HIPAA Privacy Rule requirements for telehealth:
Patient Rights
Patients have several rights according to the Privacy Rule, which include the right to:
- Access their telehealth records
- Request amendments
- Receive an accounting of disclosures
Quick Insight: Patient rights are the same for both in-person encounters and telehealth services.
Notice of Privacy Practices
For HIPAA compliance in telehealth, covered entities must give patients a Notice of Privacy Practices describing how PHI is used and disclosed. A practice that begins offering telehealth services should review its notice.
The review confirms that the notice still reflects how PHI is handled once remote communication technologies are in use, including the involvement of any third-party vendors or communication technologies used in telehealth services.
Minimum Necessary Standard
Patient data is sensitive and requires careful handling. Providers should therefore limit any use or disclosure of PHI to the minimum necessary for the telehealth interaction.
Authorization Requirements
As with in-person care, using or disclosing PHI during telehealth requires the patient’s written authorization unless the PHI is used for:
- Treatment
- Payment
- Operations
These authorization requirements help ensure compliance with HIPAA privacy standards during telehealth encounters.
HIPAA Compliance Considerations for Telehealth
In addition to the Security and Privacy Rules discussed above, two other pieces of OCR guidance play a vital role in HIPAA compliance for telehealth:
Configuration Options
In telehealth, whether a platform can be used in a HIPAA-compliant way depends on factors such as:
- Whether the platform will sign a BAA
- Whether the platform supports end-to-end encryption
- Whether it provides access and audit controls
- Whether it can be configured to stop unwanted data collection
No platform is inherently HIPAA-compliant by name alone; it must meet these standards in its contractual terms and configuration.
Online Tracking Tech
According to the HHS bulletin on online tracking technologies, regulated entities must ensure that technologies that track online activity on their websites and apps do not improperly disclose PHI to unauthorized third parties.
The Federal Trade Commission (FTC) and OCR have warned healthcare organizations about the privacy and security risks associated with online tracking technologies used on patient-facing websites and portals.
HIPAA Compliance Challenges in Telehealth
Despite established regulations, ensuring HIPAA compliance in telehealth can be challenging for practices. The following are some of the most common challenges healthcare professionals and patients encounter.
Breach Notification Complexity
Under the HIPAA Breach Notification Rule, covered entities must notify affected patients, HHS, and, in certain cases, the media when unsecured ePHI is compromised.
Note: Media notification generally applies when a breach affects more than 500 residents of a single state or jurisdiction. A telehealth-specific breach, such as a vendor handling PHI without a valid BAA in place, can lead to an OCR investigation just like any other PHI breach.
Changing Regulations
Regulatory requirements continue to change. For instance, the December 2024 NPRM proposed stricter requirements involving:
- Stricter encryption
- Enhanced access controls
- Expanded risk analysis requirements
Although the comment period ended on March 7, 2025, the rule has not been finalized. Practices should nonetheless prepare for stricter requirements.
Multi-State Telehealth
Telehealth rules vary from state to state. For example, the state-level health data privacy laws of California, Nevada, and Connecticut impose requirements beyond HIPAA compliance for telehealth.
This is especially relevant for sensitive services such as reproductive care or behavioral health, where additional requirements may include:
- Consent
- Notice
- Data-segmentation obligations
Patient Environment
Telehealth patients are remote, so providers cannot control the patient’s environment during a session. According to HHS guidance, providers may encourage patients to participate from a private location but cannot guarantee it.
Vendor BAA Gaps
Several platforms adopted during the COVID-19 PHE were used under enforcement discretion without signed BAAs. Since August 9, 2023, vendors without an executed BAA should be avoided to maintain HIPAA compliance in telehealth.
Ensure HIPAA Compliance for Telehealth with NeuraBill
HIPAA compliance and accurate telehealth billing often overlap operationally because both involve handling protected patient information and payer requirements.
Handling PHI outside HIPAA requirements can trigger OCR enforcement, which may mean compliance investigations, penalties, or reimbursement disputes.
Practices that struggle with HIPAA compliance in their telehealth and billing workflows may benefit from NeuraBill’s medical billing and coding services.
Their professionals specialize in:
- Claim submission
- Modifier compliance
- Payer-specific telehealth rules
With their assistance, you can focus on care delivery rather than HIPAA compliance.