Telehealth and HIPAA
Telehealth has transformed healthcare delivery, but virtual visits still involve PHI. Video sessions, messaging, and stored recordings must all comply with HIPAA. During the COVID-19 public health emergency, HHS relaxed enforcement for good-faith use of non-HIPAA-compliant tools. As enforcement normalizes, telehealth platforms must ensure full compliance.
Video Platform Requirements
Telehealth video platforms must provide:
- End-to-end or strong encryption for video and audio
- Unique user authentication
- Session controls (waiting rooms, host controls)
- A signed Business Associate Agreement (BAA) from the vendor
- Audit logging of session metadata
Popular HIPAA-compliant options include Zoom for Healthcare, Doxy.me, and platforms that integrate with EHR systems and offer BAAs.
Secure Messaging
Standard SMS and consumer messaging apps (e.g., WhatsApp for personal use) are not HIPAA-compliant. Use secure messaging platforms designed for healthcare that offer encryption, BAAs, and access controls. Never send PHI via unencrypted email.
Recording and Storage
If you record telehealth sessions, ensure recordings are encrypted, access-controlled, and retained according to your policies and state law. Obtain patient consent for recording when required. Include recording retention and deletion in your HIPAA policies.
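As an added example (not code from the original page or from any vendor platform) of the access-control, retention and audit-logging requirements above, a small Python module that decides who may open a stored recording and which recordings are due for deletion; the role names, retention values, legal-hold flag and sample records are assumptions, and encryption of the recording bytes is assumed to be done by the storage backend.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example, not from the page or any vendor: a retention-and-access layer
# for stored telehealth recordings. The storage backend is assumed to encrypt
# the file body; this layer enforces who may open a recording, when it must be
# deleted, and writes an audit entry (metadata only) for every decision.

@dataclass
class Recording:
    recording_id: str
    patient_id: str
    clinician_id: str
    created_at: datetime
    retention_days: int        # assumed policy value; set from org policy / state law
    legal_hold: bool = False   # a hold overrides the retention clock

audit_log: list[dict] = []    # session/recording metadata only, never content

def _audit(event: str, recording_id: str, actor: str, allowed: bool) -> None:
    audit_log.append({"event": event, "recording_id": recording_id, "actor": actor,
                      "allowed": allowed, "at": datetime.now(timezone.utc).isoformat()})

def may_access(rec: Recording, actor_id: str, role: str) -> bool:
    """Least-privilege check: only the patient, the treating clinician, or a
    compliance officer may open a recording; every other request is denied."""
    allowed = ((role == "patient" and actor_id == rec.patient_id)
               or (role == "clinician" and actor_id == rec.clinician_id)
               or role == "compliance_officer")
    _audit("access", rec.recording_id, actor_id, allowed)
    return allowed

def retention_sweep(recordings: list[Recording], now: datetime) -> list[str]:
    """Return ids whose retention window has elapsed and that are not on hold."""
    due = []
    for rec in recordings:
        expires_at = rec.created_at + timedelta(days=rec.retention_days)
        if now >= expires_at and not rec.legal_hold:
            due.append(rec.recording_id)
            _audit("retention_delete", rec.recording_id, "retention-job", True)
    return due

# Constructed sample data (hypothetical ids and dates) for a stand-alone run.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDINGS = [
    Recording("rec-1", "pat-42", "dr-7", datetime(2023, 1, 1, tzinfo=timezone.utc), 365),
    Recording("rec-2", "pat-42", "dr-7", datetime(2024, 5, 1, tzinfo=timezone.utc), 365),
    Recording("rec-3", "pat-99", "dr-7", datetime(2022, 1, 1, tzinfo=timezone.utc), 365, legal_hold=True),
]
```

Running `retention_sweep(SAMPLE_RECORDINGS, SAMPLE_NOW)` flags only `rec-1`: `rec-2` is still inside its window and `rec-3` is expired but under legal hold.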
Patient Access and Portability
Patients have the right to access their health information. If your platform stores PHI, provide a secure way for patients to request and receive their data. Plan for data portability in your architecture.
Conclusion
HIPAA-compliant telehealth requires secure video, encrypted messaging, proper BAAs, and careful handling of recorded sessions. Choose vendors that sign BAAs and build compliance into your platform from the start.