Intermediate · 18 min read

Telehealth Compliance Guide

Ensuring HIPAA compliance for virtual visits, remote patient monitoring, and digital communications.


Telehealth and HIPAA

Telehealth has become an essential part of healthcare delivery. Whether you conduct video visits, use remote patient monitoring, or communicate with patients digitally, the HIPAA Privacy and Security Rules apply to the protected health information (PHI) you create, transmit and store exactly as they do for in-person care.

Key Compliance Considerations

1. Platform Selection

No video conferencing tool is "HIPAA certified"; HHS does not certify products. Whether your use of a platform is compliant depends on the vendor signing a Business Associate Agreement (BAA) and on you configuring and using the platform in line with the Security Rule. At minimum, ensure your platform provides:

Required Features:

  • Encryption of video, audio and chat in transit (end-to-end encryption where the platform offers it)
  • Access controls (unique user accounts, waiting rooms, meeting locks)
  • Audit logging of sessions and of access to recordings
  • A Business Associate Agreement the vendor will sign

Platforms That Offer a BAA (commonly used for patient care):

  • Doxy.me
  • Zoom for Healthcare
  • Microsoft Teams (with BAA)
  • Google Meet (with BAA)
  • Teladoc
  • Amwell
  • SimplePractice
  • VSee

Not Acceptable for Patient Care (consumer products with no BAA available):

  • Standard Zoom (free/consumer accounts without a BAA)
  • FaceTime
  • Skype (consumer version)
  • Facebook Messenger
  • WhatsApp
  • Standard Google Hangouts (consumer; since discontinued)

Note: During the COVID-19 public health emergency, HHS OCR exercised enforcement discretion for good-faith telehealth use of non-public-facing tools. That discretion ended with the PHE on May 11, 2023, and the 90-day transition period closed on August 9, 2023. Use platforms with a BAA now.

2. Business Associate Agreements

You need BAAs with:

  • Video platform providers
  • EHR vendors (if integrated)
  • Cloud storage providers
  • Any third party handling PHI

Before using any platform:

  1. Verify they'll sign a BAA
  2. Review their security practices
  3. Understand their compliance certifications

3. Technical Safeguards

Implement appropriate security measures:

Encryption:

  • Video/audio encrypted in transit (TLS 1.2 or later; HHS points to NIST SP 800-52 for transport encryption)
  • Stored recordings and chat transcripts encrypted at rest (AES-128 or stronger, per NIST SP 800-111)
  • Keys managed by the covered entity or the business associate under the BAA, not by end users

Access Controls:

  • Unique user IDs (no shared logins, even for a shared clinic room)
  • Strong password requirements
  • Waiting rooms/meeting locks so nobody joins a session unadmitted
  • Multi-factor authentication (strongly recommended for all provider and staff accounts)

Audit Trails:

  • Log every session: start and end time, participants, and platform
  • Track who accessed what: each view or download of a recording or session record, tied to a unique user ID
  • Keep logs tamper-evident and retain them per your documented retention policy
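Audit controls are the safeguard above that you typically build in your own systems rather than get from the video vendor, so the following is an added illustration of the three bullets (log every session, track who accessed what, retain per policy). It is example code written for this guide, not code from the page or from any telehealth vendor. The event and field names, the 6-year retention window (borrowed from the documentation retention rule at 45 CFR 164.316(b)(2)), the keyed pseudonymization of patient identifiers, and the hash chain that makes deleted or edited entries detectable are all design assumptions, as is the constructed sample data.

```python
"""Tamper-evident, pseudonymized audit trail for telehealth sessions.

Added example for this guide, not vendor or page code. Field names, the
retention window and the sample events below are assumptions.
"""
from __future__ import annotations

import copy
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumed secret used to pseudonymize patient identifiers inside the log.
# In a real deployment it comes from a KMS or secret store, never from source code.
PSEUDONYM_KEY = b"replace-with-kms-managed-key"

# Assumed retention window: 6 years, mirroring HIPAA's documentation rule.
RETENTION = timedelta(days=6 * 365)

GENESIS_HASH = "0" * 64
SAMPLE_T0 = datetime(2024, 3, 4, 15, 0, tzinfo=timezone.utc)  # constructed timestamp


def pseudonymize(patient_id: str) -> str:
    """Keyed hash: the log stays searchable by patient without storing the raw MRN."""
    return hmac.new(PSEUDONYM_KEY, patient_id.encode(), hashlib.sha256).hexdigest()[:16]


def _event_hash(event: dict) -> str:
    """Hash over canonical JSON so key order cannot change the digest."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only event list; each event commits to the hash of its predecessor."""

    def __init__(self) -> None:
        self.events: list = []

    def record(self, *, actor: str, action: str, session_id: str,
               patient_id: str, platform: str, at: datetime) -> dict:
        prev = self.events[-1]["hash"] if self.events else GENESIS_HASH
        body = {
            "ts": at.astimezone(timezone.utc).isoformat(),
            "actor": actor,              # unique user ID, never a shared login
            "action": action,            # e.g. session.start, recording.view
            "session_id": session_id,
            "patient": pseudonymize(patient_id),
            "platform": platform,
            "prev": prev,                # hash of the previous event (chain link)
        }
        body["hash"] = _event_hash(body)
        self.events.append(body)
        return body

    def verify_chain(self) -> bool:
        """False if any entry was edited, removed or reordered after the fact."""
        prev = GENESIS_HASH
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["prev"] != prev or _event_hash(body) != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def who_accessed(self, patient_id: str) -> list:
        """'Track who accessed what': (timestamp, actor, action) for one patient."""
        token = pseudonymize(patient_id)
        return [(e["ts"], e["actor"], e["action"]) for e in self.events if e["patient"] == token]

    def expired(self, now: datetime) -> list:
        """Entries older than the retention window, eligible for documented disposal."""
        cutoff = now - RETENTION
        return [e for e in self.events if datetime.fromisoformat(e["ts"]) < cutoff]


def leaks_raw_identifier(log: AuditLog, patient_id: str) -> bool:
    """Minimum-necessary check: the raw MRN must never appear in serialized log data."""
    return patient_id in json.dumps(log.events)


def detects_edit(log: AuditLog) -> bool:
    """Simulate an insider rewriting one entry and confirm the chain catches it."""
    tampered = copy.deepcopy(log)
    tampered.events[1]["actor"] = "someone.else"
    return not tampered.verify_chain()


def build_sample_log() -> AuditLog:
    """Constructed sample events (not real data): an old visit plus one video visit."""
    log = AuditLog()
    log.record(actor="dr.lee", action="session.start", session_id="S-0042",
               patient_id="MRN-000999", platform="video-platform",
               at=SAMPLE_T0 - timedelta(days=7 * 365))  # already outside retention
    log.record(actor="dr.lee", action="session.start", session_id="S-1001",
               patient_id="MRN-000123", platform="video-platform", at=SAMPLE_T0)
    log.record(actor="dr.lee", action="session.end", session_id="S-1001",
               patient_id="MRN-000123", platform="video-platform",
               at=SAMPLE_T0 + timedelta(minutes=25))
    log.record(actor="nurse.kim", action="recording.view", session_id="S-1001",
               patient_id="MRN-000123", platform="video-platform",
               at=SAMPLE_T0 + timedelta(days=1))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify_chain())
    print("accessed MRN-000123:", sample.who_accessed("MRN-000123"))
    print("expired entries:", len(sample.expired(SAMPLE_T0 + timedelta(days=2))))
```

Two points in the design are worth carrying into a real implementation: the chain only proves integrity if the latest hash is periodically copied somewhere the log writers cannot modify (a separate account, WORM storage, or a signed checkpoint), and pseudonymizing the patient field does not make the log non-PHI, since it can still be linked back with the key; it simply means a leaked log file exposes less than a leaked file of raw MRNs.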

4. Patient Consent

Informed Consent Should Cover:

  • Nature of telehealth services
  • Potential risks (technology failures, privacy)
  • Patient responsibilities
  • Emergency procedures
  • Recording policies
  • Alternative options

Sample Consent Elements:

TELEHEALTH INFORMED CONSENT

I understand that:

1. Telehealth involves electronic communication of my health
   information.

2. There are potential risks including technology failures,
   unauthorized access, and limitations of the technology.

3. I have the right to withdraw consent at any time.

4. My provider will take reasonable steps to protect my information.

5. There may be circumstances where in-person care is necessary.

6. [If applicable] Sessions may be recorded for [purpose].

I consent to receive telehealth services from [Provider Name].

Patient Signature: _____________ Date: _____________

5. Privacy Considerations

Provider Environment:

  • Private location for sessions
  • No unauthorized individuals present
  • Screen positioned away from others
  • Background checked for PHI visibility

Patient Environment:

  • Advise patients on privacy
  • Suggest private location
  • Verify patient identity
  • Confirm they can speak freely

Waiting Room Procedures:

  • Use virtual waiting rooms
  • Verify patient identity before admitting
  • Don't leave patients waiting with open access

Documentation Requirements

Session Documentation

Document telehealth visits as you would in-person visits:

  • Date and time of session
  • Participants (patient, others present)
  • Platform used
  • Technical issues encountered
  • Clinical documentation
  • Consent obtained

Technical Documentation

Maintain records of:

  • Platform compliance verification
  • BAAs with technology vendors
  • Security configurations
  • Staff training on telehealth

Best Practices

Before the Visit

  1. Verify patient identity

    • Ask security questions
    • Confirm date of birth
    • Visual confirmation
  2. Confirm consent

    • Telehealth consent on file
    • Review any changes
  3. Test technology

    • Check audio/video
    • Verify internet connection
    • Have backup plan ready
  4. Prepare environment

    • Private space
    • Good lighting
    • Professional background

During the Visit

  1. Maintain professionalism

    • Same standards as in-person
    • Appropriate attire
    • Full attention
  2. Ensure privacy

    • Verify patient is in private location
    • Ask if they can speak freely
    • Be aware of your surroundings
  3. Handle technical issues

    • Have phone backup ready
    • Know how to troubleshoot
    • Document any problems
  4. Document thoroughly

    • Same detail as in-person
    • Note telehealth modality
    • Record any limitations

After the Visit

  1. Secure recordings (if any)

    • Encrypt storage
    • Limit access
    • Define retention period
  2. Complete documentation

    • Finalize notes promptly
    • Include telehealth-specific details
  3. Follow-up

    • Schedule next appointment
    • Provide visit summary
    • Ensure patient questions answered

Remote Patient Monitoring

Additional Considerations

Device Security:

  • Encrypted data transmission
  • Secure device configuration
  • Patient education on device use

Data Management:

  • Define what data is collected
  • Establish transmission schedules
  • Create alert thresholds
  • Document response procedures

Patient Education:

  • How to use devices
  • When to seek immediate care
  • Privacy of device data
  • Troubleshooting basics

Digital Communications

Patient Portals

HIPAA Compliant Approach:

  • Secure messaging through EHR portal
  • Patient authenticates to access
  • Messages encrypted
  • Audit trail maintained

Email with Patients

If you must use email:

  • Get and document the patient's consent to receive PHI by email, after explaining the risks
  • Use encryption in transit (TLS) and, for sensitive content, end-to-end encrypted email
  • Keep PHI out of subject lines, which are often logged and previewed unencrypted
  • Limit content to the minimum necessary (appointment logistics rather than diagnoses or results)
  • Verify the address before sending; misdirected email is a common reportable breach

Better Alternative:

  • Use secure patient portal messaging
  • Encrypted email services covered by a BAA

Text Messaging

Standard SMS is NOT secure:

  • Not encrypted end to end; carriers and handsets handle messages in plaintext
  • Can be intercepted or redirected (for example, through SIM-swap attacks)
  • Retained on carrier servers and on any device the number is shared with

Compliant Alternatives:

  • Secure messaging apps
  • Patient portal messaging
  • Encrypted texting platforms

COVID-19 Flexibilities - What's Changed

During the public health emergency, HHS OCR exercised enforcement discretion that allowed:

  • Good-faith use of non-public-facing consumer tools without a BAA (for example FaceTime or Skype); public-facing services such as live streaming were never covered
  • Reduced enforcement for good-faith telehealth efforts

Current Status (Post-PHE):

  • The discretion ended with the PHE on May 11, 2023; the 90-day transition period closed August 9, 2023
  • Standard enforcement applies; use platforms with a signed BAA
  • Maintain the full set of administrative, physical and technical safeguards

Staff Training for Telehealth

Train staff on:

  • Platform operation
  • Security features
  • Patient verification
  • Privacy practices
  • Troubleshooting
  • Documentation requirements
  • Emergency procedures

Telehealth Compliance Checklist

Platform Requirements

  • Platform is HIPAA compliant
  • BAA signed with vendor
  • Encryption verified
  • Access controls configured
  • Audit logging enabled

Policies and Procedures

  • Telehealth policy documented
  • Consent forms updated
  • Documentation templates ready
  • Emergency procedures defined

Technical Setup

  • Equipment tested
  • Network security verified
  • Backup methods ready
  • Staff trained on technology

Privacy and Security

  • Provider environment secure
  • Patient verification procedures
  • Recording policies defined
  • Data retention established

HIPAA Agent helps you maintain telehealth compliance with vendor assessment tools, consent form templates, and compliance checklists tailored to your telehealth services.

