Intermediate · 18 min read

Telehealth Compliance Guide

Ensuring HIPAA compliance for virtual visits, remote patient monitoring, and digital communications.

Platform Requirements · Patient Consent · Technical Safeguards · Documentation · Best Practices

Telehealth and HIPAA

Telehealth has become an essential part of healthcare delivery. Whether you're conducting video visits, using remote patient monitoring, or communicating digitally with patients, HIPAA compliance remains critical.

Key Compliance Considerations

1. Platform Selection

Not all video conferencing tools are HIPAA compliant. Ensure your platform provides the following:

Required Features:

  • End-to-end encryption
  • Access controls
  • Audit logging
  • Business Associate Agreement available

HIPAA-Compliant Platforms:

  • Doxy.me
  • Zoom for Healthcare
  • Microsoft Teams (with BAA)
  • Google Meet (with BAA)
  • Teladoc
  • Amwell
  • SimplePractice
  • VSee

NOT Compliant (for patient care):

  • Standard Zoom
  • FaceTime
  • Skype (consumer version)
  • Facebook Messenger
  • WhatsApp
  • Standard Google Hangouts

Note: During the COVID-19 public health emergency, HHS applied enforcement discretion to telehealth platforms. That discretion has expired; use compliant platforms now.

2. Business Associate Agreements

You need BAAs with:

  • Video platform providers
  • EHR vendors (if integrated)
  • Cloud storage providers
  • Any third party handling PHI

Before using any platform:

  1. Verify they'll sign a BAA
  2. Review their security practices
  3. Understand their compliance certifications

3. Technical Safeguards

Implement appropriate security measures:

Encryption:

  • Video/audio encrypted in transit
  • Stored recordings encrypted at rest
  • Minimum 128-bit encryption

Access Controls:

  • Unique user IDs
  • Strong password requirements
  • Waiting rooms/meeting locks
  • Two-factor authentication (recommended)

Audit Trails:

  • Log all sessions
  • Track who accessed what
  • Maintain logs per retention policy
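The three audit-trail bullets above (log every session, track who accessed what, keep logs for the retention period) are easier to reason about with a concrete log structure in front of you. The following is an added example written for this guide; it is not code from the guide or from HIPAA Agent, and the platform name, user IDs, visit identifier and the 6-year retention default are placeholder assumptions. Each entry carries the hash of the entry before it, so an edited or deleted entry is detectable when the chain is verified, which is the property an auditor is looking for when they ask whether your logs can be trusted.

```python
"""Tamper-evident audit trail for telehealth sessions.

Added example for this guide, not code from the guide or from HIPAA Agent.
Events are appended in chronological order; each entry carries the hash of
the previous one, so an altered or deleted entry is detectable on review.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Placeholder assumption: the guide says "per retention policy" and sets no
# number. Replace with the period your policy and applicable law require.
DEFAULT_RETENTION = timedelta(days=6 * 365)
GENESIS = "0" * 64


def _canonical(event: Dict) -> bytes:
    """Stable serialization so a recomputed hash matches the stored one."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


@dataclass
class AuditLog:
    events: List[Dict] = field(default_factory=list)
    anchor: str = GENESIS  # hash the first live entry must link to

    def record(self, actor: str, action: str, resource: str,
               platform: str, when: Optional[datetime] = None) -> Dict:
        """Append one event (who did what, to which session, on which platform)."""
        when = when or datetime.now(timezone.utc)
        prev_hash = self.events[-1]["hash"] if self.events else self.anchor
        event = {
            "ts": when.isoformat(),
            "actor": actor,        # unique user ID, never a shared login
            "action": action,      # e.g. session_start, session_join, recording_view
            "resource": resource,  # visit or record identifier
            "platform": platform,
            "prev_hash": prev_hash,
        }
        event["hash"] = hashlib.sha256(_canonical(event)).hexdigest()
        self.events.append(event)
        return event

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any entry was edited or removed."""
        prev = self.anchor
        for ev in self.events:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(_canonical(body)).hexdigest() != ev["hash"]:
                return False
            prev = ev["hash"]
        return True

    def who_accessed(self, resource: str) -> List[str]:
        """Distinct actors that touched a resource, in first-seen order."""
        seen: List[str] = []
        for ev in self.events:
            if ev["resource"] == resource and ev["actor"] not in seen:
                seen.append(ev["actor"])
        return seen

    def prune(self, now: datetime, retention: timedelta = DEFAULT_RETENTION) -> List[Dict]:
        """Remove entries older than the retention window from the front of the log.

        The anchor moves to the last removed entry's hash, so the remaining
        chain still verifies. Archive the returned entries before discarding.
        """
        cutoff = now - retention
        removed: List[Dict] = []
        while self.events and datetime.fromisoformat(self.events[0]["ts"]) < cutoff:
            ev = self.events.pop(0)
            self.anchor = ev["hash"]
            removed.append(ev)
        return removed


def build_sample_log() -> AuditLog:
    """Constructed sample events for one video visit (not real data)."""
    log = AuditLog()
    t0 = datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc)
    log.record("dr.lee", "session_start", "visit-1001", "video-platform", t0)
    log.record("pt-77", "session_join", "visit-1001", "video-platform", t0 + timedelta(minutes=2))
    log.record("dr.lee", "session_end", "visit-1001", "video-platform", t0 + timedelta(minutes=25))
    log.record("ma.ortiz", "recording_view", "visit-1001", "video-platform", t0 + timedelta(days=1))
    return log


def prune_demo() -> tuple:
    """Prune the sample log with a short 4-day window (demo value, not a policy)."""
    log = build_sample_log()
    now = datetime(2024, 3, 9, 12, 0, tzinfo=timezone.utc)
    removed = log.prune(now, retention=timedelta(days=4))
    return len(removed), len(log.events), log.verify_chain()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain ok:", log.verify_chain())
    print("accessed visit-1001:", log.who_accessed("visit-1001"))
    print("pruned, kept, still ok:", prune_demo())
```

In practice the entries would be written to append-only storage that the session platform's own users cannot modify, and `verify_chain()` would run on a schedule so that a broken link is noticed before an audit rather than during one. Pruning only from the oldest end and recording the new anchor keeps the retained portion verifiable after old entries are archived.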

4. Patient Consent

Informed Consent Should Cover:

  • Nature of telehealth services
  • Potential risks (technology failures, privacy)
  • Patient responsibilities
  • Emergency procedures
  • Recording policies
  • Alternative options

Sample Consent Elements:

TELEHEALTH INFORMED CONSENT

I understand that:

1. Telehealth involves electronic communication of my health
   information.

2. There are potential risks including technology failures,
   unauthorized access, and limitations of the technology.

3. I have the right to withdraw consent at any time.

4. My provider will take reasonable steps to protect my information.

5. There may be circumstances where in-person care is necessary.

6. [If applicable] Sessions may be recorded for [purpose].

I consent to receive telehealth services from [Provider Name].

Patient Signature: _____________ Date: _____________

5. Privacy Considerations

Provider Environment:

  • Private location for sessions
  • No unauthorized individuals present
  • Screen positioned away from others
  • Background checked for PHI visibility

Patient Environment:

  • Advise patients on privacy
  • Suggest private location
  • Verify patient identity
  • Confirm they can speak freely

Waiting Room Procedures:

  • Use virtual waiting rooms
  • Verify patient identity before admitting
  • Don't leave patients waiting with open access

Documentation Requirements

Session Documentation

Document telehealth visits as you would in-person visits:

  • Date and time of session
  • Participants (patient, others present)
  • Platform used
  • Technical issues encountered
  • Clinical documentation
  • Consent obtained

Technical Documentation

Maintain records of:

  • Platform compliance verification
  • BAAs with technology vendors
  • Security configurations
  • Staff training on telehealth

Best Practices

Before the Visit

  1. Verify patient identity
    • Ask security questions
    • Confirm date of birth
    • Visual confirmation
  2. Confirm consent
    • Telehealth consent on file
    • Review any changes
  3. Test technology
    • Check audio/video
    • Verify internet connection
    • Have backup plan ready
  4. Prepare environment
    • Private space
    • Good lighting
    • Professional background

During the Visit

  1. Maintain professionalism
    • Same standards as in-person
    • Appropriate attire
    • Full attention
  2. Ensure privacy
    • Verify patient is in private location
    • Ask if they can speak freely
    • Be aware of your surroundings
  3. Handle technical issues
    • Have phone backup ready
    • Know how to troubleshoot
    • Document any problems
  4. Document thoroughly
    • Same detail as in-person
    • Note telehealth modality
    • Record any limitations

After the Visit

  1. Secure recordings (if any)
    • Encrypt storage
    • Limit access
    • Define retention period
  2. Complete documentation
    • Finalize notes promptly
    • Include telehealth-specific details
  3. Follow up
    • Schedule next appointment
    • Provide visit summary
    • Ensure patient questions answered

Remote Patient Monitoring

Additional Considerations

Device Security:

  • Encrypted data transmission
  • Secure device configuration
  • Patient education on device use

Data Management:

  • Define what data is collected
  • Establish transmission schedules
  • Create alert thresholds
  • Document response procedures

Patient Education:

  • How to use devices
  • When to seek immediate care
  • Privacy of device data
  • Troubleshooting basics

Digital Communications

Patient Portals

HIPAA-Compliant Approach:

  • Secure messaging through EHR portal
  • Patient authenticates to access
  • Messages encrypted
  • Audit trail maintained

Email with Patients

If you must use email:

  • Get patient consent
  • Use encryption
  • Minimize PHI in subject lines
  • Don't include sensitive information
  • Document consent to email

Better Alternatives:

  • Use secure patient portal messaging
  • Encrypted email services
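"Minimize PHI in subject lines" is the one e-mail rule above that can be enforced mechanically, because the subject line travels in the clear even when the body is encrypted. The following pre-send check is an added example written for this guide, not code from the guide or from HIPAA Agent; the regular expressions and the clinical word list are illustrative heuristics chosen here, not a definition of PHI, and the replacement subject text is an assumption. It flags dates, SSN-shaped numbers, record numbers, phone numbers and clinical terms, and swaps a flagged subject for a neutral one that points the patient to the portal.

```python
"""Pre-send screening of patient e-mail subject lines for likely PHI.

Added example for this guide, not code from the guide or from HIPAA Agent.
The patterns below are heuristics chosen for the example, not an exhaustive
PHI definition; patient names, for instance, need a roster lookup this omits.
"""
import re
from typing import List, Tuple

# Identifier shapes that commonly leak into subject lines.
_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("date", re.compile(r"\b\d{1,2}[/-]\d{1,2}[/-]\d{2,4}\b")),           # DOB, visit date
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("record number", re.compile(r"\b(?:MRN|acct|account)\s*#?\s*\d{4,}\b", re.I)),
    ("phone", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")),
]

# Words that reveal the nature of care. Illustrative list only; extend per practice.
_CLINICAL_TERMS = ("diagnosis", "lab result", "test result", "prescription",
                   "biopsy", "hiv", "psychiatr", "pregnan", "oncology")

# Assumed neutral replacement; reveals nothing beyond the sender relationship.
GENERIC_SUBJECT = "A secure message is waiting for you in the patient portal"


def screen_subject(subject: str) -> List[str]:
    """Return the categories of likely PHI found in a subject line (empty = clean)."""
    findings = [name for name, pat in _PATTERNS if pat.search(subject)]
    lowered = subject.lower()
    if any(term in lowered for term in _CLINICAL_TERMS):
        findings.append("clinical term")
    return findings


def safe_subject(subject: str) -> str:
    """Replace a flagged subject with the neutral one; leave clean subjects unchanged."""
    return GENERIC_SUBJECT if screen_subject(subject) else subject


if __name__ == "__main__":
    # Constructed sample subjects, not real messages.
    for s in ("Appointment reminder",
              "Lab results for John Doe DOB 01/02/1980",
              "MRN 123456 follow-up"):
        print(f"{s!r} -> {screen_subject(s)} -> {safe_subject(s)!r}")
```

Run this from the mail-merge or portal notification step, before the message reaches the sending system, and log the category of each finding (not the flagged text itself) so the check can be tuned without creating a second copy of the PHI.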

Text Messaging

Standard SMS is NOT secure:

  • Unencrypted
  • Can be intercepted
  • Remains on carrier servers

Compliant Alternatives:

  • Secure messaging apps
  • Patient portal messaging
  • Encrypted texting platforms

COVID-19 Flexibilities - What's Changed

During the public health emergency, HHS allowed:

  • Use of non-compliant platforms
  • Reduced enforcement for good faith efforts

Current Status (Post-PHE):

  • Return to standard enforcement
  • Use compliant platforms
  • Maintain full safeguards

Staff Training for Telehealth

Train staff on:

  • Platform operation
  • Security features
  • Patient verification
  • Privacy practices
  • Troubleshooting
  • Documentation requirements
  • Emergency procedures

Telehealth Compliance Checklist

Platform Requirements

  • Platform is HIPAA compliant
  • BAA signed with vendor
  • Encryption verified
  • Access controls configured
  • Audit logging enabled

Policies and Procedures

  • Telehealth policy documented
  • Consent forms updated
  • Documentation templates ready
  • Emergency procedures defined

Technical Setup

  • Equipment tested
  • Network security verified
  • Backup methods ready
  • Staff trained on technology

Privacy and Security

  • Provider environment secure
  • Patient verification procedures
  • Recording policies defined
  • Data retention established

How HIPAA Agent Helps with Telehealth Compliance

Telehealth introduces unique compliance challenges that most practices are not equipped to handle on their own. Every video visit, secure message, and remote monitoring session creates ePHI that must be encrypted, logged, and protected according to HIPAA standards. The platforms you use, the consent you collect, and the documentation you maintain all factor into your compliance posture, and a gap in any of these areas puts your practice at risk.

HIPAA Agent provides telehealth-specific compliance coverage across scanning, policy generation, and staff training. Rather than treating telehealth as an afterthought, HIPAA Agent evaluates your telehealth infrastructure alongside your broader compliance program to ensure nothing is missed.

Key Features

  • 83-tool external scan includes telehealth-specific security checks that evaluate the encryption, authentication, and security headers of your telehealth platform's web infrastructure
  • Policy generation with telehealth considerations covering platform requirements, patient consent procedures, provider environment standards, and technical safeguards for virtual visits
  • Staff training modules that cover telehealth privacy and security including patient verification during video visits, secure messaging protocols, and managing PHI in remote work environments
  • Encryption verification for video conferencing and messaging platforms to confirm that your telehealth vendors meet HIPAA transmission security requirements
  • Telehealth compliance evidence documentation that produces audit-ready records of your platform assessments, consent procedures, and training completion
  • BAA tracking for telehealth vendors so you never operate on a platform without a signed Business Associate Agreement

All telehealth compliance features are included with Concierge ($299/mo billed annually). Start with a free HIPAA Agent Compliance Score™ to see how your practice's telehealth infrastructure measures up.

Ready to Automate Your Compliance?

HIPAA Agent handles all of this for you automatically.

