Telehealth has permanently changed how patients access care. Video consultations, remote monitoring, patient portals, secure messaging, and virtual triage are now part of everyday healthcare delivery. For patients, this can mean faster access, fewer journeys, and more flexible care. For healthcare providers and digital health organisations, it also creates a more complex compliance environment.
The Health Insurance Portability and Accountability Act, known as HIPAA, still applies when care is delivered remotely. The Privacy Rule and Security Rule do not disappear because the consultation happens through a screen. In fact, HIPAA compliance for telehealth can be more demanding in some areas because protected health information moves through third-party platforms, clinicians may work from home, and patients may join appointments from private or shared spaces.
In-person care usually takes place in a controlled clinical environment. Telehealth often takes place across several environments at once: the provider’s device, the patient’s home, the telehealth platform, the internet connection, the electronic health record, and any storage or messaging systems linked to the appointment.
This guide explains how telehealth privacy rules differ from traditional care, what HIPAA telehealth requirements mean in practice, and how healthcare and digital health teams can build a sustainable compliance programme.
What does HIPAA specifically require from telehealth providers?
HIPAA applies to covered entities and business associates. In a telehealth context, this may include healthcare providers, health plans, telehealth platform operators, cloud vendors, remote monitoring services, and other suppliers that create, receive, maintain, or transmit protected health information on behalf of a covered entity.
Does HIPAA apply to all types of telehealth service — or only certain delivery models?
HIPAA can apply to different forms of telehealth, including video consultations, audio-only appointments, remote patient monitoring, secure messaging, image sharing, digital intake forms, and patient portal communications. The key question is not only the technology used, but whether protected health information is being handled by a covered entity or business associate.
For example, a doctor using a video platform to discuss symptoms, treatment, test results, or prescriptions is handling PHI. A remote monitoring provider receiving patient readings may also be handling PHI. A telehealth platform storing appointment recordings, chat messages, or patient-uploaded documents may be creating or maintaining PHI on behalf of a healthcare provider.
How the HIPAA Privacy Rule applies to patient information in virtual care settings
The HIPAA Privacy Rule controls how PHI may be used and disclosed. In telehealth, this means providers must still protect patient confidentiality, apply appropriate access controls, use or disclose information only for permitted purposes, and follow the minimum necessary standard where relevant.
A virtual consultation should be treated with the same seriousness as an in-person appointment. Staff should avoid discussing patient details where others can hear, should confirm patient identity when needed, and should make sure any notes, files, or messages are handled through approved systems.
How the HIPAA Security Rule applies to electronic PHI transmitted in telehealth
The HIPAA Security Rule focuses on electronic protected health information, often called ePHI. Telehealth creates and transmits ePHI constantly. Video, chat, digital forms, images, recordings, clinical notes, appointment links, and platform logs may all involve electronic patient information.
The Security Rule's ePHI obligations therefore apply in full to remote care and require administrative, physical, and technical safeguards. These include risk analysis, access management, workforce training, device security, encryption where appropriate, audit controls, and secure authentication.
The COVID-19 enforcement discretion period — what changed permanently and what reverted
During the COVID-19 public health emergency, the Office for Civil Rights announced enforcement discretion for certain good-faith uses of non-public-facing remote communication technologies. This helped providers deliver care quickly during a crisis.
However, that emergency approach was not a permanent replacement for HIPAA compliance. Telehealth teams should not rely on pandemic-era assumptions such as “any video tool will do.” Providers now need to use compliant platforms, proper safeguards, and appropriate vendor agreements.
How do HIPAA requirements differ between telehealth and in-person care?
The same HIPAA principles apply, but the risk environment changes. In-person care usually happens in a clinic, hospital, or practice setting. Telehealth depends on remote devices, home networks, third-party platforms, and patient-controlled spaces.
Patient environment risks — what clinicians must consider about the patient’s home setting
Patients may join a consultation from a bedroom, workplace, car, public area, or shared home. Other people may be nearby. A clinician cannot control the patient’s environment in the same way they can control an exam room.
Providers should encourage patients to join from a private location where possible. They may also ask whether the patient is comfortable speaking freely. This is especially important for sensitive appointments involving mental health, reproductive health, domestic abuse, substance use, or complex diagnoses.
Provider environment risks — home offices, shared spaces, and remote working under HIPAA
Clinicians and support staff working remotely must also protect PHI. A home office should not expose patient information to family members, visitors, housemates, or unauthorised devices.
Good practice includes using headphones, locking screens, keeping paper notes secure, avoiding shared computers, using approved networks or virtual private networks where required, and ensuring conversations cannot be overheard. HIPAA obligations for remote healthcare work should be built into staff policies and training, not left to individual judgement.
Notice of Privacy Practices in a virtual care context — how and when to provide it
Patients should be given access to the organisation’s Notice of Privacy Practices. In telehealth, this may be provided through a patient portal, appointment confirmation email, website, intake form, or digital registration process.
The notice should be easy to find and written in clear language. It should explain how patient information may be used and disclosed, including in virtual care settings where relevant.
Recording and storing telehealth consultations — retention, access, and authorisation requirements
Recording a telehealth session creates additional privacy and security risk. The recording may include video, audio, clinical details, images, documents, and identifiable patient information.
Before recording, organisations should check whether recording is clinically necessary, whether patient consent or authorisation is required, how the recording will be stored, who can access it, how long it will be retained, and how it will be deleted. Recordings should not be stored casually on local devices, personal drives, or unapproved cloud accounts.
Third-party platforms and the Business Associate Agreement obligation
Telehealth platforms often process PHI on behalf of healthcare providers. If a vendor creates, receives, maintains, or transmits PHI for a covered entity, the vendor is likely a business associate, and the Business Associate Agreement requirement may apply to that telehealth relationship.
The agreement should set out permitted uses and disclosures, safeguards, breach reporting duties, subcontractor controls, and return or destruction of PHI when the relationship ends. A platform claiming to be “secure” is not enough. The organisation should confirm whether the vendor will sign an appropriate Business Associate Agreement.
Which telehealth platforms are HIPAA-compliant and how do you choose the right one?
There is no single official list of HIPAA-compliant telehealth platforms. Compliance depends on how the platform is designed, configured, contracted, and used.
What makes a video conferencing platform HIPAA-compliant — the technical requirements
HIPAA video consultation compliance requires appropriate safeguards for ePHI. A suitable platform should support secure access, encryption, user authentication, access controls, audit logs, session controls, and administrative management.
It should also allow the organisation to control who can join appointments, how links are shared, whether sessions can be recorded, and where data is stored.
Business Associate Agreements for telehealth vendors — what they must contain
A Business Associate Agreement should clearly define the vendor’s responsibilities. It should explain how PHI can be used, how it must be protected, what happens if there is a breach, whether subcontractors are involved, and how data will be returned or destroyed.
IT, compliance, legal, and procurement teams should review vendor terms before deployment. A common mistake is letting clinical teams adopt a video tool quickly without checking the contract or data flows.
End-to-end encryption, access controls, and audit logging — what to look for
Telehealth data security should include strong technical controls. Look for encryption in transit and at rest where appropriate, multi-factor authentication, role-based access, audit logging, secure waiting rooms, meeting locks, unique appointment links, and controls over recordings and downloads.
Audit logs are especially important because they help show who accessed information, when, and from where. Without logs, investigating incidents becomes much harder.
Consumer platforms vs healthcare-grade software — understanding the compliance gap
Many consumer communication tools are designed for convenience, not healthcare compliance. They may lack Business Associate Agreements, healthcare-specific access controls, retention settings, audit trails, or administrative oversight.
Healthcare-grade telehealth software is usually designed with PHI workflows in mind. However, even healthcare-grade tools must be configured properly. A compliant platform used carelessly can still create risk.
How should telehealth teams handle PHI during and after virtual consultations?
Telehealth creates more data points than many people realise. PHI may appear in video, audio, chat, uploaded files, screen sharing, forms, recordings, and clinical notes.
Chat messages sent during a video consultation — are they classified as PHI?
Chat messages may be PHI if they include identifiable patient information connected to health, treatment, payment, or care. A patient typing symptoms, medication names, insurance details, or images into a chat may be creating PHI.
Telehealth teams should decide whether chat is enabled, whether chat transcripts are stored, whether they become part of the medical record, and who can access them.
Screen sharing and incidental disclosure risks in a virtual appointment environment
Screen sharing can be useful, but it can also disclose more than intended. A clinician may accidentally show another patient’s record, an inbox, internal notes, or unrelated files.
Staff should close unnecessary windows, use only approved systems, and share specific application windows rather than entire desktops where possible. Training should include safe screen-sharing habits.
Patient-submitted images, documents, and files — handling attachments securely
Patients may upload photographs, forms, test results, insurance cards, identification documents, or clinical images. These files may contain PHI and should be handled through secure channels.
Avoid asking patients to send sensitive documents through personal email, unsecured messaging apps, or informal channels unless the organisation has assessed and approved that method. Files should be stored in approved systems with appropriate access controls.
Recording clinical consultations — patient consent requirements, storage, and access controls
Recording should not be a default setting unless there is a clear policy and lawful purpose. Patients should understand whether a session is being recorded and why.
If recordings are retained, they should be protected like other PHI. This means secure storage, limited access, retention rules, deletion procedures, and auditability.
What security safeguards must telehealth organisations implement under HIPAA?
HIPAA security is not only an IT responsibility. It combines people, processes, and technology.
Administrative safeguards — policies, workforce training, and access management
Administrative safeguards include risk analysis, privacy and security policies, incident response procedures, workforce training, vendor management, and access governance.
Telehealth teams should be trained on remote care scenarios, not just general HIPAA rules. Training should cover video appointments, remote work, patient identity checks, file sharing, recordings, chat, and breach escalation.
Physical safeguards — device security for clinicians working remotely
Physical safeguards apply even outside the clinic. Staff working from home should protect laptops, tablets, phones, paper notes, and any devices used to access ePHI.
Devices should be locked when not in use, stored securely, and protected against theft or unauthorised viewing. Staff should avoid using shared family devices for telehealth work.
Technical safeguards — encryption standards, multi-factor authentication, and audit controls
Technical safeguards help protect ePHI from unauthorised access. Telehealth organisations should use strong passwords, multi-factor authentication, role-based permissions, secure networks, encryption where appropriate, audit controls, session timeouts, and regular access reviews.
IT teams should also review integrations between the telehealth platform, electronic health record, scheduling system, billing system, and cloud storage. A weak integration can expose PHI even if the video platform itself is secure.
Breach response in a telehealth environment — what to do and who to notify
Telehealth breaches may involve unauthorised access to sessions, stolen devices, misdirected files, compromised accounts, exposed recordings, or vendor incidents.
The organisation should have a clear breach response process. Staff must know how to report concerns quickly. The privacy or security team should assess what happened, what PHI was involved, whether notification is required, and how to prevent recurrence.
FAQs
Are text message or SMS consultations with patients covered by HIPAA?
Yes, they can be. If a text message contains PHI and is sent by or on behalf of a covered entity, HIPAA may apply. Organisations should use approved communication tools and explain risks to patients where relevant. Standard SMS may create privacy and security concerns, so teams should follow internal policy before using it for clinical communication.
What should a telehealth team do if a session is accessed or recorded without authorisation?
The team should report the incident immediately through the organisation’s privacy or security process. The organisation should assess what happened, whether PHI was exposed, who accessed or recorded the session, whether notification is required, and what corrective actions are needed.
Does HIPAA apply to telehealth services provided to patients located outside the United States?
HIPAA applies to covered entities and business associates subject to HIPAA, regardless of whether a particular patient is temporarily outside the United States. However, services provided internationally may also trigger other privacy, licensing, data transfer, and local healthcare laws. Organisations should seek appropriate legal and compliance advice for cross-border telehealth.
Conclusion
Telehealth compliance is not simply a matter of applying old processes to a new delivery channel. The same HIPAA principles apply, but the risks are different. PHI moves through platforms, home offices, cloud services, remote devices, patient uploads, chat messages, and recordings. Each creates privacy and security questions that traditional clinic-based workflows were not designed to answer.
A strong telehealth compliance programme should address platform selection, Business Associate Agreements, remote work safeguards, patient privacy notices, session security, file handling, recording rules, staff training, and breach response. It should also bring clinical, IT, compliance, and operational teams together.
Organisations that get this right protect patients, strengthen trust, and reduce regulatory risk. They also create a more reliable foundation for virtual care as telehealth continues to grow.
Is your telehealth team fully equipped to meet HIPAA’s privacy and security requirements? Build your team’s confidence with our HIPAA Privacy and Security for Telehealth Teams course, designed specifically for remote and hybrid healthcare environments.
For wider support, explore HIPAA Privacy Rule For Healthcare Front Desk And Admin Staff, Cyber Incident Response & Data Breach Management, and Cloud Privacy & Data Security Essentials.