HIPAA Compliance Checklist for Telehealth Providers

The PHE enforcement discretion that allowed FaceTime, Skype, and consumer Zoom expired in May 2023. You must use a platform that signs a BAA and provides end-to-end encryption. Options include Zoom for Healthcare, Doxy.me, Teladoc Health, Amwell, SimplePractice Telehealth, and VSee.

Not all 'encrypted' platforms use end-to-end encryption. Verify that video, audio, chat, and file-sharing features within the platform are encrypted in transit and that the vendor cannot access unencrypted content. Request documentation from the vendor.

Your SRA must cover the telehealth platform, patient portal, scheduling system, provider devices (home offices, mobile), network security, and any third-party integrations. Remote provider locations introduce risks that in-office environments do not.

If you record telehealth sessions for quality assurance or clinical documentation, you must obtain explicit patient consent in advance. Thirty-eight states have specific recording consent laws (one-party vs. two-party). HIPAA requires the recording to be treated as PHI — encrypted, access-controlled, and included in your retention policy.

Providers must be licensed in the state where the patient is located at the time of the visit. The Interstate Medical Licensure Compact (IMLC) covers 42 states for physicians. Psychologists have PSYPACT (41 jurisdictions). Verify your license covers every state where you see patients remotely.

For telehealth-only practices, the officer must understand both clinical privacy requirements and the technical security of remote delivery platforms. Document the designation in writing.

Providers conducting telehealth from home must ensure the session is private (no family members or visitors overhearing), the screen cannot be viewed by unauthorized persons, and the device is encrypted with a strong password. Develop a remote workplace security policy.

Unlike in-person visits, telehealth carries impersonation risk. Verify patient identity at the start of each session using at least two identifiers (name + date of birth, or photo ID on camera). Document your verification method.

Laptops, tablets, and smartphones used for virtual visits must have full-disk encryption enabled. This applies to both practice-owned and BYOD devices. A lost unencrypted device is a reportable breach.

Training must cover platform security features, proper session setup (private location, headphones, locked screen), what to do if a session is interrupted or overheard, and how to handle technical failures that expose PHI.

Every vendor in the telehealth stack needs a BAA: video platform, patient portal, scheduling software, EHR, secure messaging, cloud storage, and any analytics tools that process PHI. Audit your entire vendor list.

Telehealth breaches may involve session interception, unauthorized screen sharing, or platform vulnerabilities. Define investigation steps specific to virtual care, including how to determine if a session was compromised and notification timelines.

Informed consent for telehealth should explain technology risks (connection failures, privacy limitations of the patient's environment), data storage practices, emergency procedures if the patient needs in-person care, and the patient's right to refuse virtual treatment.

Providers should use secure, private Wi-Fi networks — never public Wi-Fi. If a VPN is available, require its use. Configure firewalls to restrict unnecessary traffic on devices used for patient care.

Telehealth technology evolves rapidly. Any platform migration, feature update, or new integration should trigger a policy review. Annual reviews should verify that all BAAs are current, encryption standards meet current recommendations, and state licensing is maintained.