HIPAA Compliance When Transitioning to Telehealth: Checklist and Best Practices

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

HIPAA Compliance When Transitioning to Telehealth: Checklist and Best Practices

Kevin Henry

HIPAA

September 24, 2025

8 minutes read
Share this article
HIPAA Compliance When Transitioning to Telehealth: Checklist and Best Practices

HIPAA Compliance Overview

Telehealth expands access to care, but it also extends your responsibility to safeguard Protected Health Information. HIPAA applies wherever care is delivered, so your virtual workflows must protect Electronic Protected Health Information (ePHI) the same way your in‑office systems do.

Start with the core rules: the HIPAA Privacy Rule governs how PHI may be used or disclosed, while the HIPAA Security Rule requires administrative, physical, and technical safeguards for ePHI. The Breach Notification Rule sets obligations when unsecured PHI is compromised. Together, these rules shape policy, technology, and day‑to‑day behavior in telehealth.

Checklist

  • Identify all telehealth data flows touching PHI and ePHI (video, chat, messaging, images, RPM feeds).
  • Apply the minimum necessary standard and role‑based access to limit who can see what.
  • Document policies for remote care, privacy practices, and sanction procedures.
  • Map vendors handling ePHI and secure a Business Associate Agreement before use.
  • Retain required HIPAA documentation and revisions for at least six years.

Telehealth Security Measures

Security must meet patients where they are—home Wi‑Fi, mobile devices, and third‑party platforms. Focus on strong identity, encrypted communications, hardened endpoints, and continuous monitoring to protect sessions end to end.

Platform and session safeguards

  • Require TLS 1.2+ for all telehealth sessions; enable encryption at rest for stored ePHI.
  • Use unique meeting links, waiting rooms, and provider‑controlled admit features.
  • Disable recording by default; if recording is necessary, restrict access and set retention limits.

Access and identity controls

  • Enforce unique user IDs, strong passwords, and multi‑factor authentication for all remote access.
  • Implement least‑privilege, role‑based permissions and session timeouts.
  • Review access rights routinely and terminate promptly when roles change.

Endpoint and device hardening

  • Use full‑disk encryption, automatic locking, and mobile device management on workforce devices.
  • Keep operating systems and apps patched; block risky browser extensions and USB storage.
  • Require private spaces, headsets, and screen privacy filters to prevent shoulder‑surfing.

Network and environment

  • Use secure, segmented networks and VPNs for administrative access to ePHI systems.
  • Filter malicious traffic with next‑gen firewalls and DNS protection.
  • Back up critical systems with tested, immutable backups and defined recovery objectives.

Monitoring and audit

  • Enable audit logs for logins, data access, and administrative actions across EHR, telehealth, and storage.
  • Aggregate logs in a SIEM; alert on anomalies like unusual access times or bulk exports.
  • Review logs routinely and document findings and remediation.

Consent in telehealth has two layers: clinical informed consent for the service itself and HIPAA permissions for how PHI is used or disclosed. Obtain and document both in ways that fit your workflow and state requirements.

Elements to cover

  • Nature of telehealth, technology used, benefits, limitations, and alternatives.
  • Privacy and security risks (e.g., home environment, networks, recording policy).
  • Emergency plans if technology fails and how to reschedule or escalate care.

Documentation standards

  • Capture written or verbal consent; for verbal, note date, time, participants, and content in the EHR.
  • Provide or reference the Notice of Privacy Practices; obtain a HIPAA authorization for uses beyond treatment, payment, and health care operations.
  • Re‑obtain consent if technology, risks, or policies materially change.
  • Automate pre‑visit consent via patient portals or intake forms with identity verification.
  • Use standardized, plain‑language scripts; offer translated versions as needed.
  • Audit a sample of encounters monthly to confirm proper consent capture.

Staff Training Requirements

The HIPAA Privacy Rule and HIPAA Security Rule require workforce training tailored to roles. Telehealth adds scenarios—remote workspaces, video etiquette, and platform features—that standard training often misses.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Core topics

  • Recognizing PHI and ePHI; minimum necessary; permitted vs. prohibited disclosures.
  • Secure telehealth practices: verifying identity, controlling screen share, handling chat and attachments.
  • Remote workstation security, phishing awareness, and reporting suspicious activity.

Role‑based and ongoing

  • Provide specialized modules for schedulers, clinicians, IT admins, and billing teams.
  • Reinforce with micro‑learning, simulated phishing, and policy acknowledgments.
  • Maintain training records, competency checks, and sanction logs.

Risk Assessment Strategies

A documented Risk Analysis is the backbone of telehealth compliance. It identifies where ePHI resides, the threats and vulnerabilities affecting it, and the likelihood and impact of adverse events—then drives prioritized mitigation.

How to conduct a Risk Analysis

  • Inventory assets: platforms, EHR, messaging, storage, RPM devices, staff devices, and data flows.
  • Identify threats and vulnerabilities: misconfiguration, weak auth, home networks, lost devices, vendor gaps.
  • Evaluate likelihood and impact; assign risk levels; document assumptions and evidence.
  • Produce a risk management plan with owners, timelines, and acceptance criteria.

Telehealth‑specific focus areas

  • Video platform settings, meeting controls, and recording policies.
  • Bring‑your‑own‑device exposure and compensating controls.
  • Third‑party integrations (e‑prescribing, labs, transcription) and data minimization.

Operationalize and iterate

  • Track corrective actions to completion; verify effectiveness.
  • Reassess after major changes, new vendors, or security events.
  • Report risk metrics to leadership and update policies accordingly.

Business Associate Agreements

Any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate. You must execute a Business Associate Agreement (BAA) with each such vendor before using the service in production.

Who typically needs a BAA

  • Telehealth platform providers, cloud storage and backup services, EHR and patient portal vendors.
  • Transcription, translation, analytics, and contact center vendors handling PHI.
  • Subcontractors of your vendors who also touch ePHI.

BAA essentials

  • Permitted uses/disclosures, safeguard obligations, and breach/incident reporting timelines.
  • Subcontractor flow‑down requirements and right to audit or obtain compliance attestations.
  • Termination, return/secure destruction of PHI, and cooperation in investigations.

Due diligence tips

  • Review security whitepapers and independent assessments; validate encryption, access controls, and logging.
  • Confirm data location, retention defaults, and options to disable recordings or exports.
  • Test vendor controls in your environment before wide rollout.

Incident Response Planning

Incidents happen—lost devices, misdirected messages, or compromised accounts. A tested plan minimizes harm, speeds recovery, and ensures compliance with the Breach Notification Rule when a breach of unsecured PHI occurs.

Prepare

  • Define roles, decision trees, and on‑call contacts; pre‑draft patient and regulator notifications.
  • Catalog critical systems and data to prioritize containment and recovery.
  • Run tabletop exercises covering telehealth scenarios (e.g., hijacked meeting link, exposed chat logs).

Detect and analyze

  • Use alerts from EHR, telehealth, IAM, and email security to spot anomalies.
  • Conduct a breach risk assessment: what PHI was involved, who received it, whether it was actually viewed, and mitigation steps taken.
  • Decide quickly if the event is a reportable breach or a security incident without compromise.

Contain, eradicate, recover

  • Revoke credentials, force MFA resets, and disable exposed links or APIs.
  • Wipe or quarantine affected devices; restore from clean, verified backups.
  • Document timelines, actions, and evidence to support post‑mortems and required notifications.

Breach Notification Rule essentials

  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • Notify HHS as required; for 500+ individuals in a state/jurisdiction, also notify prominent media.
  • Log breaches affecting fewer than 500 individuals and submit annually as required.
  • Coordinate with state laws and payers that may impose additional timelines or content requirements.

Conclusion

Successful telehealth programs weave policy, technology, and behavior into a single privacy‑first experience. By aligning your workflows to the HIPAA Privacy Rule and HIPAA Security Rule, executing strong BAAs, conducting rigorous Risk Analysis, and rehearsing incident response under the Breach Notification Rule, you protect patients and your organization while enabling convenient, high‑quality virtual care.

FAQs.

What are the key HIPAA requirements for telehealth?

Apply the HIPAA Privacy Rule to govern permissible uses/disclosures and the HIPAA Security Rule to protect ePHI with administrative, physical, and technical safeguards. Execute a Business Associate Agreement with any vendor handling ePHI, perform a documented Risk Analysis with ongoing risk management, train your workforce, and follow the Breach Notification Rule if unsecured PHI is compromised.

Provide informed consent covering the nature of telehealth, benefits, risks, alternatives, and your privacy practices. Capture written or clearly documented verbal consent in the EHR, verify identity at the start of the visit, and re‑obtain consent if material changes occur. Use a standardized script and pre‑visit intake to streamline the process and ensure consistency.

What security measures ensure HIPAA compliance in telehealth?

Use encrypted connections, MFA, and role‑based access; harden and manage endpoints with full‑disk encryption and patching; configure telehealth platforms with unique meeting links, waiting rooms, and recordings disabled by default; centralize audit logging and alerts; and back up critical systems with tested recovery plans.

How should incidents be reported under HIPAA rules?

Activate your incident response plan, investigate, and conduct a breach risk assessment. If it’s a reportable breach of unsecured PHI, notify affected individuals without unreasonable delay and within 60 days, notify HHS as required, and for large breaches also notify relevant media. Document actions taken and incorporate lessons learned into policies and training.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles