Post‑COVID Telehealth HIPAA Rules: What Changed After the Public Health Emergency
The COVID‑19 Public Health Emergency (PHE) ended on May 11, 2023, closing the chapter on broad pandemic flexibilities and resetting expectations for HIPAA compliance in telehealth. Since then, federal policy has evolved: HIPAA Enforcement Discretion expired with a short transition period, while Congress extended many Medicare telehealth flexibilities—first through December 31, 2024, and later through December 31, 2027. This guide explains what changed, what stayed, and what you must do now to meet HIPAA Compliance Requirements while sustaining access to virtual care. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html))
End of HIPAA Enforcement Discretion
During the PHE, OCR exercised Enforcement Discretion, allowing the good‑faith use of non‑public‑facing apps (for example, mainstream video tools) for telehealth without penalties for certain HIPAA noncompliance. That policy expired at 11:59 p.m. on May 11, 2023, when the PHE ended. As of that date, full HIPAA Privacy, Security, and Breach Notification Rules again apply to telehealth—without the broad flexibility that characterized the PHE. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html))
OCR's separate guidance on audio‑only telehealth (issued in June 2022) remains in force; it clarifies when phone‑based care is permissible and which HIPAA safeguards apply. Providers must now align every virtual encounter, video or audio‑only, with the standard HIPAA rules rather than the PHE‑era flexibilities. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html))
Transition Period Requirements
OCR provided a 90‑day transition period—from May 12 through 11:59 p.m. on August 9, 2023—to help providers shift from PHE‑era tools to HIPAA‑appropriate platforms. After August 9, 2023, penalties may apply for noncompliance related to telehealth. If you continued using a consumer app past that date without proper safeguards or a Business Associate Agreement (BAA) where required, you assumed enforcement risk. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html))
Practical steps included: moving to platforms willing to sign BAAs; updating security risk analyses; enabling access controls and audit logs; refreshing workforce training; and tightening vendor oversight. These actions are no longer optional—they are baseline expectations under the HIPAA Security Rule. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
Medicare Telehealth Flexibilities
What Congress did for 2023–2024
The Consolidated Appropriations Act, 2023 extended several Medicare telehealth flexibilities through December 31, 2024. Key elements included removing geographic and originating‑site restrictions (letting patients receive telehealth from home), expanding eligible practitioner types, allowing FQHCs and RHCs to serve as distant‑site providers, delaying certain in‑person visit requirements for telemental health, and permitting audio‑only telehealth visits in defined circumstances. ([cms.gov](https://www.cms.gov/newsroom/fact-sheets/cms-waivers-flexibilities-and-transition-forward-covid-19-public-health-emergency?utm_source=openai))
What changed after 2024
After a series of short‑term extensions, the Consolidated Appropriations Act, 2026 extended the core Medicare telehealth authorities through December 31, 2027. The statute continued the waivers of geographic and originating‑site limits, maintained expanded practitioner eligibility, kept FQHC/RHC distant‑site status, delayed the in‑person requirements for behavioral health into 2028, and preserved the audio‑only allowances under Section 1834(m)(9) of the Social Security Act. ([congress.gov](https://www.congress.gov/bill/119th-congress/house-bill/7148/text))
Bottom line: While HIPAA enforcement returned to pre‑PHE rigor in 2023, Medicare coverage flexibilities for telehealth largely continued—and now run through the end of 2027—helping sustain access and reimbursement as providers standardize compliant technologies. ([congress.gov](https://www.congress.gov/bill/119th-congress/house-bill/7148/text))
HIPAA Compliance Obligations
Post‑PHE, telehealth must meet the same HIPAA requirements as any other electronic handling of PHI; there is no separate, lighter standard for virtual care. At a minimum, you should:
- Complete and document a risk analysis and risk management plan covering telehealth workflows, devices, and data flows. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
- Use vendors that will sign BAAs when they create, receive, maintain, or transmit PHI; flow down requirements to subcontractors. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions?utm_source=openai))
- Implement administrative, physical, and technical safeguards (for example, unique user IDs, access control, audit logs, integrity controls, transmission security). ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
- Train your workforce on updated telehealth policies, authentication practices, and privacy etiquettes (for example, confirming patient identity and environment). ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
- Follow OCR’s audio‑only guidance when care is delivered by phone or VoIP. Under that guidance the Security Rule does not reach a call placed over a traditional landline, but it does apply when the call uses electronic communication technology (VoIP, a smartphone app, an internet‑based service) or when the session is recorded or transcribed electronically, because ePHI is then created, stored, or transmitted. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html?utm_source=openai))
Telehealth Technology Standards
HIPAA is risk‑based and technology‑neutral, but your telehealth stack should reflect current security best practices mapped to the Security Rule. Focus on capabilities rather than brand names:
- Encryption in transit and at rest with modern protocols; secure key management; and breach‑safe harbor considerations when data are properly encrypted. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/health-information-technology/cloud-computing/index.html?utm_source=openai))
- Strong identity and access management (unique IDs, multi‑factor where feasible, role‑based permissions) and robust session timeouts. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
- Comprehensive audit logging for access and activity, plus regular log review and incident response testing. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
- Device and endpoint controls for clinicians and staff (patching, disk encryption, MDM where appropriate), including home‑based workstations used for telehealth. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
- Data minimization and retention policies that match clinical, legal, and payer needs—especially for recorded sessions, chat transcripts, and images. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
For implementation guidance and mappings to the NIST Cybersecurity Framework and SP 800‑53 controls, use NIST SP 800‑66 Revision 2 as your primary reference to operationalize Telehealth Privacy and Security. ([csrc.nist.gov](https://csrc.nist.gov/pubs/sp/800/66/r2/final?utm_source=openai))
Impact on Healthcare Providers
Operationally, the end of Enforcement Discretion meant sunsetting consumer video apps unless a compliant configuration and BAA exist, renegotiating vendor contracts, updating workflows (consent, scheduling, rooming), and re‑training staff. Clinically, Medicare’s extended coverage stabilized virtual care access, supporting patient choice and continuity—especially for behavioral health and rural patients—while you invest in mature, secure platforms. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html))
Financially, expect ongoing billing and coding updates as CMS refines telehealth policy through annual rulemaking and statutory changes. Keep governance and compliance teams aligned with IT and revenue cycle to monitor changes and update policies promptly. ([congress.gov](https://www.congress.gov/bill/119th-congress/house-bill/7148/text))
Future Regulatory Outlook
Through December 31, 2027, most Medicare telehealth authorities remain in place, including audio‑only allowances and broadened originating‑site rules. Stakeholders continue to push for permanent reforms, while CMS uses annual Physician Fee Schedule rulemaking to refine coverage and supervision policies. Expect additional guidance on coding, modifiers, and platform transparency as directed by statute. ([congress.gov](https://www.congress.gov/bill/119th-congress/house-bill/7148/text))
FAQs
What are the key HIPAA changes post-COVID telehealth?
OCR’s pandemic‑era Enforcement Discretion ended on May 11, 2023, and the 90‑day transition closed on August 9, 2023. Since August 10, 2023, full HIPAA rules apply to telehealth: use HIPAA‑appropriate platforms, execute BAAs with vendors handling PHI, maintain required safeguards, and follow OCR’s audio‑only telehealth guidance. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html))
How does the expiration of the PHE affect telehealth compliance?
The expiration of the PHE removed the broad compliance leeway. You must conduct a telehealth‑specific risk analysis, ensure encryption and access controls, keep audit logs, train staff, and manage vendors via BAAs. Medicare coverage flexibilities persist by statute, but they do not relax HIPAA obligations. ([cms.gov](https://www.cms.gov/newsroom/fact-sheets/cms-waivers-flexibilities-and-transition-forward-covid-19-public-health-emergency?utm_source=openai))
What Medicare telehealth flexibilities are extended through 2024?
Under the Consolidated Appropriations Act, 2023, Medicare extended key flexibilities through December 31, 2024: no geographic or originating‑site limits (home allowed), expanded practitioner eligibility, FQHC/RHC distant‑site authority, delayed in‑person requirements for certain telemental health, and allowance for specified audio‑only services. Later laws extended many of these further, but the 2024 extensions stem from the 2023 Act. ([cms.gov](https://www.cms.gov/newsroom/fact-sheets/cms-waivers-flexibilities-and-transition-forward-covid-19-public-health-emergency?utm_source=openai))