Telehealth and COVID: HIPAA Privacy Rule Best Practices for Covered Entities


Kevin Henry

HIPAA

February 16, 2025

7 minutes read

Telehealth surged during COVID-19, and temporary policy flexibilities helped care teams keep patients connected. As those flexibilities have ended, you must align your virtual care program with the HIPAA Privacy Rule while maintaining a smooth patient experience. This guide distills practical steps for covered entities to safeguard protected health information (PHI) and operate confidently.

HIPAA Privacy Rule Applicability to Telehealth

The HIPAA Privacy Rule is modality-agnostic: whether care is in person, video, or phone, the same rules for uses and disclosures of protected health information (PHI) apply. Telehealth encounters generate PHI beyond the clinical note—think device metadata, chat transcripts, images, and call recordings—so your policies must explicitly address these data flows.

  • Apply the minimum necessary standard to scheduling, triage, and follow-ups; share only what staff need to perform their role.
  • Rely on treatment, payment, and health care operations (TPO) where appropriate; obtain authorization for uses outside TPO (for example, marketing).
  • Verify patient identity and location at the start of each visit and document it in the record.
  • Issue and maintain an accurate Notice of Privacy Practices that describes telehealth data handling.
  • Execute business associate agreements when vendors create, receive, maintain, or transmit PHI on your behalf.

Enforcement Discretion During COVID-19

Beginning March 17, 2020, OCR announced enforcement discretion for the good-faith provision of telehealth using non‑public facing remote communication technologies. During that period, providers could use popular tools (for example, FaceTime or standard video chat) without penalties for HIPAA noncompliance, provided patients were informed of potential privacy risks and reasonable safeguards were enabled.

  • Permitted: non‑public facing apps used in good faith; not permitted: public‑facing platforms (e.g., TikTok, Twitch, open livestreams).
  • The federal COVID‑19 public health emergency ended May 11, 2023. OCR allowed a transition period through August 9, 2023; after that, enforcement discretion no longer applied.
  • Post‑transition, all telehealth operations must meet full HIPAA requirements, including vendor BAAs and configured security controls.

Transition to Full HIPAA Compliance

If you enabled consumer tools during the pandemic, formalize compliance with a structured plan. Start with a telehealth‑specific gap assessment and build a timeline that prioritizes higher‑risk workflows (recordings, texting, and cloud telephony) for remediation.

  • Perform a documented risk analysis focused on telehealth and implement risk management actions across people, process, and technology.
  • Replace or harden tools; secure messaging, video, and voice services should support encryption, access controls, audit logging, and reliable retention/deletion.
  • Execute or renew business associate agreements, including breach notification terms, subcontractor flow‑downs, and data location commitments.
  • Train your workforce on scripts, identity verification, and “minimum necessary” handling during virtual encounters and follow‑ups.
  • Test incident response and rehearse breach notification steps, aligning your timelines with state data breach notification obligations.

Use of HIPAA-Compliant Telehealth Platforms

Technical capabilities to prioritize

  • Strong encryption in transit and at rest, with modern ciphers and key management for recordings and chat content.
  • Unique user IDs, role‑based access, and multi‑factor authentication for staff; session timeouts and device‑level protections.
  • Comprehensive audit logs covering logins, access, changes, and exports, retained per policy for investigations.
  • Granular recording controls (off by default), watermarking, and retention schedules defined in policy.
  • Clear business associate agreements specifying permitted uses, security responsibilities, breach reporting, and subcontractor oversight.

Operational safeguards

  • Pre‑visit privacy checks: confirm patient location, preferred contact method, and consent for messages or callbacks.
  • Standardize telehealth security safeguards such as private spaces, headsets, “screen‑clean” practices, and PHI‑aware screen sharing.
  • Harden endpoints via MDM, patching, anti‑malware, and zero‑trust or VPN for remote staff.
  • Define retention and deletion for recordings, screenshots, and chat transcripts consistent with medical‑record laws and policy.

Privacy Considerations for Audio-Only Telehealth

The Privacy Rule always applies to audio‑only visits. Whether the Security Rule applies depends on the medium. Traditional landline calls may fall under HIPAA Security Rule exemptions, while calls over mobile phones, VoIP, or apps involve electronic PHI and therefore require Security Rule safeguards. Regardless of medium, treat call recordings, voicemails, and cloud call logs as PHI with controlled access and retention.

  • Verify identity with two identifiers; confirm a safe speaking environment and who else is present.
  • Use secure enterprise telephony; obtain BAAs with cloud voice providers and configure logging appropriately.
  • Adopt a voicemail and texting policy: limit details, avoid sensitive diagnoses, and offer secure alternatives when feasible.
  • Document patient preferences for unencrypted communications when applicable and educate on residual risks.

Patient Privacy Rights and Controls

Telehealth must preserve patient rights: access to records within 30 days, the ability to direct records to a third party, to request amendments, to request restrictions, to ask for confidential communications, and to receive an accounting of disclosures. Build these into your digital front door with clear instructions and streamlined processes.

  • Offer portal and phone workflows for requests; verify identity, track deadlines, and communicate status transparently.
  • Honor reasonable confidential communication requests (alternative numbers, secure messaging, or mailing addresses).
  • Explain how third‑party apps chosen by patients may fall outside HIPAA and what privacy controls remain available.

Vendor Management and Risk Assessment

Telehealth depends on vendors—video, voice, chat, e‑prescribing, and remote monitoring—so rigorous governance is essential. Treat vendor oversight as a living program that blends procurement, legal, security, and compliance.

  • Conduct due diligence: security questionnaires, independent attestations, penetration test summaries, and data‑flow diagrams.
  • Map PHI categories handled by each vendor and ensure business associate agreements flow down to subcontractors.
  • Perform and update a risk analysis; remediate with encryption, access controls, logging, and monitoring proportional to risk.
  • Set breach escalation paths and test joint incident response; align HIPAA timelines with state data breach notification requirements.
  • Define data residency, retention, and deletion in contracts; verify capabilities during onboarding and annually.

Conclusion

Telehealth can be both patient‑centered and privacy‑strong. By grounding your program in the Privacy Rule, adopting secure platforms, clarifying audio‑only responsibilities, empowering patient rights, and enforcing vendor and risk management discipline, you sustain trust and compliance beyond the pandemic era.

FAQs

What were the HIPAA enforcement discretion guidelines during COVID-19?

From March 17, 2020 through August 9, 2023, OCR exercised enforcement discretion for good‑faith telehealth using non‑public facing tools. Providers could use popular apps with reasonable safeguards and patient notice about privacy risks. After the transition period ended, full HIPAA compliance—including configured security controls and vendor BAAs—resumed for all telehealth operations.

How should covered entities manage telehealth vendor compliance?

Perform risk analysis on each vendor, execute business associate agreements with subcontractor flow‑downs, and verify security controls (encryption, access, logging, retention). Require prompt breach reporting, test joint incident response, and align contractual timelines with state data breach notification duties. Reassess vendors annually and document remediation.

Are audio-only telehealth services subject to HIPAA Security Rule?

It depends on the technology. Traditional landline calls may be outside the Security Rule, reflecting HIPAA Security Rule exemptions. Audio‑only services delivered over electronic media—mobile networks, VoIP, or apps—create or transmit ePHI and must meet Security Rule safeguards. The Privacy Rule applies in all cases.

What best practices protect patient privacy in telehealth?

  • Use HIPAA‑ready platforms with encryption, MFA, and audit logs; disable recording by default.
  • Verify identity, location, and who can hear the visit; apply the minimum necessary standard.
  • Adopt scripts for voicemail/texting; store the least data needed and delete on schedule.
  • Secure endpoints and networks; train staff and monitor for unusual access.
  • Maintain vendor BAAs, update your risk analysis regularly, and prepare for state data breach notification and HIPAA breach reporting.