Telehealth and HIPAA Compliance for Providers in 2025



Kevin Henry

HIPAA

October 15, 2025

6 minutes read

HIPAA Enforcement Discretion Expiration

OCR’s COVID‑era HIPAA enforcement discretion for telehealth ended at 11:59 p.m. on May 11, 2023, with a 90‑day transition period that expired August 9, 2023. Since then, full HIPAA compliance applies to remote care, including business associate agreements (BAAs), security controls, and proper risk analysis for any platform you use. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html?utm_source=openai))

Key actions for 2025: use platforms that sign BAAs, enable encryption in transit, restrict access with unique IDs and 2‑factor authentication, log/audit remote sessions, and update your security risk analysis to reflect telehealth workflows and vendors.

Be cautious with online trackers. A federal court vacated OCR’s 2024 “online tracking technologies” bulletin to the extent it treated a visitor’s IP address on unauthenticated pages as PHI; however, HIPAA still governs tracking on authenticated pages (e.g., portals), and sharing PHI with third parties without a valid permission or BAA remains prohibited. ([aha.org](https://www.aha.org/news/news/2024-06-20-judge-rules-favor-aha-vacating-hhs-online-tracking-bulletin-unlawful-and-beyond-agency-authority?utm_source=openai))

Medicare Telehealth Policy Updates

Congress extended many Medicare telehealth coverage flexibilities through September 30, 2025. Until then, most non‑behavioral services may be delivered to patients in their homes with no geographic restrictions; a broad set of practitioners can furnish telehealth; and audio‑only is allowed for certain non‑behavioral services. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/billing-and-reimbursement/medicare-payment-policies?utm_source=openai))

Safety‑net providers: FQHCs and RHCs may serve as distant‑site providers for non‑behavioral telehealth through September 30, 2025, paid at national average PFS rates through December 31, 2025. Teaching‑physician virtual presence is also extended in 2025. Plan now for potential policy changes after October 1, 2025 if Congress does not act again. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates?utm_source=openai))

Behavioral Health Telehealth Reimbursements

Behavioral health telehealth retains permanent flexibilities: the patient’s home is an eligible originating site; FQHCs/RHCs can be distant sites; and audio‑only delivery is permitted in defined situations. Marriage and Family Therapists and Mental Health Counselors are permanently eligible Medicare distant‑site providers. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/billing-and-reimbursement/medicare-payment-policies?utm_source=openai))

In‑person visit requirements tied to telemental health are waived through September 30, 2025 (and for FQHCs/RHCs until January 1, 2026). Confirm payer‑specific rules and document when audio‑only is used because the patient cannot or does not consent to video. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates?utm_source=openai))

Controlled Substance Telemedicine Prescribing

DEA and HHS extended the COVID‑19 telemedicine flexibilities for prescribing schedule II–V controlled substances without a prior in‑person exam through December 31, 2025, under defined conditions. Maintain EPCS, check PDMPs as required, and document telemedicine encounters carefully. ([federalregister.gov](https://www.federalregister.gov/documents/2024/11/19/2024-27018/third-temporary-extension-of-covid-19-telemedicine-flexibilities-for-prescription-of-controlled?Utm_campaign=20250116&Utm_content=&utm_medium=email&utm_source=openai))

In 2025, DEA issued a final rule specific to buprenorphine and proposed a special registration framework, but effective dates were delayed; the temporary flexibilities remain the operative standard as of September 2025. Monitor DEA’s telemedicine rulemakings and your state rules, which may impose stricter conditions. ([aha.org](https://www.aha.org/news/headline/2025-01-15-hhs-dea-release-rules-related-telemedicine-prescribing-controlled-substances?utm_source=openai))


State-Level Privacy Protections

Beyond HIPAA, state reproductive health data laws now shape telehealth privacy. Washington’s My Health My Data Act (MHMDA) broadly regulates consumer health data, bans geofencing around health facilities, and allows a private right of action; most obligations took effect March 31, 2024 (June 30, 2024 for small businesses). ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy?utm_source=openai))

Nevada’s SB 370 (effective March 31, 2024) imposes consent, notice, and security duties for “consumer health data” and restricts geofencing; it is enforced as an unfair or deceptive practice. Connecticut’s law prohibits geofencing near mental, reproductive, or sexual health facilities. California AB 352 requires segmentation and access limits for sensitive services (abortion, contraception, gender‑affirming care) and restricts out‑of‑state disclosures. Align your privacy notices, consents, and vendor contracts accordingly. ([legiscan.com](https://legiscan.com/NV/bill/SB370/2023?utm_source=openai))

FTC Health Breach Notification Rule

Since July 29, 2024, the updated FTC Health Breach Notification Rule covers many health apps and direct‑to‑consumer tools outside HIPAA, treats unauthorized disclosures as “breaches,” and tightens timing and content of notices (including concurrent FTC notice for incidents affecting 500+ people). Telehealth programs that operate consumer‑facing apps must assess HBNR applicability alongside HIPAA. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/16/part-318?utm_source=openai))

Enforcement has teeth: recent FTC cases against GoodRx and Premom illustrate risk when tracking tools or vendors leak health data without valid consent or notice. Build breach‑response playbooks that map data flows, third‑party SDKs, and API calls to ensure prompt and accurate notifications where required. ([ftc.gov](https://www.ftc.gov/news-events/news/press-releases/2024/04/ftc-finalizes-changes-health-breach-notification-rule?utm_source=openai))

Emerging AI Compliance in Telehealth

Agentic AI healthcare systems—automation that independently triages, schedules, drafts notes, or guides care—must be deployed within HIPAA’s safeguards, BAAs, and documented risk management. In certified health IT, ONC’s HTI‑1 rule replaces “CDS” with the “Decision Support Interventions” criterion on January 1, 2025, adding transparency about training data, intended use, and performance/fairness attributes for predictive tools. ([mondaq.com](https://www.mondaq.com/unitedstates/healthcare/1410638/hhs-onc-hti-1-final-rule-introduces-new-transparency-requirements-for-artificial-intelligence-in-certified-health-it?utm_source=openai))

By December 31, 2025, developers must update certified modules to the revised standards; further privacy/security requirements for DSI are slated for HTI‑2, with later effective timelines. Section 1557’s 2024 rule also bars discrimination via clinical algorithms and requires accessible telehealth for people with disabilities and limited English proficiency, a practical imperative for Medicaid telehealth and digital accessibility efforts. ([healthit.gov](https://www.healthit.gov/topic/certification-ehrs/onc-certification-criteria-health-it-regulatory-update-deadline?utm_source=openai))

Conclusion

In 2025, durable HIPAA obligations, time‑limited Medicare telehealth coverage flexibilities, evolving DEA telemedicine prescribing rules, stringent state reproductive health data laws, and the revised FTC Health Breach Notification Rule converge. Treat privacy, security, equity, and accessibility as core design criteria—especially as you scale agentic AI healthcare systems—so telehealth remains compliant, trustworthy, and patient‑centered. ([ada.gov](https://www.ada.gov/resources/2024-03-08-web-rule/?utm_source=openai))

FAQs

What platforms comply with HIPAA for telehealth in 2025?

HIPAA compliance depends on configuration and contracts, not brand names. Use platforms that will sign a BAA; support encryption, identity/access controls, audit logging, and secure storage; and can be configured to disable unnecessary data collection (e.g., trackers). Because HIPAA enforcement discretion ended in 2023, verify each vendor’s BAA and security posture before use. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html?utm_source=openai))

How does Medicare cover telehealth services this year?

Through September 30, 2025, Medicare allows most non‑behavioral telehealth to the patient’s home without geographic limits, supports a broad provider list, and permits audio‑only in defined cases. Many behavioral health flexibilities are permanent, and FQHCs/RHCs have special rules and payment through year‑end 2025. Watch for potential changes after October 1, 2025. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/billing-and-reimbursement/medicare-payment-policies?utm_source=openai))

Are in-person visits required for behavioral telehealth visits?

For Medicare, the in‑person visit requirement tied to telemental health is waived through September 30, 2025 (and for FQHCs/RHCs until January 1, 2026). Audio‑only behavioral health telehealth is permitted in defined circumstances. Check Medicaid and commercial payer policies, which can vary. ([telehealth.hhs.gov](https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates?utm_source=openai))

What are the state privacy laws affecting telehealth data?

Several states regulate “consumer health data” beyond HIPAA. Washington’s MHMDA and Nevada’s SB 370 impose consent, notice, and security duties and restrict geofencing; Connecticut bans geofencing around reproductive/mental health facilities; California AB 352 requires segmenting and limiting disclosures of sensitive services data. Map your data and vendors to each applicable law. ([atg.wa.gov](https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy?utm_source=openai))
