Telehealth HIPAA Waivers Have Expired: What It Means and How to Stay Compliant
The federal flexibilities that once allowed rapid telemedicine adoption are over. With the telehealth HIPAA waivers expired, you must operate under full HIPAA Privacy, Security, and Breach Notification requirements. This guide translates the change into concrete actions so you can protect patients, reduce risk, and pass HIPAA Compliance Audits.
Use HIPAA-Compliant Telehealth Platforms
What changed now that waivers ended
Consumer video apps that lacked healthcare safeguards were temporarily tolerated. Post-expiration, you need platforms designed for regulated care—tools that contractually and technically protect ePHI and support Telehealth Data Protection across the full encounter lifecycle.
Platform requirements to prioritize
- Business Associate Agreement with the vendor that clearly covers permitted uses, safeguards, and breach duties.
- End-to-End Encryption for sessions in transit and robust encryption at rest for stored artifacts and logs.
- Unique user accounts, strong authentication, role-based access controls, and configurable waiting rooms/lobbies.
- Comprehensive audit logging (logins, joins, file shares, chat exports, administrative changes).
- Configurable data retention, default “no recording,” and controls that block unauthorized downloads and screenshots where possible.
- Administrative settings that enforce Telehealth Security Protocols across all users, including forced updates and session timeouts.
Implementation checklist
- Inventory your current tools; retire any platform that will not sign a Business Associate Agreement.
- Validate encryption, access controls, audit logs, and data residency in a security review before go-live.
- Lock settings: require meeting passcodes, disable “join before host,” limit screen share, and restrict file transfers.
- Integrate with your EHR for scheduling, documentation, and encounter metadata capture.
- Conduct a quick gap assessment against your Telehealth Security Protocols and remediate prior to your next audit cycle.
Obtain Explicit Patient Consent
What counts as valid consent
Consent must be informed, affirmative, and documented. Patient Consent Forms should explain telehealth’s nature, risks, benefits, privacy limits, technology used, potential charges, and what happens if technology fails. Use plain language and provide alternatives when appropriate.
Practical ways to capture and store consent
- Electronic signature within your portal or a secure e-form sent via authenticated link.
- Verbal consent at the start of the visit, documented verbatim in the note with date/time and witness if possible.
- Re-consent when you materially change platforms, workflows, or data-sharing practices.
Documentation essentials
- Record the consent type (e-sign, verbal), timestamp, and the exact statement patients agreed to.
- Link consent to the specific encounter and store it in the EHR for easy retrieval during HIPAA Compliance Audits.
- For minors or proxies, document authority to consent and verify identities for all parties.
Implement Secure Patient Authentication
Identity Authentication Methods
Use layered verification that balances risk and usability. Combine knowledge factors (DOB plus a unique passphrase), possession factors (one-time passcodes via authenticator app or SMS), and, when appropriate, inherence factors (biometrics). Step up security for sensitive services or high-risk scenarios.
Before and during the session
- Remote identity proofing for new patients (e.g., secure capture of a government ID plus a live selfie check).
- Unique meeting links and passcodes tied to the appointment; disable generic or reusable rooms.
- Enable waiting rooms, verify patient identity on entry, and lock the session after participants join.
Provider-side safeguards
- Enforce multi-factor authentication on all clinician accounts and admin consoles.
- Use managed, encrypted devices; block local recording unless expressly approved.
- Log all access attempts and alert on anomalies (e.g., unusual IPs or times).
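The alerting point above is usually implemented as a small rule set run over the platform's login audit trail. The following is an added example, not code from the original article or from any telehealth vendor: it parses a constructed audit log (the line format, the per-account baseline of known source IPs, the business-hours window, and the failure threshold are all assumptions) and raises the three alerts a reviewer would expect here: a successful login from an IP the account has never used, a successful login outside normal hours, and a success that follows a burst of failures on the same account.

```python
"""Login-anomaly alerts over a telehealth platform's audit log.

Added example (not the article's or any vendor's code). The log line
format, baseline IPs, business hours and thresholds are assumptions;
the log lines in SAMPLE_LOG are constructed, not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit line format: "<ISO timestamp> login user=<id> ip=<addr> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)

# Constructed sample audit log (documentation-range IPs, fictional accounts).
SAMPLE_LOG = """\
2024-05-06T09:02:11 login user=dr.rivera ip=203.0.113.10 result=success
2024-05-06T09:15:40 login user=admin.chen ip=198.51.100.7 result=success
2024-05-06T13:40:02 login user=dr.rivera ip=203.0.113.10 result=success
2024-05-07T03:12:55 login user=dr.rivera ip=203.0.113.10 result=success
2024-05-07T10:00:01 login user=admin.chen ip=192.0.2.44 result=failure
2024-05-07T10:00:07 login user=admin.chen ip=192.0.2.44 result=failure
2024-05-07T10:00:13 login user=admin.chen ip=192.0.2.44 result=failure
2024-05-07T10:00:19 login user=admin.chen ip=192.0.2.44 result=failure
2024-05-07T10:00:25 login user=admin.chen ip=192.0.2.44 result=failure
2024-05-07T10:00:31 login user=admin.chen ip=192.0.2.44 result=success
"""

# Assumed baseline: source IPs each account normally logs in from (e.g. clinic egress).
KNOWN_IPS = {
    "dr.rivera": {"203.0.113.10"},
    "admin.chen": {"198.51.100.7"},
}
BUSINESS_HOURS = range(7, 21)        # assumed 07:00-20:59 local; anything else is "unusual time"
FAILURE_THRESHOLD = 5                # assumed: this many failures within FAILURE_WINDOW is a burst
FAILURE_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_anomalies(log_text, known_ips=KNOWN_IPS):
    """Scan login events in order and return (timestamp, user, rule, detail) tuples."""
    alerts = []
    recent_failures = defaultdict(deque)   # user -> timestamps of failures inside the window

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["event"] != "login":
            continue
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        failures = recent_failures[user]
        # Drop failures that have aged out of the sliding window.
        while failures and ts - failures[0] > FAILURE_WINDOW:
            failures.popleft()

        if ev["result"] == "failure":
            failures.append(ts)
            continue

        # Successful login: apply the three rules.
        if ip not in known_ips.get(user, set()):
            alerts.append((ts, user, "new_ip", ip))
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((ts, user, "unusual_time", ts.strftime("%H:%M")))
        if len(failures) >= FAILURE_THRESHOLD:
            alerts.append((ts, user, "success_after_failures", len(failures)))
        failures.clear()   # a success ends the current burst for this account
    return alerts


if __name__ == "__main__":
    for ts, user, rule, detail in detect_anomalies(SAMPLE_LOG):
        print(f"{ts.isoformat()} {user}: {rule} ({detail})")
```

In practice the baseline of known IPs would be learned from the account's own history rather than hard-coded, and the alerts would feed a ticket or SIEM rule rather than stdout; the point of the example is that the anomaly rules the article names are cheap to express once the platform's audit log is exported in a parseable form, which is the reason to make comprehensive audit logging a platform requirement.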
Maintain Detailed Telehealth Documentation
What every note should include
- Consent status, identity verification steps, and the telehealth modality used (video, audio-only, asynchronous).
- Platform name/version, date/time, locations of patient and provider, and all participants present.
- Clinical content supporting medical necessity, diagnoses, orders, safety checks, and follow-up plans.
- Technical issues encountered and backup methods used (e.g., switch to phone).
Telehealth Data Protection in records
- Store notes and related artifacts in encrypted systems with role-based access.
- Avoid routine recording; if recording is clinically necessary, restrict access, label as PHI, and apply a retention schedule.
- Capture system logs separately for security monitoring without embedding raw logs in the chart.
Retention and retrieval
- Apply the same retention rules as comparable in-person care, plus any payer-specific requirements.
- Index documentation to enable rapid retrieval during HIPAA Compliance Audits and incident investigations.
Understand Business Associate Agreements
Who needs a Business Associate Agreement
Any vendor that creates, receives, maintains, or transmits ePHI for your organization needs a Business Associate Agreement. This often includes telehealth platforms, cloud storage, transcription/AI scribe tools, e-fax, call centers, language services, and analytics providers.
What a strong BAA should cover
- Permitted uses/disclosures of ePHI and explicit prohibitions (e.g., analytics without de-identification).
- Administrative, physical, and technical safeguards, including End-to-End Encryption where appropriate.
- Subcontractor “flow-down” obligations and prior approval for offshore processing if applicable.
- Security incident and Breach Notification timelines, evidence requirements, and cooperation duties.
- Right to audit/assess, data return or destruction at termination, and limits on data retention.
Due diligence tips
- Map data flows to ensure all PHI touchpoints are covered by a BAA.
- Request security attestations (e.g., SOC 2 Type II, HITRUST) and recent penetration test summaries.
- Validate Identity Authentication Methods, access controls, and configuration options in your own environment.
Update Privacy and Security Policies
Policy areas to refresh now
- Approved platforms list, device requirements, encryption standards, and meeting configuration baselines.
- Telehealth Security Protocols for scheduling, identity verification, chat/file sharing, and emergency procedures.
- Data handling rules for recordings, screenshots, transcripts, and chat logs.
- Vendor management, incident response, risk analysis, and risk management for telehealth workflows.
Operationalize the updates
- Assign a telehealth compliance lead to coordinate IT, compliance, and clinical stakeholders.
- Run tabletop exercises for outages, misdirected PHI, and suspected account compromise.
- Schedule periodic internal HIPAA Compliance Audits focused on telehealth controls and documentation quality.
Train Staff on HIPAA Compliance
What to include in training
- Privacy Rule and Security Rule basics translated into telehealth scenarios and checklists.
- Identity verification scripts, consent collection steps, and documentation standards.
- Secure workspace practices: camera framing, muting, screen privacy, and avoiding PHI exposure at home.
- Phishing awareness, password hygiene, and how to report incidents quickly.
Make it stick
- Deliver short, role-based modules with scenario drills and periodic refreshers.
- Track completion, test comprehension, and remediate with coaching when needed.
Conclusion
With the waivers gone, compliance is not optional. Choose platforms that support End-to-End Encryption and sign a Business Associate Agreement, capture explicit consent, authenticate patients securely, document thoroughly, update your policies, and train relentlessly. These steps harden Telehealth Data Protection and position you to pass HIPAA Compliance Audits with confidence.
FAQs
What platforms are considered HIPAA-compliant for telehealth?
A platform is considered HIPAA-ready when it signs a Business Associate Agreement and provides required safeguards: End-to-End Encryption for sessions, strong access controls, audit logs, configurable security settings, and disciplined data retention. Verify these features in your environment and memorialize responsibilities in the BAA.
How can providers obtain valid patient consent for telehealth?
Use Patient Consent Forms written in plain language and capture consent either via secure e-signature before the visit or verbal consent documented at the start. Include telehealth risks, privacy considerations, technology used, backup plans, costs, and alternatives. Time-stamp and store consent in the EHR and re-consent when material changes occur.
What are the risks of non-compliance after HIPAA waiver expiration?
Risks include unauthorized disclosure of PHI, reportable breaches, fines, corrective action plans, payer disputes, reputational harm, and service disruptions. Non-compliance also increases cyber risk if platforms lack proper controls. A structured program—policies, training, audits, and secure technology—significantly reduces exposure.
How should telehealth documentation be maintained to meet HIPAA standards?
Document consent status, identity verification, modality, platform used, participants, locations, time, and complete clinical content. Store in your EHR with encryption and role-based access. Avoid default recordings; if captured, apply strict retention and access controls. Maintain logs and be able to retrieve records quickly for HIPAA Compliance Audits.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.