DEV Community

Joe Gellatly

HIPAA Compliance for Telehealth: What Developers Building Virtual Care Platforms Need to Get Right

Telehealth usage exploded during COVID and never came back down. What did come back was regulatory enforcement. The temporary HIPAA enforcement discretion that allowed providers to use consumer-grade video tools ended, and OCR is now actively investigating telehealth-related complaints.

If you're building or maintaining a telehealth platform, the compliance requirements are the same as any system handling ePHI -- but the attack surface is dramatically different.

Why Telehealth Has a Unique Risk Profile

Traditional healthcare IT operates within controlled environments -- hospital networks, on-premise servers, managed workstations. Telehealth breaks all of those assumptions:

  • Patient endpoints are uncontrolled -- Patients connect from personal devices on home Wi-Fi networks you can't secure
  • Provider endpoints vary wildly -- A physician might use a hospital workstation, a home laptop, or a tablet between patient rooms
  • Video and audio streams contain PHI -- The conversation itself is protected health information, not just the data in your database
  • Session recordings create new PHI stores -- If you record sessions, those recordings need the same protections as any other ePHI
  • Screen sharing exposes PHI -- A provider sharing their EHR screen during a telehealth visit transmits PHI through your video infrastructure

The Technical Requirements

Encryption -- No Exceptions

Every telehealth session must be encrypted end-to-end:

  • Video/audio streams -- TLS 1.2+ for signaling, SRTP (Secure Real-time Transport Protocol) for media streams. WebRTC uses SRTP for media by default, but verify that your deployment actually keeps it enabled end to end rather than assuming it.
  • Chat/messaging -- TLS 1.2+ minimum for any text-based communication during sessions
  • File sharing -- Any documents, images, or files shared during a session must be encrypted in transit
  • Session recordings -- AES-256 encryption at rest. If you store recordings, they're ePHI and need the same protection as your patient database.

The HIPAA safe harbor still applies: if a breach occurs but the data was encrypted to NIST standards and the key wasn't compromised, it's not a reportable breach.

Access Controls for Multi-Role Platforms

Telehealth platforms typically serve multiple user types with different access needs:

Provider
-- Can initiate/join sessions with their patients
-- Can view session recordings for their patients
-- Can access clinical notes
-- Cannot access other providers' sessions

Patient
-- Can join sessions they're invited to
-- Can view their own session history
-- Cannot access other patients' data

Administrative Staff
-- Can schedule sessions
-- May see scheduling metadata (time, provider, patient name)
-- Cannot access session content or recordings

Technical Support
-- Can troubleshoot connection issues
-- Should NOT have access to session content
-- Needs access to technical logs (stripped of PHI)

The minimum necessary standard applies: each role should only access the PHI required for their function.
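The role matrix above, as an added deny-by-default authorization check (example code written for this article, not part of the original post or any product). Role names, action names, and the `Session`/`User` shapes are assumptions; the point is that content actions require both a permitted role and a care relationship with the session, while metadata and technical-log access do not.

```python
from dataclasses import dataclass

# Constructed example: a minimal "minimum necessary" authorizer for the
# four telehealth roles described above. Anything not listed is denied.

@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # "provider", "patient", "admin" or "support" (assumed names)

@dataclass(frozen=True)
class Session:
    session_id: str
    provider_id: str
    patient_id: str
    invited: frozenset = frozenset()  # extra invitees, e.g. an interpreter

# Actions each role may ever perform.
ROLE_ACTIONS = {
    "provider": {"join", "view_recording", "view_notes", "view_metadata"},
    "patient": {"join", "view_history", "view_metadata"},
    "admin": {"schedule", "view_metadata"},
    "support": {"view_tech_logs"},
}

# Actions that expose session content (PHI) and therefore also require
# the user to be a participant in that specific session.
CONTENT_ACTIONS = {"join", "view_recording", "view_notes", "view_history"}

def has_care_relationship(user: User, session: Session) -> bool:
    """Providers only for their own patients' sessions; patients only for
    sessions they own or were explicitly invited to; nobody else."""
    if user.role == "provider":
        return user.user_id == session.provider_id
    if user.role == "patient":
        return user.user_id == session.patient_id or user.user_id in session.invited
    return False

def authorize(user: User, action: str, session: Session) -> bool:
    """Deny by default: the role must permit the action, and content
    actions additionally require a care relationship with the session."""
    if action not in ROLE_ACTIONS.get(user.role, set()):
        return False
    if action in CONTENT_ACTIONS:
        return has_care_relationship(user, session)
    return True
```

Every `authorize` decision, allowed or denied, is also the event your audit log should record.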

Audit Logging

Every telehealth platform needs comprehensive audit trails:

  • Session access logs -- Who joined each session, when they joined, when they left
  • Recording access -- Who viewed or downloaded session recordings
  • Failed access attempts -- Especially important for detecting unauthorized access to sessions
  • Configuration changes -- Who modified encryption settings, access controls, or session policies
  • Data export -- Any bulk export of session data or recordings

These logs need tamper protection, 6-year retention, and regular review. They're your evidence in an OCR investigation.
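One way to give those audit trails the tamper protection mentioned above: a hash-chained, append-only log where each entry commits to the previous one (added example, not code from the original post or any product; the event fields and the sample events are constructed). It also counts denied actions per actor, the "failed access attempts" signal, and shows one limit of chaining on its own.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # chain head; keep it and periodic chain tips in write-once storage

class AuditLog:
    """Append-only audit trail where every entry commits to the previous
    entry's hash, so an edited or deleted entry breaks verification."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _digest(entry: Dict) -> str:
        fields = {k: v for k, v in entry.items() if k != "hash"}
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def append(self, ts: str, actor: str, action: str, session_id: str, outcome: str) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "actor": actor, "action": action,
                 "session_id": session_id, "outcome": outcome, "prev": prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True only if every entry's hash is intact and links to its predecessor."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def failed_attempts(self, actor: str) -> int:
        """Denied actions by one actor: the failed-access signal worth alerting on."""
        return sum(1 for e in self.entries if e["actor"] == actor and e["outcome"] == "denied")

def build_sample_log() -> AuditLog:
    """Constructed sample events, not real data."""
    log = AuditLog()
    log.append("2025-01-10T14:00:02Z", "dr_a", "join", "sess-42", "allowed")
    log.append("2025-01-10T14:00:09Z", "pt_1", "join", "sess-42", "allowed")
    log.append("2025-01-10T14:05:31Z", "sup_9", "view_recording", "sess-42", "denied")
    log.append("2025-01-10T14:05:40Z", "sup_9", "view_recording", "sess-42", "denied")
    log.append("2025-01-10T14:31:17Z", "dr_a", "leave", "sess-42", "allowed")
    return log
```

Chaining catches edits and deletions in the middle of the log, but silently dropping the newest entries is only detectable if the latest chain tip is anchored somewhere the application cannot rewrite.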

Business Associate Agreements

Your telehealth infrastructure likely involves multiple third parties:

  • Video infrastructure provider (Twilio, Vonage, Zoom SDK) -- Need BAA
  • Cloud hosting (AWS, GCP, Azure) -- Need BAA
  • CDN for media delivery -- Need BAA if media streams pass through it
  • Transcription services -- Need BAA (and this is where many platforms slip up)
  • AI/ML services -- If you're using AI for clinical notes or summaries from session content, you need a BAA with that provider
  • Analytics platforms -- Need BAA if any session metadata constitutes PHI

The BAA chain must be complete before any PHI flows through these services.

Common Telehealth Compliance Failures

Using consumer video tools without a BAA

FaceTime, standard Zoom (not Zoom for Healthcare), Google Meet (without the healthcare add-on), and WhatsApp video are not HIPAA-compliant for telehealth. The enforcement discretion that allowed this during COVID is over.

Not encrypting session recordings

Some platforms encrypt live streams but store recordings in unencrypted S3 buckets or local storage. Recordings are ePHI and need encryption at rest.

Ignoring the waiting room

Virtual waiting rooms where patients wait for their provider are part of the session. If multiple patients can see each other's names or the fact that they're waiting for a particular specialist, that's a PHI exposure.

No session timeout

A telehealth session left open on a provider's screen in a shared workspace exposes PHI. Implement automatic session termination after inactivity periods appropriate to the clinical context.

Weak patient authentication

Sending a join link via email with no additional authentication means anyone with the link can join a session. Implement identity verification -- even something as simple as requiring patients to enter their date of birth before joining.
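The join-link weakness above, with the fix the text suggests, as an added example (not code from the original post or any product): the emailed link carries a signed, expiring token bound to one session and one patient, and joining also requires the date of birth on file. `SECRET`, the identifiers and the DOB values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

SECRET = b"server-side-signing-key-placeholder"  # assumed; load from a secret store in practice

def issue_join_token(session_id: str, patient_id: str, ttl_seconds: int, now: float) -> str:
    """Link token bound to one session and one patient, valid for ttl_seconds."""
    claims = {"sid": session_id, "pid": patient_id, "exp": int(now) + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def verify_join(token: str, entered_dob: str, dob_on_file: str, now: float) -> Tuple[bool, str]:
    """Return (ok, session_id) on success or (False, reason) on failure.
    A valid link alone never admits the caller; the DOB check is required too."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):        # constant-time comparison
        return False, "bad_signature"
    try:
        claims = json.loads(base64.urlsafe_b64decode(body.encode()))
    except ValueError:
        return False, "malformed"
    if now > claims["exp"]:
        return False, "expired"
    # DOB is a low-entropy factor: record failures as failed access attempts
    # and rate-limit them, rather than letting an attacker guess freely.
    if not hmac.compare_digest(entered_dob.encode(), dob_on_file.encode()):
        return False, "identity_check_failed"
    return True, claims["sid"]
```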

Building Compliance Into the Architecture

The most successful telehealth platforms treat HIPAA compliance as an architectural requirement, not a feature bolted on later. This means:

  1. Encrypt by default -- Make it impossible to create an unencrypted session
  2. Least privilege by default -- New roles start with zero access and must be explicitly granted
  3. Log everything -- Build audit logging into every data access path from day one
  4. Automate BAA tracking -- Know which vendors touch PHI and whether their BAAs are current
  5. Test your controls -- Penetration testing specifically targeting telehealth session security

The Compliance Foundation

All of these telehealth-specific requirements should trace back to your Security Risk Analysis. The SRA identifies where ePHI exists in your environment (including telehealth sessions and recordings), what threats apply, and what controls are needed.

For a comprehensive view of how telehealth compliance fits into your broader HIPAA program: HIPAA Compliance Solutions

And the compliance checklist that covers telehealth alongside all other technical safeguards: HIPAA Compliance Checklist 2026


Joe Gellatly is CEO of Medcurity, a HIPAA compliance platform that helps healthcare organizations manage risk assessments, compliance programs, and security documentation.
