HIPAA and Health Privacy Laws

The Center for Connected Health Policy (CCHP) provides an excellent overview of how telehealth intersects with HIPAA and health privacy laws.



What Do I Need to Do to Ensure Compliance?

HIPAA compliance requires a combination of administrative, technical and physical safeguards. Technology alone does not make a system HIPAA compliant!

Understanding how HIPAA applies to telehealth is essential. Any information that can identify an individual is considered Protected Health Information (PHI). HIPAA defines 18 identifiers, including names, phone numbers, email addresses, birthdates, IP addresses, device identifiers, photos and more.

If You Are Part of an Organization

  • Work closely with your risk, privacy, security and compliance teams.
  • Only use approved platforms, devices, accounts and workflows when communicating with patients, caregivers or other providers.
  • Using personal accounts or unapproved applications may violate HIPAA and could expose you to personal liability.

If You Are an Independent Provider or Small Practice

You are responsible for your own HIPAA compliance. Steps include:

  • Conducting a comprehensive HIPAA risk assessment of your telehealth setup
  • Considering a consultant to perform a privacy and security review
  • Evaluating risks across all telehealth practice locations (office, home, mobile, etc.)
  • Performing separate risk assessments for each setting or workflow

The resources below can help guide you through these requirements.


Tools and Resources

General HIPAA & Telehealth Compliance

VOIP and Audio-Only Telehealth

Patient Communication & Education

Business Associates & BAAs

Online Tracking Technologies

Texting and HIPAA


HIPAA Security Proposed Rule: What You Need to Know

For the first time in 20 years, the U.S. Department of Health and Human Services (HHS) has proposed major updates to the HIPAA Security Rule to strengthen protections around electronic PHI (ePHI) in the face of rising cyber threats. This Notice of Proposed Rulemaking (Proposed Rule) reflects the dramatic increase in breaches and ransomware attacks affecting healthcare between 2018 and 2023.

Key Proposed Requirements Include:

  • Maintaining an up-to-date inventory of all technology assets
  • Conducting annual enterprise-wide risk analyses
  • Implementing stronger patch and update management
  • Using multi-factor authentication across systems
  • Encrypting all ePHI
  • Performing regular vulnerability scans and penetration testing
  • Enhancing oversight of business associates handling ePHI

Because telehealth platforms and remote care tools manage large amounts of ePHI, these changes could have a significant impact on telehealth operations.

Additional Compliance Expectations in the Proposed Rule:

  • A 72-hour disaster recovery plan
  • Annual compliance audits
  • Strengthened incident response procedures
  • Business associates must notify covered entities within 24 hours of activating any contingency plan
  • Solicitation of comments on emerging technologies—including AI, quantum computing, virtual/augmented reality—and their implications for HIPAA

Comments on the proposed rule closed on March 7, 2025. More than 4,700 comments were submitted, but the rule has not yet been finalized due to the change in administration and the resulting regulatory freeze.

For details, read the full text of the Notice of Proposed Rulemaking.