
HIPAA Compliance Requirements for Telehealth: How to Adapt Your Policies and Procedures

May 2026

The COVID-19 pandemic sparked a global embrace of video consultations, remote monitoring, and mobile health apps. Within months, awareness, approval, and utilization of telehealth grew fivefold [1]. But for many organizations, that rapid rollout was only possible because the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) exempted telehealth from Health Insurance Portability and Accountability Act (HIPAA) enforcement.

Under the waiver, providers could use everyday video communication tools like FaceTime and Zoom to deliver care without fear of penalty for HIPAA noncompliance. Ordinarily, those platforms would require strict technical safeguards, business associate agreements (BAAs), and documented privacy policies before they could be used to transmit patient data.

When that waiver expired in 2023, telehealth usage had stabilized at more than double pre-pandemic levels [2]. As a result, covered entities and business associates faced a series of uphill battles:

  • Existing infrastructure often contained significant data privacy and security vulnerabilities.
  • Providers and administrators had become accustomed to waiver-era practices.
  • The speed of telehealth innovation and adoption created significant confusion around what is and is not covered by HIPAA.

This article explores these challenges and describes the policies and procedures that compliance teams are now using to overcome them.

How Telehealth Creates New Risks for HIPAA Compliance

HIPAA was introduced in 1996, when most patient data existed in paper records. As digital systems like Electronic Health Records (EHRs) gained prominence, healthcare data privacy and security fundamentally changed. New systems required new regulations; the HIPAA Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act were introduced to fill those gaps.

These regulations are the bedrock upon which telehealth programs are built. They mandate robust restrictions on how electronic protected health information (ePHI) is created, stored, shared, and disposed of. The challenge is that the Security Rule and HITECH Act were designed for a digital ecosystem controlled exclusively by the health system.

Telehealth changes the landscape. Each patient’s device becomes part of the digital ecosystem, requiring the same privacy and security safeguards as the hospital’s EHR system. At the same time, most telehealth programs rely on a network of third-party applications; some estimates suggest that up to 68% of them fail to meet HIPAA requirements [3].

That leaves compliance teams with a serious challenge: how can you adapt HIPAA policies to a digital ecosystem that grows fast and, in many cases, exists outside your organization?

The answer is by developing and adapting new policies; let’s look at exactly what they should cover.

For more details about how HIPAA impacts telehealth, read our comprehensive guide here.

5 Essential Policy Areas of HIPAA Compliance Within Telehealth

According to the 4th National HIPAA Compliance Survey, half of all healthcare organizations have 16 or fewer HIPAA policies [4]. That’s considered inadequate to cover standard HIPAA requirements, let alone telehealth programs that spread across far more complex digital ecosystems.

Our team has identified five key areas where most healthcare compliance teams should review and improve their HIPAA policies to reduce telehealth-related risk: 

1. Privacy Policies & Patient Rights

HIPAA requires providers to disclose their data privacy and security policies when interacting with patients. Most organizations have mapped these disclosures onto standard touchpoints like in-person appointments and online booking. Yet many organizations lack standardized policies about when and how these disclosures are made during video appointments or within telehealth apps.

Updates to existing policies

  • Notice of Privacy Practices (NPPs): Update to account for all digital delivery methods, including email, patient portal, or in-app acknowledgment. Explicitly reference telehealth-specific data flows such as session recordings, remote monitoring data, and third-party platform involvement.
  • Consent procedures: Update to ensure patients are informed about data storage practices, recording capabilities, and who may access session content before the visit begins.
  • Role-based access policies: Stress-test against the minimum necessary standard as telehealth environments typically involve more dispersed access points than clinic-based care.

New policies required

  • Telehealth patient rights workflow: A documented process for patients to request record access, submit amendments, and raise complaints through telehealth-compatible channels such as secure messaging or portal-based forms. This needs the same auditability as in-person equivalents.

2. Security Safeguards

The security vulnerabilities introduced during the waiver period are, for most organizations, the most technically complex to remediate. Telehealth infrastructure was often assembled quickly, across multiple vendors and device types, with limited security assessment. The result is a fragmented environment where administrative, physical, and technical controls may be inconsistent, undocumented, or simply absent.

Updates to existing policies

  • Administrative controls: Confirm a designated Security Officer has explicit responsibility for telehealth systems, and that workforce access policies reflect the tools and platforms currently in use rather than a pre-pandemic baseline.
  • Risk analyses: Update to include telehealth-specific threat vectors, such as unsecured home networks, personal devices used for clinical work, and third-party platform integrations that may not have been in scope during the last assessment.
  • Physical safeguards: Extend to remote working environments, including screen privacy requirements and device management expectations for staff delivering care outside a clinical setting.

New policies required

  • Platform vetting policy: A documented set of criteria and a review process for assessing whether a telehealth tool meets HIPAA technical safeguard requirements before adoption, covering minimum standards for encryption, multi-factor authentication, audit logging, and automated alerting for anomalous access.
    Note: While many telehealth platforms are not subject to HIPAA requirements, they must still meet high standards for data security and privacy.

3. BAAs

Telehealth often involves dozens of third-party vendors, many of which were onboarded under the pandemic-era waiver. Some lack proper BAAs, while others may simply require more extensive audits to identify potential data privacy and security risks.

Updates to existing policies

  • Vendor inventory: Update vendor management policies to require an active, maintained inventory of all telehealth-related vendors, with BAA status tracked as a live compliance field rather than a one-time checkbox.
  • BAA content review: Confirm all existing agreements include permitted uses and disclosures of PHI, security obligations aligned with the HIPAA Security Rule, and breach notification terms that meet regulatory timelines.
  • Scope reassessment: Any BAA that predates a vendor’s current service scope should be reviewed and updated. For example, any platform that incorporates AI-assisted features must demonstrate that those features adequately protect ePHI.

New policies required

  • BAA review trigger policy: A documented requirement to reassess BAAs whenever a vendor changes its services, a platform is upgraded or replaced, or a new integration is added.

4. Incident Response & Breach Notification

Telehealth introduces categories of incidents that many existing response plans were not written to handle: unauthorized session access, patient data exposed through unsecured video links, and breaches originating from a business associate’s platform rather than internal systems. If the incident response plan was last updated before the telehealth expansion, it almost certainly has gaps.

Updates to existing policies

  • Incident classification: Update to provide clear definitions of a reportable breach versus a minor security incident in telehealth contexts.
  • Escalation protocol: Review to ensure cross-functional roles are clearly assigned across IT, legal, clinical leadership, and communications, with containment procedures that account for third-party platform involvement where direct control may be limited.

New policies required

  • Post-breach review process: Introduce a documented root cause analysis and corrective action protocol triggered after any reportable incident.

5. Workforce Training & Accountability

During the waiver period, many staff adopted telehealth tools and practices without formal training or HIPAA awareness courses. Even providers and administrators with strong HIPAA knowledge may not understand how data is handled within telehealth apps or understand what is required to protect patients during remote care.

Updates to existing policies

  • Role-specific training content: Update to include telehealth-specific modules for each staff group: clinical staff on session privacy and patient consent; administrative staff on data handling and access controls; IT staff on platform security requirements and incident escalation.
  • Annual refresher training: Tie to regulatory updates and, where possible, to incidents the organization has experienced.
  • Onboarding requirements: Explicitly cover telehealth systems and governing policies, rather than treating them as an extension of general IT induction.

New policies required

  • BYOD policy: Bring Your Own Device (BYOD) policies covering minimum requirements for personal devices used in telehealth delivery. This includes enrollment standards, encryption requirements, remote wipe capability, and restrictions on personal app usage during clinical sessions.
  • Disciplinary framework: A clearly documented and consistently applied set of consequences for policy violations, essential both for genuine accountability and for demonstrating compliance readiness to auditors.

Publish Up-to-Date HIPAA Policies Without Draining Your Resources

Most compliance teams already recognize that policies and procedures are crucial to standardize and enhance compliance. However, the process of writing, reviewing, and implementing them can easily take months and cost six figures. Many organizations simply do not have the capacity to do this.

One solution is to tackle the project piecemeal: identify the most urgent HIPAA risks, draft new policies, and slowly improve your posture over time. However, this method still takes extensive resources and leaves you with incomplete policies that can create conflict and confusion later on.

A more effective option for many organizations is to leverage our policy and procedure library. With access to hundreds of customizable policy templates, you can create robust HIPAA policies without the manual legwork. As new risks emerge, you can easily adapt the policies to your specific procedures.

Want to adapt your HIPAA program to address evolving telehealth risk?

Book a Demo

  1. https://www.hcinnovationgroup.com/population-health-management/telehealth/article/21147065/the-telehealth-tidal-wave-has-arrived-will-it-come-crashing-down
  2. https://www.epicresearch.org/articles/telehealth-utilization-higher-than-pre-pandemic-levels-but-down-from-pandemic-highs
  3. https://www.hipaavault.com/resources/telehealth-security-crisis-fail-hipaa-requirements/
  4. https://www.compliance.com/resources/hipaa-compliance-in-2025-key-survey-findings-and-risk-mitigation-strategies/