Telehealth Security 101: A Practical Guide to HIPAA Requirements
Telehealth has the potential to expand and accelerate access to medical support across the country. With better patient outcomes and lower costs, digital care has proven to be more than just a pandemic-era lifeline. Yet five years after COVID-19 pushed telehealth into the mainstream, many providers still wonder:
How can remote care systems protect patient data while maintaining HIPAA compliance?
This article answers that question and explores the administrative, technical, and physical safeguards your telehealth program needs to meet HIPAA Security Rule requirements at all times.
HIPAA Compliance for Telehealth: An Overview
What is the Difference Between Telehealth and Telemedicine?
While the two terms are often used interchangeably, they are not identical:
- Telehealth is the umbrella term for any remote healthcare service, including clinical and non-clinical services
- Telemedicine is the specific provision of diagnostics and treatment via remote systems
Telehealth is, therefore, a more expansive group of practices and presents an even greater risk to HIPAA compliance.
How Does HIPAA Impact Telehealth?
HIPAA is intended to ensure patients’ health, treatment, and payment data, known collectively as protected health information (PHI), is secure and private. The requirements established under the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule must be followed by:
- Covered Entities: Any healthcare provider offering telehealth—from remote consultations to providing patients with wearable devices to support ongoing health monitoring—must comply with HIPAA requirements related to telehealth.
- Business Associates: Any third-party provider that offers telehealth services to a covered entity must enter a business associate agreement (BAA) that stipulates responsibilities related to data privacy and security. Such third parties could include patient portal developers, third-party contractors offering specialized telehealth care, or wearable manufacturers.
Which Areas of Telehealth Are Most Relevant to HIPAA?
While all areas of HIPAA apply to telehealth, digital environments introduce heightened risks to breaches. As a result, many telehealth compliance issues center on the HIPAA Security Rule, which supports the protection of electronic PHI (ePHI) through administrative, physical, and technical safeguards.
These safeguards create requirements across multiple areas of telehealth:
Remote Communication Platforms
Video platforms, messaging apps, and phone calls used for telehealth must incorporate:
- Administrative Safeguards: Clear authorization policies that determine who is allowed to use the telehealth platform and for what purpose
- Technical Safeguards: End-to-end encryption and access controls to limit access to potentially sensitive information
- Physical Safeguards: Private spaces for providers to take calls that ensure unauthorized colleagues cannot accidentally overhear sensitive information
Remote Patient Monitoring
Wearable devices, health tracking apps, and other remote monitoring systems must comply with HIPAA requirements, including:
- Administrative Safeguards: Robust policies governing ePHI storage and access authorization
- Technical Safeguards: Encryption and integrity controls to enable smooth and secure transmission of real-time health data
- Physical Safeguards: Device management protocols, such as data wiping requirements and inventory checks, to ensure devices are safe and secure
Patient Portals
Telehealth apps, such as online therapy platforms and patient portals, must protect ePHI through comprehensive safeguards, including:
- Administrative Safeguards: Security management processes that regularly assess potential data security risks
- Technical Safeguards: Authentication systems to verify user identities before granting access
- Physical Safeguards: Secure workstation policies to ensure only authorized individuals can access devices used for ePHI storage
Of course, these examples represent only a portion of the safeguards required for telehealth HIPAA compliance. A truly secure organization must implement a wide range of safeguards to proactively reduce risk and build patient confidence.
Why Data Security Matters for Telehealth
While all healthcare organizations must protect data, telehealth often requires even greater protection. Many patients are still adjusting to the idea of using video calls or digital apps to access advice. As a result, they may be more acutely aware of the risks involved in sharing their sensitive health information.
For example, in-person psychiatric assessments might make a patient feel concerned about sharing their experiences. However, they can be immediately reassured by a professional whose physical presence and bedside manner can build trust. Typing those same symptoms into an app likely feels far more vulnerable, especially given that data security policies are typically long and dense, meaning many patients are not certain how their data is managed or protected.
Robust data privacy and security, as mandated by HIPAA, are essential to build that trust in digital-first solutions. This will help to expand usage and make healthcare more efficient for patients and providers. But the best way to illustrate why is to look at the costs of not protecting patient data.
What Are the Costs of a HIPAA Violation Within Telehealth?
HIPAA violations can lead to a range of negative outcomes, including:
- Severe financial penalties from the Office of Inspector General (OIG)—with the most severe cases costing over $2 million per violation.
- Legal action from patients whose data has been compromised, which can involve both legal fees and potential settlement costs.
- Reputational damage and lost patient trust, as data privacy cases often become public.
Telehealth platforms may also face enforcement from other regulatory bodies. For example, companies such as Cerebral and GoodRx Holdings Inc. have made million-dollar settlements with the Federal Trade Commission (FTC) due to data privacy violations.
5 Factors That Create HIPAA Risk for Telehealth Providers
As telehealth has expanded over the last decade, our experts noted several recurring risk factors:
1. Unsecured Video Platforms
Many providers assume that popular consumer video platforms are automatically HIPAA-compliant, but this is rarely the case without proper configuration and a signed BAA. Even platforms that offer HIPAA-compliant versions may default to insecure settings.
Before deploying any video platform for patient consultations, organizations should verify that end-to-end encryption is enabled, the vendor has signed a BAA, and the platform meets current technical safeguard requirements.
2. Weak Access Controls
Remote work environments often blur the lines of who can access sensitive patient information. Without robust authentication mechanisms—such as multi-factor authentication and role-based access controls—unauthorized individuals may gain access to ePHI through compromised credentials or shared login information.
The challenge intensifies when providers use telehealth platforms that lack granular permission settings. Every user should have access only to the minimum necessary information to perform their role. Regular access audits can help identify dormant accounts, excessive permissions, or unusual access patterns that may indicate security vulnerabilities.
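The access-audit idea in the paragraph above (dormant accounts, permissions beyond a role's minimum necessary, and unusual access patterns) can be turned into a routine check. The script below is an added example and is not code from the article or from any telehealth vendor; the user-directory fields, the role-to-permission map, the audit-log line format, and the thresholds (90 idle days, 07:00 to 19:00 business hours, 25 distinct patient records per user per day) are all constructed assumptions that a real program would replace with its own policy values.

```python
"""Access-audit checks over a telehealth platform's user directory and audit log.

Added example (not from the article or any product). All field names, log
formats and thresholds are hypothetical assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Minimum-necessary map: record types each role legitimately needs (assumption).
ROLE_PERMISSIONS = {
    "clinician": {"chart", "video_session", "messages"},
    "scheduler": {"appointments"},
    "billing": {"claims", "appointments"},
}

# Constructed user directory: assigned role, granted permissions, last login.
USERS = [
    {"user": "dr.lee", "role": "clinician",
     "perms": {"chart", "video_session", "messages"}, "last_login": "2025-06-01T09:10:00"},
    {"user": "sched1", "role": "scheduler",
     "perms": {"appointments", "chart"}, "last_login": "2025-06-02T08:00:00"},
    {"user": "temp.contractor", "role": "billing",
     "perms": {"claims", "appointments"}, "last_login": "2025-01-15T10:00:00"},
    {"user": "nurse.kim", "role": "clinician",
     "perms": {"chart"}, "last_login": "2025-06-02T10:00:00"},
]

# Constructed audit-log lines: who viewed which patient record and when.
ACCESS_LOG = [
    "2025-06-02T09:05:00 user=dr.lee action=view_chart patient=P001",
    "2025-06-02T09:20:00 user=dr.lee action=view_chart patient=P002",
    "2025-06-02T02:15:00 user=sched1 action=view_chart patient=P003",
    "2025-06-02T02:16:00 user=sched1 action=view_chart patient=P004",
] + [
    # One user opening 30 different charts in half an hour (constructed).
    f"2025-06-02T10:{i:02d}:00 user=nurse.kim action=view_chart patient=P{100 + i}"
    for i in range(30)
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log_line(line):
    """Parse one audit-log line into a dict; reject lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    entry = m.groupdict()
    entry["ts"] = datetime.fromisoformat(entry["ts"])
    return entry


def find_dormant_accounts(users, now, max_idle_days=90):
    """Accounts whose last login is older than max_idle_days (candidates for disabling)."""
    return sorted(
        u["user"] for u in users
        if (now - datetime.fromisoformat(u["last_login"])).days > max_idle_days
    )


def find_excessive_permissions(users, role_permissions=ROLE_PERMISSIONS):
    """Permissions granted beyond what the user's role needs (minimum necessary)."""
    extra = {}
    for u in users:
        surplus = set(u["perms"]) - role_permissions.get(u["role"], set())
        if surplus:
            extra[u["user"]] = surplus
    return extra


def find_unusual_access(log_lines, business_hours=(7, 19), max_patients_per_day=25):
    """Flag off-hours record views and unusually many distinct patients per user per day."""
    start, end = business_hours
    off_hours = defaultdict(int)
    patients_per_day = defaultdict(set)
    for line in log_lines:
        e = parse_log_line(line)
        if not (start <= e["ts"].hour < end):
            off_hours[e["user"]] += 1
        patients_per_day[(e["user"], e["ts"].date().isoformat())].add(e["patient"])
    findings = [(user, "off_hours", n) for user, n in off_hours.items()]
    findings += [
        (user, "high_volume", len(patients))
        for (user, _day), patients in patients_per_day.items()
        if len(patients) > max_patients_per_day
    ]
    return sorted(findings)


def run_audit(users=USERS, log_lines=ACCESS_LOG, now=None):
    """Run all three checks; a fixed 'now' keeps the constructed data reproducible."""
    now = now or datetime(2025, 6, 3, 12, 0, 0)
    return {
        "dormant": find_dormant_accounts(users, now),
        "excessive_permissions": find_excessive_permissions(users),
        "unusual_access": find_unusual_access(log_lines),
    }


if __name__ == "__main__":
    for check, result in run_audit().items():
        print(f"{check}: {result}")
```

Each finding maps back to a concrete follow-up: a dormant account is disabled, a surplus permission is removed, and an off-hours or high-volume pattern is reviewed with the user's supervisor before it is treated as an incident. Running the audit on a schedule and keeping its output is also evidence for the periodic review that the Security Rule's administrative safeguards expect.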
3. Use of Personal Devices
The shift to remote consultations has led many healthcare professionals to use personal smartphones, tablets, and computers for patient interactions. These devices often lack the security configurations required for HIPAA compliance, including device encryption, remote wipe capabilities, and updated security patches.
Personal devices also create risks when family members share devices or when providers use the same device for both personal and professional activities. To mitigate these risks, organizations must establish clear bring-your-own-device (BYOD) policies that require security baselines, separation of personal and work data, and regular compliance checks to ensure patient information remains protected.
4. Cloud Data Storage
Cloud storage offers convenience and scalability for telehealth providers, but it also introduces significant compliance challenges. Not all cloud providers offer HIPAA-compliant services, and those that do often require specific configuration settings and signed BAAs before they can be used to store ePHI.
Data residency presents another layer of complexity. Cloud data may be stored across multiple geographic locations, potentially crossing state or international boundaries where different privacy laws apply. Providers must verify where their data is stored, how it’s encrypted both in transit and at rest, and whether their cloud vendor’s data centers meet physical safeguard requirements outlined in the HIPAA Security Rule.
5. Lack of Staff Awareness
Workforce training is a common weakness within HIPAA compliance programs, with 13% of organizations offering no HIPAA awareness training at all. This gap is particularly dangerous in telehealth environments. Providers and staff are often using new platforms and systems and cannot be expected to “just know” how to navigate data privacy when using patient portals or video platforms.
Regular training is essential to reinforce HIPAA requirements and adapt to evolving circumstances—from emerging cybersecurity threats to changing telehealth billing requirements. However, for many organizations, this can be prohibitively expensive and logistically challenging.
At Compliance Resource Center, we make HIPAA training simpler, faster, and more cost-efficient through a flexible delivery model. With in-person, remote, and hybrid training options, you can provide every employee with robust telehealth data security training—regardless of how, when, or where they prefer to learn.