Awareness article
HIPAA for Telehealth Clinicians
Telehealth clinicians face unique PHI risks - platform BAAs, recording consent, location security, device requirements, and handling technical failures. This guide covers the HIPAA obligations specific to delivering care remotely.
Short answer
Telehealth clinicians must ensure their video platform has a signed BAA (45 CFR § 164.308(b)(1)), conduct sessions from a private location over a secure connection, obtain patient consent before recording, and follow documented protocols for handling technical failures and post-session documentation. The technical safeguards involved fall under 45 CFR §§ 164.312(a) (access control) and 164.312(e) (transmission security).
Every telehealth session involves PHI transmitted over a network, stored in a system, and potentially recorded - each of which carries specific HIPAA requirements. Your obligations as a telehealth clinician are not relaxed because care is delivered remotely.
Scenario: You start a telehealth session for a new patient using the Zoom account the practice already had. No BAA exists with Zoom because the practice bought a standard Business account rather than the healthcare tier that comes with one. Every session you conduct over that account is an unauthorized disclosure of ePHI to Zoom: the platform transmits PHI during every session, so it is a business associate, and 45 CFR § 164.308(b)(1) requires a BAA before the first transmission. The fix is switching to a healthcare-tier account with a signed BAA before delivering another session. The sessions already held are an impermissible disclosure, so the clinic must also run them through its breach risk assessment under 45 CFR § 164.402 rather than simply moving on.
Platform Selection and BAA Requirements
Under 45 CFR § 164.308(b)(1), your clinic must execute a BAA with any business associate that creates, receives, maintains, or transmits PHI on its behalf. A telehealth video platform transmits PHI during every session - it is a business associate.
What a telehealth platform BAA must address:
- The vendor’s obligations to safeguard PHI under the Security Rule
- Permitted uses and disclosures of PHI
- Requirements to report breaches to your clinic
- Provisions for returning or destroying PHI upon contract termination
- Prohibition on using PHI for the vendor’s own purposes (advertising, platform improvement without explicit authorization)
Consumer vs. enterprise platform tiers: Many common platforms (Zoom, Microsoft Teams, Google Meet) offer healthcare-specific tiers that include BAAs. The consumer tier of the same platform does not. Before using any platform for telehealth, verify: Does the vendor offer a BAA for healthcare use? Is your account configured at the tier that includes the BAA? Are security features (end-to-end encryption, waiting rooms, recording controls) enabled?
The HHS Office for Civil Rights enforcement discretion that allowed non-public-facing consumer platforms during the COVID-19 public health emergency ended on May 11, 2023, with a transition period that ran through August 9, 2023. The standard BAA requirement applies.
Recording Consent Requirements
Recording a telehealth session creates a permanent audio/video PHI record. Before recording:
Obtain patient consent. Recording a patient without consent is an unauthorized capture of PHI. Consent should be documented in the patient’s chart before the first recorded session, renewed if the scope of recording changes, and specific about what will be recorded and how it will be used - clinical reference, billing review, and training each require separate disclosure.
Check state law. Many states require all-party (often called two-party) consent for audio or video recording, meaning every participant must affirmatively consent. This is stricter than HIPAA, and in telehealth the relevant law may be the patient's state as well as yours, since the parties are in different locations. States including California, Florida, Illinois, and Michigan are generally listed as all-party consent states. Check the recording consent law in every state involved before recording any session.
Store recordings securely. A telehealth recording is ePHI and must be: stored in a HIPAA-compliant environment with the same controls as any other ePHI; access-controlled (only authorized clinical staff); audit-logged (who viewed the recording and when); retained per the clinic’s medical records retention schedule; and securely deleted when retention expires.
Location Security: Provider and Patient
Your Location Requirements
Deliver telehealth from a secure, private location. Under 45 CFR § 164.310(b), your clinic must implement policies on proper workstation use for workstations accessing ePHI.
For telehealth, this means: conduct sessions where household members, colleagues, or bystanders cannot overhear the patient; use a background or physical setup that does not reveal information about other patients (no visible charts or whiteboards on screen); ensure the screen displaying patient information is not visible to anyone behind or beside you; and use headphones when there is ambient noise risk.
What not to do: Delivering a telehealth session from a coffee shop, open office, or any public or semi-public space is not compliant - regardless of how secure the connection is. The session itself is a clinical encounter where the patient expects confidentiality.
Patient Location - What You Can and Cannot Control
You cannot control the patient’s environment, and HIPAA does not require you to. Inform patients at the start of the session that the call involves sensitive health information and encourage them to choose a private location. Document that this disclosure was made. If a patient chooses to take the call in a public space and PHI is discussed, the privacy risk rests with their choice - provided you documented the privacy disclosure.
Device Security Requirements
Under 45 CFR §§ 164.312(a) and 164.310(b), devices you use to deliver telehealth must meet the same security standards as any device accessing ePHI:
- Encryption at rest: Device storage must be encrypted (45 CFR § 164.312(a)(2)(iv))
- Automatic logoff: Session must terminate after inactivity (45 CFR § 164.312(a)(2)(iii))
- Unique credentials: Log in with your individual credentials, not a shared account (45 CFR § 164.312(a)(2)(i))
- No personal accounts on clinical devices: Clinical devices should not be used with personal email, personal cloud storage, or non-approved apps
- Screen lock: Device must require authentication to unlock
Encryption and automatic logoff are addressable implementation specifications: the clinic either implements them or documents why an equivalent measure is reasonable and appropriate. Addressable does not mean optional, and a device that can be opened without a credential or that stores ePHI in plaintext fails both.
Personal devices used for telehealth require a formal bring-your-own-device (BYOD) policy with documented security controls, typically enforced through mobile device management so the clinic can verify encryption and lock settings and remove ePHI from a lost device. Without a BYOD policy, using a personal phone or laptop for telehealth creates uncontrolled ePHI endpoints.
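The controls above are only useful if someone verifies them on the actual device. The following is an added example, not part of the original article or of any PHIGuard product: a small posture check for a Linux workstation with a GNOME desktop that reads disk encryption from `lsblk -P`, screen-lock settings from `gsettings`, and account uniqueness from `/etc/passwd`, and reports anything that fails the encryption-at-rest, screen-lock/automatic-logoff, and unique-credential requirements. The `SAMPLE_*` inputs are constructed for illustration (a laptop with an encrypted root, an unencrypted USB disk holding session recordings, a lock timeout that is too long, and a shared login); the 900-second lock limit and the `/boot` exemption are assumptions a clinic would set in its own policy.

```python
"""Endpoint posture check for the telehealth device controls (added example).

Assumes Linux with a GNOME desktop. The SAMPLE_* inputs are constructed;
collect_live() gathers the real ones from the running host.
"""
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Assumed policy values: bootloader partitions may stay unencrypted (they hold no ePHI),
# and the screen must lock within 15 minutes of inactivity.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}
MAX_LOCK_SECONDS = 900
GSETTINGS_KEYS = (
    "org.gnome.desktop.screensaver lock-enabled",
    "org.gnome.desktop.screensaver lock-delay",
    "org.gnome.desktop.session idle-delay",
)


def parse_lsblk_pairs(text: str) -> List[Dict[str, str]]:
    """Parse `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME`: one device per line as KEY="value" pairs."""
    return [dict(re.findall(r'(\w+)="([^"]*)"', line)) for line in text.splitlines() if line.strip()]


def unencrypted_mounts(lsblk_text: str) -> List[str]:
    """Mounted filesystems with no dm-crypt ('crypt') device anywhere in their parent chain."""
    rows = parse_lsblk_pairs(lsblk_text)
    by_name = {r["NAME"]: r for r in rows}
    findings = []
    for row in rows:
        mnt = row.get("MOUNTPOINT", "")
        if not mnt or mnt in ALLOWED_PLAINTEXT:
            continue
        node: Optional[Dict[str, str]] = row
        seen = set()
        # Walk up via PKNAME: the crypt layer may sit anywhere below the filesystem.
        while node is not None and node["NAME"] not in seen:
            if node.get("TYPE") == "crypt":
                break
            seen.add(node["NAME"])
            node = by_name.get(node.get("PKNAME", ""))
        else:  # loop exhausted without finding a crypt device
            findings.append(mnt)
    return findings


def _uint(raw: str) -> Optional[int]:
    """`gsettings get` prints e.g. 'uint32 300'; return the last integer (the value, not the type)."""
    nums = re.findall(r"\d+", raw)
    return int(nums[-1]) if nums else None


def screen_lock_findings(gsettings: Dict[str, str], max_lock_seconds: int = MAX_LOCK_SECONDS) -> List[str]:
    """Screen lock must be enabled and engage within max_lock_seconds of inactivity."""
    findings = []
    if gsettings.get(GSETTINGS_KEYS[0], "").strip() != "true":
        findings.append("screen lock disabled (lock-enabled is not true)")
    idle = _uint(gsettings.get(GSETTINGS_KEYS[2], ""))
    lock_delay = _uint(gsettings.get(GSETTINGS_KEYS[1], "")) or 0
    if not idle:  # unset or 0: the session never idles out, so it never locks on its own
        findings.append("idle-delay is 0/unset: the screen never locks automatically")
    elif idle + lock_delay > max_lock_seconds:
        findings.append(f"screen locks after {idle + lock_delay}s, above the {max_lock_seconds}s limit")
    return findings


def shared_uid_accounts(passwd_text: str) -> Dict[int, List[str]]:
    """UIDs held by more than one login name: two names, one identity, so audit logs cannot attribute actions."""
    uids: Dict[int, List[str]] = {}
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 7:
            continue
        uids.setdefault(int(parts[2]), []).append(parts[0])
    return {uid: names for uid, names in uids.items() if len(names) > 1}


def audit(lsblk_text: str, gsettings: Dict[str, str], passwd_text: str) -> List[str]:
    """Run all three checks; an empty list means the device passes them."""
    findings = [f"unencrypted filesystem mounted at {m}" for m in unencrypted_mounts(lsblk_text)]
    findings += screen_lock_findings(gsettings)
    for uid, names in shared_uid_accounts(passwd_text).items():
        findings.append(f"UID {uid} shared by accounts: {', '.join(names)}")
    return findings


def collect_live() -> List[str]:
    """Audit this host (Linux/GNOME). A missing command yields empty output, which reads as a failure."""
    def run(cmd: str) -> str:
        try:
            return subprocess.run(shlex.split(cmd), capture_output=True, text=True, check=False).stdout
        except FileNotFoundError:
            return ""
    gsettings = {key: run(f"gsettings get {key}") for key in GSETTINGS_KEYS}
    with open("/etc/passwd", encoding="utf-8") as fh:
        passwd = fh.read()
    return audit(run("lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME"), gsettings, passwd)


# Constructed sample inputs (not captured from a real clinic device).
SAMPLE_LSBLK = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="/" PKNAME="nvme0n1p2"
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/mnt/recordings" PKNAME="sda"
"""
SAMPLE_GSETTINGS = {GSETTINGS_KEYS[0]: "true\n", GSETTINGS_KEYS[1]: "uint32 0\n", GSETTINGS_KEYS[2]: "uint32 1800\n"}
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:Dr J Doe:/home/jdoe:/bin/bash
frontdesk:x:1001:1001:shared front desk login:/home/frontdesk:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LSBLK, SAMPLE_GSETTINGS, SAMPLE_PASSWD):
        print("FAIL:", finding)
```

Run against the sample data the script reports three findings: the recordings disk is unencrypted, the screen takes 30 minutes to lock, and two login names share one UID. Replace the sample call with `collect_live()` to audit the workstation itself. The shared-UID check catches only one form of shared credentials; a generic account that several people know the password for has a unique UID and must be found through the clinic's account inventory and access reviews, not from `/etc/passwd`.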
Handling Technical Failures Mid-Session
Connection failures, audio dropouts, and platform errors are routine in telehealth. When a failure occurs while PHI is on screen or while a sensitive clinical discussion is in progress, follow your clinic’s documented protocol.
Immediate steps:
- Close or minimize any open patient records visible on screen.
- Lock the screen if the device is in an exposed location.
- Do not attempt to reconnect to the patient over a non-approved channel (personal phone, personal email) unless the clinic’s emergency protocol specifically permits it with patient authorization.
- Contact the patient through the clinic’s approved communication method to reschedule or reconnect.
Documentation: Document the session interruption in the patient’s chart, including: the time the failure occurred; what portion of the encounter had been completed; how the patient was contacted to reschedule or reconnect; and any clinical information already exchanged that needs to be incorporated into the note.
Your clinic should have a written protocol for connection failures so you can follow it without making real-time judgment calls about whether a non-compliant channel is acceptable in the moment.
Post-Session Documentation
Complete telehealth encounter documentation the same day as the encounter. It belongs in the EHR with the same completeness and retention requirements as any other clinical note. Key elements: date and time of the session; platform used; whether the session was recorded (and if so, consent documented); clinical note (SOAP or equivalent); patient location disclosure acknowledgment; and any technical issues that affected the session.
Under 45 CFR § 164.524, patients have the right to access telehealth documentation as part of their medical record. Documentation that is incomplete or not filed in the approved system is both a clinical and compliance risk.
Consumer Health Apps Are Not Covered
The HIPAA Privacy and Security Rules apply to covered entities and their business associates. Many patients use consumer health apps - fitness trackers, wellness platforms, consumer telemedicine apps, medication reminder apps - that are not covered by HIPAA because they are not operated by covered entities or their business associates.
If a patient shares data from a consumer app during your session, that data is not protected by HIPAA until your clinic incorporates it into the medical record. At that point, it becomes PHI. Do not use consumer health apps as clinical data repositories, even if a patient prefers this. Clinical data belongs in the approved EHR.
For PHI communication channel requirements, see PHI in text messaging and PHI in email. For minimum necessary access principles, see minimum necessary standard.
PHIGuard helps small clinics manage telehealth compliance tasks alongside their other HIPAA obligations, including BAA tracking, workforce training, and incident response. Current pricing and details are at PHIGuard HIPAA.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.