Key Takeaways
HIPAA compliant telehealth requires encryption in transit (e.g., TLS 1.2 or higher), access controls, audit logs, and a signed Business Associate Agreement with your video platform.
No official HIPAA certification body exists – platforms self-attest compliance, so your BAA and vendor security documentation are your only legal protections.
Standard consumer tools like Zoom, Google Meet, and Microsoft Teams are NOT HIPAA compliant without a healthcare-specific plan and a signed BAA.
Pabau’s integrated telehealth feature keeps video sessions, patient records, and consent forms within one HIPAA-aligned platform, reducing the compliance gap between tools.
Telehealth use surged during the COVID-19 public health emergency and has remained a significant share of outpatient care in many specialties, particularly behavioral health, per HHS’s January 2024 telehealth utilization report. The compliance implication is the same regardless of exact share: the risk of exposing Protected Health Information (PHI) during a virtual session is higher than ever. Most breaches don’t happen because a provider was careless – they happen because the underlying HIPAA compliance for clinic software was never properly configured in the first place.
This guide covers what HIPAA compliant telehealth actually requires, how Business Associate Agreements work in practice, which platforms meet the bar and which don’t, and how to build a compliant virtual care workflow your whole team can follow. Whether you run a behavioral health practice, a medical spa, or a multi-specialty clinic, the obligations are the same.
HIPAA Compliant Telehealth: Core Requirements Explained
HIPAA doesn’t have a single “telehealth section.” Instead, two existing rules apply directly to every virtual care session your practice conducts.
The HIPAA Privacy Rule governs what PHI can be used or disclosed and under what conditions. During a telehealth session, that means only the minimum necessary information should be visible or transmitted. A video appointment shouldn’t expose unrelated patient records in the background, and session recordings can only be retained with a specific, documented purpose.
The HIPAA Security Rule covers electronic PHI (ePHI) specifically. According to HHS’s telehealth guidance, covered health care providers must use technology vendors that comply with HIPAA Rules and will enter into Business Associate Agreements (BAAs) for their video communication products. The HIPAA Security Rule requirements that apply most directly to telehealth include:
- Encryption in transit and at rest: Video, audio, and any transmitted ePHI must be encrypted using current standards (e.g., TLS 1.2 or higher in transit and AES-256 at rest, per NIST guidance referenced by HHS). True end-to-end encryption is a stronger protection some platforms offer but is not strictly mandated by the HIPAA Security Rule.
- Access controls: Only authorized users can initiate or join a session. Waiting rooms, unique meeting links, and PIN codes all contribute to this.
- Audit logs: The platform must log who accessed what and when. These logs are not optional – OCR audits them during breach investigations.
- Automatic session timeout: Sessions must terminate after inactivity, preventing unauthorized access to an open connection.
- Data transmission security: Any files shared during a session (images, forms, lab results) must transit over encrypted channels.
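As an added example (not code from the original post or from Pabau), the following Python script reviews a constructed audit-log export against the access-control and recording points above: every join must be a workforce account authenticated with MFA or the patient scheduled for that session, and recordings may only start in sessions with a documented retention purpose. The event format, field names, roster and schedule are assumptions; adapt them to what your platform actually exports.

```python
"""Quarterly telehealth audit-log review (constructed example, not Pabau code).

Event format, field names, roster and schedule are assumptions; adapt them
to what your platform actually exports and what your EHR holds.
"""
import json
from collections import Counter

# Constructed practice records standing in for the EHR and scheduler.
WORKFORCE = {"dr.lee": "provider", "frontdesk1": "staff"}
SCHEDULE = {"sess-101": "patient-4471", "sess-102": "patient-9920"}
RECORDING_APPROVED = {"sess-101"}  # sessions with a documented retention purpose

# Constructed audit-log export: one JSON event per line.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:00:02Z","event":"session.join","session":"sess-101","actor":"dr.lee","mfa":true}
{"ts":"2024-03-04T09:00:40Z","event":"session.join","session":"sess-101","actor":"patient-4471","mfa":false}
{"ts":"2024-03-04T09:05:10Z","event":"recording.start","session":"sess-101","actor":"dr.lee","mfa":true}
{"ts":"2024-03-04T10:00:05Z","event":"session.join","session":"sess-102","actor":"dr.lee","mfa":false}
{"ts":"2024-03-04T10:00:30Z","event":"session.join","session":"sess-102","actor":"patient-9920","mfa":false}
{"ts":"2024-03-04T10:01:12Z","event":"session.join","session":"sess-102","actor":"guest-7f3a","mfa":false}
{"ts":"2024-03-04T10:20:00Z","event":"recording.start","session":"sess-102","actor":"dr.lee","mfa":false}
"""

def review_audit_log(lines):
    """Return (session, finding, actor) tuples that need follow-up."""
    findings = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        session, actor = ev["session"], ev["actor"]
        if ev["event"] == "session.join":
            if actor in WORKFORCE:
                # Access control: workforce accounts must authenticate with MFA.
                if not ev["mfa"]:
                    findings.append((session, "workforce join without MFA", actor))
            elif actor != SCHEDULE.get(session):
                # Neither staff nor the scheduled patient: an unauthorized party.
                findings.append((session, "unauthorized participant", actor))
        elif ev["event"] == "recording.start" and session not in RECORDING_APPROVED:
            # Privacy Rule: recordings need a specific, documented purpose.
            findings.append((session, "recording without documented purpose", actor))
    return findings

def summarize(findings):
    """Count findings by category for the quarterly review report."""
    return dict(Counter(kind for _, kind, _ in findings))

if __name__ == "__main__":
    results = review_audit_log(SAMPLE_LOG.splitlines())
    for session, kind, actor in results:
        print(f"{session}: {kind} ({actor})")
    print(summarize(results))
```

Each finding maps back to a workflow fix: re-enforce MFA on the provider account, verify the waiting room was enabled for the session with the unknown participant, and document or delete the recording.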
One clarification that trips up many clinics: HIPAA compliance is not a certification. No federal agency certifies a platform as “HIPAA compliant.” Vendors self-attest their compliance. Your legal protection comes from the BAA they sign, their security documentation, and your own internal policies – not a badge on their website.
What Is a Business Associate Agreement and Why It Matters
A Business Associate Agreement (BAA) is the contractual foundation of HIPAA compliant telehealth. Without one, using any third-party video platform for patient care is a HIPAA violation regardless of how secure the technology actually is.
Under HIPAA, any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate. Your telehealth platform processes ePHI – patient identity, reason for visit, session recording – so it qualifies. The BAA requires the vendor to:
- Implement appropriate safeguards to protect ePHI
- Report any breaches or security incidents to you within required timeframes
- Ensure subcontractors also comply with HIPAA obligations
- Return or destroy ePHI when the business relationship ends
Most enterprise telehealth platforms offer BAAs as part of a paid healthcare tier. This is not a formality – OCR has levied seven-figure fines against covered entities that used non-BAA platforms. Before your next telehealth session, confirm the BAA is signed, dated, and stored in your compliance records. Building a paperless practice that’s HIPAA compliant means having these agreements documented and accessible, not filed away in a drawer.
Pro Tip
Audit your BAA stack annually. List every vendor that touches ePHI – your telehealth platform, your EHR, your scheduling tool, your payment processor. Confirm a signed BAA exists for each one. A single gap in this chain creates liability for your entire practice.
Zoom, Google Meet, and Microsoft Teams: The HIPAA Reality
Clinic owners regularly ask whether the video tools they already use qualify for patient care. The short answer: consumer versions don’t. The longer answer depends on whether you’re using a paid plan that supports a HIPAA BAA and have actually signed that BAA with the vendor.
Using standard Zoom for telehealth without the healthcare-specific plan is among the most common HIPAA violations in virtual care. During the COVID-19 Public Health Emergency (PHE), HHS exercised enforcement discretion – providers could use non-HIPAA-compliant video tools without penalty. That discretion ended when HHS issued a 90-calendar-day transition period beginning May 12, 2023 that expired August 9, 2023. Every telehealth session your clinic runs today must use a HIPAA compliant platform with a signed BAA.
Even on a paid plan with a signed BAA, these general-purpose tools weren’t built for clinical workflows. They lack native EHR integration, automated consent capture, and clinical documentation tied to each session. A provider juggling a Zoom call, a separate EHR, and a manual consent form process is creating compliance gaps at every handoff point.
Building a HIPAA Compliant Telehealth Workflow
Selecting a compliant platform is step one. A compliant workflow is what actually keeps your practice protected. These two things are frequently confused, and that confusion is the source of most telehealth HIPAA violations.
Consider a realistic scenario: a behavioral health clinic selects a HIPAA compliant video platform, signs a BAA, and considers itself covered. But the front desk sends appointment links through a personal Gmail account. The therapist takes session notes in an unencrypted Google Doc. The intake form is a PDF emailed as an attachment. Each of these steps introduces PHI into unsecured channels that fall outside the signed BAA. The platform was compliant. The workflow wasn’t.
A genuinely compliant telehealth workflow covers these five touchpoints:
- Appointment scheduling: Session links generated within a HIPAA-covered system, not sent via personal email or SMS tools without BAAs.
- Patient intake: Digital consent forms and intake questionnaires collected through a HIPAA compliant forms platform before the session begins. Pabau’s digital forms feature handles this within the same system as the clinical record.
- The video session: Conducted on a BAA-covered platform with waiting room enabled, E2EE active, and the provider authenticated with MFA.
- Clinical documentation: Notes written directly into the patient’s EHR record during or immediately after the session – not in external apps.
- Follow-up communications: Post-visit instructions and messaging sent through a HIPAA compliant secure messaging channel, not standard SMS or personal email.
Staff training is also a HIPAA obligation, not just a best practice. The HIPAA Security Rule requires covered entities to train all workforce members on security policies. For telehealth, this means front desk staff who send appointment links, clinical staff who conduct sessions, and billing staff who process telehealth claims all need documented training. Reviewing patient data security tools and how your team interacts with them is a good starting point for building that training framework.
Run HIPAA Compliant Telehealth from One Platform
Pabau combines video sessions, digital consent forms, clinical notes, and automated workflows in a single HIPAA-aligned system. See how practices eliminate compliance gaps between disconnected tools.
HIPAA Telehealth Compliance for Behavioral Health and Aesthetics Clinics
HIPAA applies the same way regardless of specialty, but the risk profile varies significantly. Two clinic types that frequently underestimate their telehealth exposure are behavioral health practices and medical spas.
Behavioral health: Mental health and therapy practices conduct the majority of their sessions virtually. Session content – diagnoses, treatment histories, medication lists, disclosures made in therapy – represents some of the most sensitive PHI categories under HIPAA. A breach involving psychiatric records carries heightened reputational and legal consequences compared to a scheduling data leak. Behavioral health providers also frequently use asynchronous messaging between sessions, which must occur on BAA-covered platforms, not standard SMS.
Medical spas and aesthetics clinics: Many aesthetic practices assume HIPAA doesn’t apply to them because they’re not “traditional” medical providers. That assumption is wrong if the practice bills insurance, employs licensed medical professionals, or handles PHI in any form. Med spas and HIPAA compliance obligations are frequently more significant than owners realize – particularly when virtual consultations involve treatment planning or medical histories.
Both clinic types benefit from integrated platforms that connect telehealth with clinical documentation. When a virtual consultation generates a treatment note, that note should link directly to the patient record without any manual transfer. Manual data movement between systems is where PHI gets mishandled. Using Pabau’s telehealth software means the session, the note, and the patient record exist in one place, eliminating that gap.
HIPAA Compliant Telehealth Checklist for Clinic Owners
Use this checklist to audit your current virtual care setup. Each item maps to a specific HIPAA obligation or enforcement risk area.
- BAA signed with every vendor: Telehealth platform, EHR, scheduling tool, messaging platform, payment processor
- Platform uses end-to-end encryption: Verified in vendor’s security documentation, not just their marketing copy
- Waiting room or session authentication enabled: Prevents unauthorized parties from joining sessions
- MFA active on all clinical accounts: Especially for providers accessing sessions from personal devices
- Intake forms collected within a HIPAA-covered system: Not via email attachments or consumer form tools
- Session notes documented in EHR: Not in Google Docs, Notion, or other external apps
- Post-visit communications via compliant messaging: Not standard SMS or personal email
- Staff training documented: All workforce members with ePHI access trained within the last 12 months
- Audit logs reviewed periodically: Quarterly review of access logs is a reasonable standard
- Breach response plan in place: OCR requires a documented incident response procedure
For a deeper look at how these obligations apply across your full clinical operation, Pabau’s compliance management tools provide a structured framework for tracking your security posture. You can also find a more detailed breakdown of obligations in our HIPAA compliance for medical offices guide.
Pro Tip
Run a tabletop exercise with your team twice a year: simulate a telehealth session where a patient’s PHI is accidentally shared with the wrong recipient. Walk through your breach notification procedure. Practices that have never rehearsed a breach response take three times longer to contain one when it happens.
How Integrated Platforms Reduce Telehealth HIPAA Risk
Most telehealth compliance failures are not security failures – they’re integration failures. A practice using five separate, individually HIPAA compliant tools still creates gaps when data moves between them. Every export, copy-paste, or manual data transfer is a potential exposure point outside any BAA’s coverage.
Integrated practice management platforms address this structurally. When telehealth, digital forms, clinical notes, and patient records share a single data layer, PHI never leaves the covered environment. There’s no “send this file via email to the billing department” step. There’s no copying session notes into a separate EHR. The compliance perimeter of a single BAA covers the entire patient interaction.
This is the operational argument for platforms like Pabau over standalone telehealth tools. A practice that uses a separate video platform, a separate EHR, a separate forms tool, and a separate billing system has four separate BAAs to maintain, four separate security configurations to audit, and four separate breach notification obligations. That complexity is where compliance breaks down in real-world clinic operations. Consolidating onto a platform with data protection best practices built into the core architecture reduces all of that administrative overhead while improving the actual security posture.
For practices evaluating their options, the Pabau HIPAA compliance page outlines the specific technical and administrative safeguards applied across the platform.
Expert Picks
Need to understand your full HIPAA obligations for clinic operations? HIPAA Compliance for Clinic Software covers the technical, physical, and administrative safeguards that apply to every tool in your practice stack.
Running a paperless clinic and want to verify your documentation workflow is covered? Paperless Practice: HIPAA Compliant walks through how to replace paper processes with digital equivalents that meet HIPAA requirements.
Want a broader look at telehealth implementation for GP clinics? Telehealth in GP Clinics covers platform selection, workflow design, and patient communication for primary care virtual visits.
Conclusion
Telehealth volume isn’t going back down, and neither is OCR’s enforcement appetite. The compliance gap in most practices isn’t the video platform itself – it’s the workflow around it. Unsigned BAAs, consumer-grade tools, and PHI moving between disconnected systems are where violations actually originate.
Pabau’s integrated telehealth feature keeps every element of the virtual care workflow – video sessions, patient consent, clinical notes, and follow-up communications – within a single HIPAA-aligned system. There’s no patching together separate tools, no manual PHI transfers, and no gaps in your BAA coverage. If your current setup involves more than two vendors touching patient data during a telehealth visit, it’s worth reviewing. Book a demo to see how Pabau handles the compliance architecture so your team can focus on patient care.
Frequently Asked Questions
A HIPAA compliant telehealth platform must offer encryption in transit (such as TLS 1.2 or higher), access controls (such as waiting rooms and unique session links), audit logging, and a signed Business Associate Agreement (BAA). The platform must also ensure that any subcontractors processing ePHI on its behalf are also HIPAA compliant. Technology alone isn’t sufficient – your internal workflows must also prevent PHI from moving into unsecured channels.
Standard Zoom is not HIPAA compliant for telehealth. Zoom for Healthcare, a paid plan for which Zoom signs a BAA with the customer, includes the technical safeguards and contractual coverage required for patient sessions. Using the standard consumer version for telehealth – even briefly – constitutes a HIPAA violation because no BAA exists and the data handling terms don’t meet healthcare standards.
Yes, without exception. Any vendor that creates, receives, maintains, or transmits ePHI on your behalf must sign a BAA before you use their service for patient care. This requirement comes directly from the HIPAA Omnibus Rule. Operating telehealth without a signed BAA from your video vendor is a violation regardless of how secure the technology actually is.
Standard Google Meet on a free Google account is not HIPAA compliant. Google offers a BAA on most paid Google Workspace editions (Business Standard, Business Plus, and Enterprise) when the customer requests and signs it; the requirement is a paid plan plus a signed BAA, not a specific tier name. Practices using free or unsigned-BAA accounts for patient sessions should treat those sessions as unprotected and transition to a compliant alternative immediately.
The core HIPAA obligations are the same, but telehealth adds specific technical risks: unencrypted video streams, insecure file sharing during sessions, PHI moving between multiple disconnected tools, and session recordings stored in non-covered environments. In-person visits don’t require technology vendors to process ePHI in real time – telehealth does, which is why BAAs and platform selection are so critical in virtual care.