During the COVID-19 public health emergency, HHS issued an Enforcement Discretion Notice that allowed providers to use non-HIPAA-compliant video platforms (FaceTime, Skype, Zoom consumer) for telehealth. That discretion expired August 9, 2023. Every telehealth encounter now must comply with the full HIPAA Security Rule — and OCR has signaled enforcement priorities. Practices that stood up telehealth quickly in 2020 and did not revisit their stack are carrying real compliance risk.
This article covers a compliant telehealth stack end-to-end: video, messaging, recording storage, and the patient-device factors most compliance reviews miss.
Video: BAA-Backed Platforms Only
A HIPAA-compliant video telehealth platform has three qualifying characteristics:
- The vendor signs a Business Associate Agreement
- End-to-end encryption or encryption-in-transit with equivalent protections
- Access controls, audit logging, and session authentication
Qualifying platforms include Doxy.me, Zoom for Healthcare, Microsoft Teams (with the appropriate license and signed BAA), Google Meet (Workspace enterprise with signed BAA), Updox, SimplePractice, and specialty-specific platforms. Consumer FaceTime and consumer Zoom do not qualify regardless of how the call is conducted.
Note: Teams and Meet require specific enterprise licenses AND a signed BAA — the free or basic tiers do not qualify. Check your licensing before assuming coverage.
Secure Messaging: Where Most Practices Fail
Secure messaging is the silent compliance gap. Clinicians message about patients on SMS, iMessage, consumer WhatsApp, and internal chat platforms that were never BAA-backed. Every unsecured message about a patient is a potential breach.
A compliant messaging stack:
- Provider-to-provider: Microsoft Teams (with healthcare BAA) or specialty platforms like TigerConnect, Halo, or Spok.
- Provider-to-patient: via the EHR patient portal, or a dedicated secure messaging platform (Klara, Luma, Artera). SMS is acceptable only if the patient has been informed of the risks, has consented in writing, and the message contains no ePHI beyond what the patient understands will travel in plaintext.
- Internal escalations: If your on-call workflow uses SMS, it needs explicit PHI-avoidance rules. "Please call Dr. Smith about room 412" is acceptable. "Please call Dr. Smith about diabetic patient in 412 with hypoglycemic event" is not.
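One way to make the PHI-avoidance rule enforceable rather than advisory is a pre-send screen on the on-call SMS path. The following is an added example, not code from the article: it applies a constructed clinical-term lexicon and a few identifier patterns to the two sample messages above, passing the room-number page and blocking the diagnosis page so it can be rerouted to a BAA-backed channel.

```python
import re

# Constructed lexicon of condition words that turn an escalation into ePHI
# on an unsecured SMS path. A practice would maintain a fuller, reviewed list.
CLINICAL_TERMS = {
    "diabetic", "hypoglycemic", "hyperglycemic", "seizure", "overdose",
    "hiv", "psychiatric", "cancer", "stroke", "cardiac", "sepsis", "suicidal",
}

# Structured identifiers that should never ride on SMS (constructed patterns).
# Bare room numbers such as "412" are deliberately NOT matched.
IDENTIFIER_PATTERNS = {
    "date of birth": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN\s*#?\s*\d{4,}\b", re.IGNORECASE),
}

WORD = re.compile(r"[a-z]+")


def screen_sms(message: str) -> list[str]:
    """Return the reasons a message fails the PHI-avoidance rule (empty = ok)."""
    findings = []
    for word in WORD.findall(message.lower()):
        if word in CLINICAL_TERMS:
            findings.append(f"clinical term: {word}")
    for label, pattern in IDENTIFIER_PATTERNS.items():
        if pattern.search(message):
            findings.append(f"identifier: {label}")
    return findings


def route_escalation(message: str) -> str:
    """'sms' when the page is clean, otherwise the BAA-backed channel."""
    return "sms" if not screen_sms(message) else "secure_messaging"


if __name__ == "__main__":
    # The two messages from the article plus one constructed identifier case.
    samples = [
        "Please call Dr. Smith about room 412",
        "Please call Dr. Smith about diabetic patient in 412 with hypoglycemic event",
        "Callback needed, DOB 04/12/1980, MRN 00123456",
    ]
    for text in samples:
        print(f"{route_escalation(text):<17} {screen_sms(text)} | {text}")
```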
Recording Storage: The Long Tail
Telehealth recordings are ePHI, subject to the full Security Rule. If you record, you need a policy for:
- Patient consent to recording (two-party consent states require explicit consent — Texas, New York, and many others)
- Storage location (cloud storage under a BAA, not consumer cloud)
- Retention period (tied to your medical records retention policy, commonly 6–10 years)
- Access controls and audit logs on the recording storage
- Disposal procedures at end of retention
Most practices should not record telehealth sessions by default. The compliance overhead is substantial and the clinical value limited. If recording is necessary (training, quality review, specialty-specific documentation), invest in a purpose-built solution.
Patient-Side Factors Most Reviews Miss
The patient's device and network are outside your security perimeter, but your obligations do not stop at the session edge:
- Identity verification: how do you know the person on the other end of the call is the patient? Two-factor confirmation (date of birth + a piece of clinical history, or a portal-backed verification code) reduces impostor risk.
- Session setup: avoid unique session links that could be forwarded. Use portal-launched sessions or one-time codes.
- Privacy advisory: at the start of every session, remind the patient that their end of the call is not protected by your security controls. Ask if they are in a private space. Document that you asked.
- Recording by patient: be aware that patients in one-party-consent states can legally record the session. In two-party consent states they cannot without your consent. Neither case changes your HIPAA obligations on your side of the call.
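The session-setup point above (no forwardable links, one-time codes bound to the portal identity) can be shown concretely. This is an added example, not the article's or any vendor's code; the patient ids, the ten-minute lifetime and the in-memory store are assumptions. A code redeemed by anyone other than the patient it was issued to, redeemed twice, or redeemed late is refused.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60  # assumption: a code is valid for ten minutes


@dataclass
class SessionCode:
    patient_id: str
    issued_at: float
    used: bool = False


class SessionCodeStore:
    """Issues and redeems single-use codes bound to a portal-authenticated patient."""

    def __init__(self, now=time.time):
        self._now = now                    # injectable clock for testing
        self._codes: dict[str, SessionCode] = {}

    def issue(self, patient_id: str) -> str:
        # 8-digit code from a CSPRNG; loop guards against the rare collision.
        code = f"{secrets.randbelow(10**8):08d}"
        while code in self._codes:
            code = f"{secrets.randbelow(10**8):08d}"
        self._codes[code] = SessionCode(patient_id, self._now())
        return code

    def redeem(self, code: str, patient_id: str) -> tuple[bool, str]:
        entry = self._codes.get(code)
        if entry is None:
            return False, "unknown code"
        if entry.used:
            return False, "code already used"      # forwarded/replayed code fails here
        if self._now() - entry.issued_at > CODE_TTL_SECONDS:
            return False, "code expired"
        if not hmac.compare_digest(entry.patient_id, patient_id):
            return False, "code not bound to this patient"
        entry.used = True                          # consume on first successful use
        return True, "session authorized"


if __name__ == "__main__":
    store = SessionCodeStore()
    code = store.issue("pt-001")                   # constructed patient id
    print(store.redeem(code, "pt-001"))            # (True, 'session authorized')
    print(store.redeem(code, "pt-001"))            # (False, 'code already used')
```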
The Home-Office Provider Compliance Stack
Telehealth moved providers home, and home-office compliance is where small practices are most exposed. A provider conducting telehealth from home needs:
- A practice-managed device (not a personal device) or a fully MDM-enrolled personal device with conditional-access policies
- Full-disk encryption enforced
- Private workspace — no family members within earshot or line of sight of the screen
- Network segmentation — the work device should not share a network segment with IoT or family devices (most home routers support a separate SSID for work)
- No printing of ePHI at home without a practice-managed shredder and printer audit
Interstate Telehealth Licensing
This is not a HIPAA issue but often surfaces alongside compliance reviews. Most states require providers to be licensed in the state where the patient is located during the encounter. Telehealth across state lines requires either licensure in the patient's state, a state-specific exemption, or an interstate compact (IMLC, PSYPACT, etc.). Your telehealth platform should prompt or validate patient location at session start.
Business Associate Agreements: What to Verify
Your video platform BAA should explicitly cover:
- Use of ePHI limited to providing the service
- Subcontractor requirements (any cloud provider, transcoding vendor, CDN must also sign BAAs with your vendor)
- Breach notification timelines (HIPAA requires BA notification without unreasonable delay, and not later than 60 days)
- Return or destruction of ePHI at contract termination
- Security controls the BA will maintain
If your telehealth vendor's BAA lacks any of these, renegotiate or replace the vendor.
Annual Review Checklist
- Every telehealth platform has a signed BAA on file
- Clinicians are trained on approved platforms and messaging rules
- Home-office providers have confirmed compliance configuration
- Patient identity verification is documented in each encounter
- Recording policy matches state law and retention policy
- Licensing by patient-state is validated at session start
Practical Platform Comparison
Platform selection depends on workflow complexity, integration requirements, and existing vendor relationships. A brief orientation:
- Doxy.me: simple, browser-based, low-cost, signed BAA available. Good for small practices without other platform needs.
- Zoom for Healthcare: mature, familiar to most providers, robust features, signed BAA available. Watch the license tier — only the Healthcare tier includes BAA.
- Microsoft Teams (Healthcare): strong if already in Microsoft 365 ecosystem. Requires Business / Enterprise license plus signed BAA. Good messaging integration.
- Google Meet (Workspace Enterprise): strong for Workspace shops. BAA required.
- EHR-integrated telehealth: Epic, athenahealth, eClinicalWorks, and others offer integrated telehealth. Reduces workflow steps and keeps PHI in one compliance envelope. Often the preferred path for larger practices.
- Specialty-specific platforms: SimplePractice, TherapyNotes, Updox, Doximity Video. Purpose-built for specific clinical contexts.
No single platform is universally correct. Match the platform to the workflow, not the workflow to a platform someone picked two years ago.
For a telehealth-specific compliance review or to evaluate your current video and messaging stack, see our healthcare services or schedule a consultation.
About the Author
Techvera Team
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
