Telehealth Security for Small Clinics: HIPAA-Compliant Setup

HIPAA-compliant telehealth security for small clinics. Platform selection, BAAs, encryption, access controls, and endpoint protection.

Telehealth has evolved from a pandemic-era necessity into a permanent fixture of modern healthcare delivery. As of 2025, more than 80 percent of healthcare organizations offer some form of virtual care, and over 60 percent of patients now expect telehealth options from their providers. But telehealth introduces unique security challenges that traditional in-office visits do not. Patient data traverses public networks, providers may use personal devices, and patients connect from home environments with varying levels of security. Securing telehealth is not just a compliance exercise; it is essential to maintaining patient trust and the integrity of the care relationship.

The end of the COVID-19 Public Health Emergency (PHE) in May 2023 marked a critical shift in HIPAA compliance requirements for telehealth. The enforcement discretion period that allowed providers to use non-compliant consumer-grade platforms like FaceTime, Zoom (without BAA), and Skype has expired. The Office for Civil Rights (OCR) has resumed full enforcement of the HIPAA Security Rule for all virtual care activities. Small clinics that continued using non-compliant platforms beyond the PHE termination are now operating in violation of federal law and face potential penalties ranging from $100 to $50,000 per violation.

For small clinics with limited IT resources, establishing a secure telehealth program can seem daunting. But the core requirements are achievable: select a HIPAA-compliant platform with a signed Business Associate Agreement (BAA), implement technical safeguards for both provider and patient endpoints, establish secure workflows for virtual visits, and train staff on telehealth-specific security protocols. This guide provides small clinics with the specific technical controls, platform selection criteria, and operational procedures needed to deliver virtual care that meets HIPAA Security Rule requirements under 45 CFR §164.308, §164.310, and §164.312.

Telehealth Security By The Numbers

  • 80% of healthcare organizations offer telehealth (AMA 2025 Telehealth Survey)
  • 1,800+ healthcare breaches of 500+ records each since 2009 (HHS Breach Portal)
  • $10.93M average cost of a healthcare data breach (IBM Cost of a Data Breach Report 2025)
  • 60% of patients expect virtual care (J.D. Power 2025 Telehealth Satisfaction Study)

Critical HIPAA Compliance Update

The COVID-19 Public Health Emergency ended on May 11, 2023. OCR's enforcement discretion for telehealth platforms has expired. All telehealth activities must now fully comply with HIPAA Privacy, Security, and Breach Notification Rules. Providers using consumer platforms without signed Business Associate Agreements (Zoom personal accounts, FaceTime, Google Meet, Skype) are in violation of 45 CFR §164.502(e) and face penalties up to $50,000 per violation plus potential criminal liability under 42 U.S.C. §1320d-6.

Telehealth Security Risks That Threaten Patient Privacy

Telehealth has become essential for small clinics, but each virtual visit creates security risks that do not exist in person. Video sessions can be intercepted if the connection is not encrypted end-to-end. Screen recordings — either intentional or from malware — can capture sensitive patient information displayed during the visit. Unauthorized individuals in the patient's or provider's environment may overhear protected health information (PHI). Many providers use personal devices and home networks for telehealth visits, creating additional vulnerabilities.

Home WiFi networks are often unsecured or shared with family members and IoT devices like smart speakers, security cameras, and home assistants. Personal laptops may lack the encryption, access controls, and endpoint security software required for HIPAA compliance. Without proper controls, a telehealth visit can expose patient data at multiple points: during transmission over the network, on the provider's device, on the patient's device, and in temporary files or cache that persist after the session ends.

The integration of telehealth with electronic health record (EHR) systems creates additional data flow risks. Patient information moves between the telehealth platform, the EHR, messaging systems, and potentially cloud storage — each transition is a potential point of exposure. If any link in this chain lacks proper encryption or access controls, PHI can be intercepted or inadvertently disclosed. According to the 2025 Verizon Data Breach Investigations Report, 68 percent of healthcare breaches involve a human element such as credential misuse, and 13 percent specifically involve misconfigured cloud storage or data transfer vulnerabilities.

Unauthorized access during live sessions represents another significant risk. Telehealth sessions using predictable meeting IDs or lacking waiting room controls can be accessed by unauthorized parties through "Zoombombing" attacks. Without proper authentication, an attacker who obtains or guesses a meeting link can join the session and observe the patient encounter. Session recordings, if stored insecurely or retained longer than necessary, create long-term exposure risk. The HIPAA Security Rule at 45 CFR §164.312(a)(2)(iv) requires encryption of ePHI at rest and in transit, and 45 CFR §164.308(a)(3) requires implementation of access controls including unique user identification and automatic logoff.

Small clinics face a disproportionate risk because they often lack dedicated IT security staff and may rely on providers' personal judgment about security measures. A 2024 survey by the American Medical Association found that 42 percent of small practices (fewer than 10 providers) do not have a written telehealth security policy, and 38 percent do not verify that their telehealth platform vendor has signed a Business Associate Agreement. These gaps expose clinics to both security incidents and regulatory enforcement action.

Key Takeaway

Every telehealth session must be treated as a potential HIPAA exposure event. Without end-to-end encryption, signed BAAs, access controls, and secure endpoints, patient data is at risk during transmission, display, and storage. The HIPAA Security Rule does not distinguish between in-person and virtual care — the same administrative, physical, and technical safeguards apply to all ePHI.

Choosing a HIPAA-Compliant Telehealth Platform

The most critical requirement for any telehealth platform is a signed Business Associate Agreement (BAA). Under 45 CFR §164.502(e), covered entities may not disclose PHI to business associates unless a BAA is in place that establishes the associate's permitted uses and disclosures of PHI and requires the associate to implement appropriate safeguards. Without a BAA, using the platform for patient visits violates HIPAA regardless of how secure the technology is. During the COVID-19 enforcement discretion period, HHS temporarily allowed non-compliant platforms — that period has ended, and OCR enforcement is now active.

Beyond the BAA, evaluate platforms for end-to-end encryption, meaning the video and audio streams are encrypted from the provider's device to the patient's device and cannot be accessed by the platform provider or intermediaries. Look for platforms that use Advanced Encryption Standard (AES) 256-bit encryption for data at rest and Transport Layer Security (TLS) 1.2 or higher for data in transit, consistent with NIST SP 800-52 Rev. 2 guidance. The platform should generate unique meeting links for each session rather than using static room IDs that can be reused or shared. Waiting room functionality is essential to prevent unauthorized access — patients should not be able to enter the session until the provider explicitly admits them.

Session locking capability allows the provider to lock the session once all expected participants have joined, preventing additional parties from entering. Audit logging is required by 45 CFR §164.312(b) and should record session start and end times, participant identities, IP addresses, authentication events, and any access to recorded sessions. These logs must be retained for at least six years per 45 CFR §164.316(b)(2)(i) and reviewed regularly for unauthorized access attempts.

Integration with your EHR system reduces the risk of data exposure by eliminating manual data transfer between systems. Evaluate whether the platform supports single sign-on (SSO) with your existing credentials, reducing password fatigue and credential reuse. Role-based access controls (RBAC) allow you to limit which staff members can schedule, conduct, or access recordings of telehealth sessions. If your practice records visits for documentation purposes, verify that the platform stores recordings in encrypted, access-controlled storage covered by your BAA and supports compliant retention and destruction policies.

Platform vendors commonly offering signed BAAs and HIPAA-compliant configurations include Doxy.me, Zoom for Healthcare, Microsoft Teams for Healthcare, Cisco Webex Health, VSee, and SimplePractice Telehealth. Consumer versions of these platforms (Zoom personal accounts, Microsoft Teams personal, etc.) do not include BAAs and are not HIPAA-compliant. Verify your specific subscription tier and configuration with the vendor and obtain a signed BAA before conducting any patient visits. According to OCR's 2025 guidance, verbal assurances or website claims of HIPAA compliance are insufficient — you must have a signed, written BAA on file.

Telehealth Platform Evaluation Criteria

Feature | Minimum Requirement | Recommended | Best Practice | Red Flag
Business Associate Agreement | | | |
Encryption | | | |
Access Controls | | | |
Audit Logging | | | |
Data Residency | | | |

Securing the Provider Environment

The security of the provider's environment during telehealth sessions is critical. Whether providers are conducting virtual visits from a clinic or from home, specific security measures must be in place to protect patient data and maintain compliance with the HIPAA Security Rule's physical safeguard requirements at 45 CFR §164.310.

Providers should conduct telehealth visits from private, enclosed spaces — not open offices, shared workspaces, or public locations like coffee shops. The room should have a door that can be closed and locked during sessions to prevent unauthorized individuals from viewing the screen or overhearing conversations. Position the computer screen so it is not visible through windows or open doorways. Use privacy screens on monitors if the space is shared or visible to others outside of session times.

Use a wired internet connection when possible, as it is more stable and harder to intercept than WiFi. If WiFi is necessary, use a VPN to encrypt all traffic between the device and the clinic's network. Ensure the network is WPA3 encrypted with a strong, unique password not shared with non-practice devices. Separate the WiFi network used for telehealth from guest networks or IoT devices. Disable automatic file sharing and screen mirroring features on the device and network. For detailed VPN implementation guidance, see our VPN security guide.

Use dedicated devices for telehealth whenever possible rather than personal devices also used for family activities, shopping, or social media. If personal devices must be used, implement mobile device management (MDM) software that enforces encryption, screen locks, remote wipe capability, and application whitelisting. Install antivirus and endpoint detection and response (EDR) software on all devices used for telehealth. For more on endpoint protection requirements, see our guide to EDR versus MDR solutions.

Apply operating system and application updates promptly to address known vulnerabilities. According to the 2025 Verizon DBIR, 15 percent of healthcare breaches involved exploitation of known vulnerabilities for which patches were available but not applied. Configure devices to lock automatically after five minutes of inactivity per 45 CFR §164.312(a)(2)(iii). Disable screen recording and screenshot functionality during sessions, or at minimum notify patients if the session is being recorded and obtain documented consent.

Implementing Secure Telehealth: Step-by-Step

1. Conduct a Risk Assessment

Per 45 CFR §164.308(a)(1)(ii)(A), perform a risk analysis identifying threats to ePHI in your telehealth workflow. Document risks related to platform security, network security, endpoint security, and physical security. This assessment must be documented and updated annually or when your telehealth program changes.

2. Select a HIPAA-Compliant Platform and Execute BAA

Evaluate platforms against security requirements, verify HIPAA compliance tier, and obtain a signed Business Associate Agreement before any patient use. Retain the signed BAA for at least six years per 45 CFR §164.316(b)(2)(i).

3. Configure Platform Security Settings

Enable end-to-end encryption, require waiting rooms, disable recording unless clinically necessary, enable audit logging, configure session timeouts, and restrict file sharing. Create unique meeting links for each appointment rather than reusable room IDs.

4. Secure Provider Devices and Networks

Install EDR software, enable full-disk encryption, configure automatic screen locks, apply security updates, enable VPN for remote access, segment networks, and implement multi-factor authentication on all accounts accessing ePHI.

5. Develop Telehealth Security Policies

Document procedures for patient identity verification, acceptable use of personal devices, secure session conduct, session recording and retention, incident response for telehealth-specific events (uninvited participants, recording breaches), and patient security guidance. Train all staff annually.

6. Train Providers and Staff

Conduct initial and annual HIPAA security training per 45 CFR §164.308(a)(5) that includes telehealth-specific scenarios. Document training completion for each workforce member. Cover platform operation, security features, patient identity verification, environmental security, and incident reporting.

7. Establish Patient Security Guidance

Provide patients with written instructions for joining sessions securely: use private locations, avoid public WiFi, verify provider identity, do not share meeting links, close the session when complete. Offer technical support for patients with limited digital literacy.

8. Monitor, Audit, and Update

Review audit logs monthly for unauthorized access attempts. Monitor for security alerts from your platform vendor. Review and update your telehealth security program annually or when new risks emerge. Document all reviews per 45 CFR §164.316(b)(2)(iii).
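The monthly audit-log review in step 8, applied to the fields the platform-selection section says a compliant platform must log (session start and end, participant identities, IP addresses, authentication events, recording access), as an added example that is not code from this article or from any telehealth vendor. The export format, event names and field names are assumptions; the sample log, schedule and role table are constructed.

```python
"""Monthly review of a telehealth platform's audit log export (added example)."""
import json
from collections import Counter

# Constructed sample export, one JSON object per line (hypothetical format).
# S-1 is clean. S-2 gets an uninvited joiner and is never locked. A front-desk
# account opens S-1's recording. dr.lee's account sees five failed logins from
# one unfamiliar address overnight, plus one ordinary typo from the clinic IP.
SAMPLE_EXPORT = """\
{"ts":"2025-03-03T09:00:02Z","event":"session.start","session":"S-1","actor":"dr.lee","ip":"203.0.113.10"}
{"ts":"2025-03-03T09:00:40Z","event":"participant.join","session":"S-1","actor":"patient:MRN-1001","ip":"198.51.100.7"}
{"ts":"2025-03-03T09:01:00Z","event":"session.lock","session":"S-1","actor":"dr.lee","ip":"203.0.113.10"}
{"ts":"2025-03-03T09:28:00Z","event":"session.end","session":"S-1","actor":"dr.lee","ip":"203.0.113.10"}
{"ts":"2025-03-03T10:00:01Z","event":"session.start","session":"S-2","actor":"dr.lee","ip":"203.0.113.10"}
{"ts":"2025-03-03T10:00:30Z","event":"participant.join","session":"S-2","actor":"patient:MRN-1002","ip":"198.51.100.9"}
{"ts":"2025-03-03T10:04:12Z","event":"participant.join","session":"S-2","actor":"guest:anon-77","ip":"192.0.2.55"}
{"ts":"2025-03-03T10:30:00Z","event":"session.end","session":"S-2","actor":"dr.lee","ip":"203.0.113.10"}
{"ts":"2025-03-04T08:15:00Z","event":"recording.access","session":"S-1","actor":"frontdesk.kim","ip":"203.0.113.12"}
{"ts":"2025-03-04T08:20:00Z","event":"auth.failure","actor":"dr.lee","ip":"203.0.113.10"}
{"ts":"2025-03-05T02:11:00Z","event":"auth.failure","actor":"dr.lee","ip":"192.0.2.200"}
{"ts":"2025-03-05T02:11:20Z","event":"auth.failure","actor":"dr.lee","ip":"192.0.2.200"}
{"ts":"2025-03-05T02:11:41Z","event":"auth.failure","actor":"dr.lee","ip":"192.0.2.200"}
{"ts":"2025-03-05T02:12:03Z","event":"auth.failure","actor":"dr.lee","ip":"192.0.2.200"}
{"ts":"2025-03-05T02:12:25Z","event":"auth.failure","actor":"dr.lee","ip":"192.0.2.200"}
"""

# Who the practice management system expected in each session, and which
# roles may open recordings (both constructed for the sample).
SCHEDULE = {"S-1": {"dr.lee", "patient:MRN-1001"},
            "S-2": {"dr.lee", "patient:MRN-1002"}}
ROLES = {"dr.lee": "provider", "frontdesk.kim": "scheduler"}
RECORDING_ROLES = {"provider", "privacy_officer"}


def parse_export(text):
    """Newline-delimited JSON to a list of event dicts; blank lines skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_audit_log(events, schedule, roles, recording_roles, failure_threshold=5):
    """Return one finding dict per anomaly that deserves a human look."""
    findings = []
    started, locked = set(), set()
    failures = Counter()
    for e in events:
        kind, sid, actor, ip = e["event"], e.get("session"), e["actor"], e["ip"]
        if kind == "session.start":
            started.add(sid)
        elif kind == "session.lock":
            locked.add(sid)
        elif kind == "participant.join" and actor not in schedule.get(sid, set()):
            # Someone joined who was not on the appointment: the uninvited
            # participant case the incident procedure in the FAQ covers.
            findings.append({"finding": "UNEXPECTED_PARTICIPANT", "session": sid,
                             "actor": actor, "ip": ip, "detail": e["ts"]})
        elif kind == "recording.access" and roles.get(actor) not in recording_roles:
            findings.append({"finding": "UNAUTHORIZED_RECORDING_ACCESS", "session": sid,
                             "actor": actor, "ip": ip, "detail": e["ts"]})
        elif kind == "auth.failure":
            failures[(actor, ip)] += 1
    for sid in sorted(started - locked):
        # The session ran without ever being locked: a configuration or habit gap.
        findings.append({"finding": "SESSION_NEVER_LOCKED", "session": sid,
                         "actor": None, "ip": None, "detail": None})
    for (actor, ip), n in sorted(failures.items()):
        if n >= failure_threshold:  # repeated failures from one source, one account
            findings.append({"finding": "AUTH_FAILURE_BURST", "session": None,
                             "actor": actor, "ip": ip, "detail": n})
    return findings


def review_sample():
    """Run the review over the constructed export."""
    return review_audit_log(parse_export(SAMPLE_EXPORT), SCHEDULE, ROLES, RECORDING_ROLES)


if __name__ == "__main__":
    for finding in review_sample():
        print(finding)
```

Each finding maps to a documented follow-up: an unexpected participant or recording access goes to the Privacy Officer for breach analysis, a never-locked session is a training point, and a failure burst is a credential-guessing indicator to check against the provider's known locations.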

Patient-Side Security Requirements

While you cannot control the patient's environment entirely, you can establish minimum security requirements and provide clear guidance to reduce risk. Patients should be instructed to join telehealth visits from private locations where they will not be overheard. They should avoid public WiFi networks in coffee shops, libraries, or airports, which are frequently unencrypted and subject to eavesdropping attacks. If a patient must use public WiFi, recommend they use a personal VPN or mobile hotspot from their phone instead.

Provide patients with written instructions before their first telehealth visit. These instructions should include how to verify they are connecting to the correct provider (not a phishing site), how to test their audio and video before the session, what to do if they experience technical difficulties, and how to securely end the session. Include guidance on not sharing the meeting link with others and ensuring no one else is present in the room unless explicitly authorized by the patient for the encounter.

Verify patient identity at the start of each session using at least two identifiers — typically name and date of birth. This satisfies the authentication requirement at 45 CFR §164.312(d) and helps prevent unauthorized individuals from impersonating patients to obtain medical information. Visual confirmation via video can serve as an additional biometric authentication factor, though it should not be the sole verification method.

Recognize that some patients may have limited technology resources or digital literacy. Provide technical support via phone to help patients download the platform application, test their connection, and troubleshoot issues. Offer alternative appointment formats (phone-only, in-person) for patients who cannot meet minimum security requirements or who are uncomfortable with video visits. Document the patient's consent to telehealth visits and their acknowledgment of security risks in the medical record per state telehealth consent requirements.

Securing Your Telehealth Workflow End to End

Operational security for telehealth extends beyond platform selection and device security. Establish standardized workflows that build security into every step of the patient encounter. Schedule telehealth appointments through your practice management system rather than email or text to avoid inadvertent disclosure of appointment details. Send appointment reminders that do not include the meeting link until shortly before the appointment (15-30 minutes) to reduce the window for link interception or misuse.

Enable the virtual waiting room feature so patients do not enter the session until you admit them. When you admit the patient, visually confirm their identity before discussing any PHI. Ask the patient to confirm they are in a private location and that no one else is present unless they have explicitly consented to another person's participation. Lock the session once all expected participants have joined to prevent additional parties from entering.
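The join workflow above (a unique link per appointment released only shortly before the visit, a waiting room, two-identifier verification before admission, and a lock once everyone expected is present) as an added example of a session join gate, not code from this article or from any telehealth vendor. The class, the join URL and all names are hypothetical; the walk-through uses constructed values.

```python
"""Join gate for one telehealth appointment (added example)."""
import secrets
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


class SessionGate:
    """State for one appointment: link token, validity window, waiting room, lock."""

    def __init__(self, session_id, provider, expected_patient, start_at,
                 release_before=timedelta(minutes=30), open_after=timedelta(minutes=60)):
        self.session_id = session_id
        self.provider = provider
        self.expected = {expected_patient}
        self.valid_from = start_at - release_before   # reminder with the link goes out here
        self.valid_until = start_at + open_after       # link stops working after the visit window
        self.token = secrets.token_urlsafe(32)         # 256-bit random, one per appointment
        self.waiting = []
        self.admitted = set()
        self.locked = False

    def join_link(self, now):
        """Hand out the link only inside the release window (None otherwise)."""
        if self.valid_from <= now <= self.valid_until:
            return f"https://telehealth.example/join/{self.session_id}#{self.token}"
        return None

    def request_join(self, presented_token, identity, now):
        """Patient-side join: every check must pass before the waiting room."""
        if not secrets.compare_digest(presented_token, self.token):
            return "rejected: unknown link"          # guessed or stale token
        if not (self.valid_from <= now <= self.valid_until):
            return "rejected: link expired"          # reused the day after
        if self.locked:
            return "rejected: session locked"        # everyone expected is already in
        self.waiting.append(identity)
        return "waiting room"

    def admit(self, identity, name_ok, dob_ok):
        """Provider admits from the waiting room after verifying two identifiers."""
        if identity not in self.waiting:
            return "not waiting"
        if not (name_ok and dob_ok):
            return "identity not verified"
        self.waiting.remove(identity)
        self.admitted.add(identity)
        if self.expected <= self.admitted:
            self.locked = True                       # all expected participants present
        return "admitted"


def walk_through():
    """Constructed scenario covering the cases the workflow is meant to stop."""
    start = datetime(2025, 3, 3, 10, 0, tzinfo=UTC)
    gate = SessionGate("S-2", "dr.lee", "patient:MRN-1002", start)
    r = {}
    r["link_day_before"] = gate.join_link(start - timedelta(days=1))
    r["link_at_reminder"] = gate.join_link(start - timedelta(minutes=15)) is not None
    r["guessed"] = gate.request_join(secrets.token_urlsafe(32), "guest:anon-77", start)
    r["patient"] = gate.request_join(gate.token, "patient:MRN-1002", start)
    r["admit_unverified"] = gate.admit("patient:MRN-1002", True, False)
    r["admit"] = gate.admit("patient:MRN-1002", True, True)
    r["late_join_real_link"] = gate.request_join(gate.token, "guest:anon-77",
                                                 start + timedelta(minutes=5))
    r["reuse_next_day"] = gate.request_join(gate.token, "patient:MRN-1002",
                                            start + timedelta(days=1))
    return r


if __name__ == "__main__":
    for case, outcome in walk_through().items():
        print(f"{case}: {outcome}")
```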

Share your screen only when necessary for patient education or reviewing test results, and close all other applications and browser tabs before sharing to prevent accidental display of other patients' information. Use the platform's annotation or pointer tools rather than opening other files that might contain PHI. End screen sharing immediately when the clinical discussion resumes.

After each session, ensure no PHI remains in temporary files, downloads, clipboard memory, or screen captures. If sessions are recorded for documentation purposes, store recordings in encrypted, access-controlled storage covered by your BAA. Establish a retention and destruction policy for telehealth session data consistent with your state's medical records retention requirements — typically six to ten years for adult patients. For detailed guidance on secure data retention and destruction, see our secure backup guide.

Document the telehealth encounter in the patient's EHR, including the date, time, patient location (city and state), technology platform used, participants present, any technical difficulties encountered, and clinical content of the visit. Many states require specific documentation elements for telehealth visits, including patient consent, provider location, and technology used. Review your state medical board's telehealth regulations for specific documentation requirements.

Small Clinic Telehealth Security Checklist

  • Obtain and file signed Business Associate Agreement from telehealth platform vendor before first patient use
  • Enable end-to-end encryption, waiting rooms, unique session links, and audit logging on platform
  • Conduct telehealth visits from private, enclosed spaces with locked doors and screened monitors
  • Use wired internet or VPN-protected WiFi with WPA3 encryption and strong passwords
  • Install EDR software and enable full-disk encryption on all devices used for telehealth
  • Configure automatic screen lock after 5 minutes of inactivity per HIPAA Security Rule
  • Implement multi-factor authentication on telehealth platform and EHR access
  • Provide patients with written telehealth security guidelines before first visit
  • Verify patient identity with two identifiers at the start of each session
  • Close all other applications and tabs before screen sharing to prevent PHI disclosure
  • Lock session once all expected participants have joined to prevent uninvited access
  • Store session recordings (if used) in encrypted, access-controlled, BAA-covered storage
  • Establish and document retention and destruction policy for telehealth session data
  • Review platform audit logs monthly for unauthorized access attempts or anomalies
  • Conduct annual HIPAA security training for all staff covering telehealth-specific risks
  • Update telehealth risk assessment annually or when program changes occur

Building a Secure Telehealth Program for the Long Term

Telehealth security is not a one-time implementation but an ongoing program that must adapt to emerging threats, regulatory changes, and technology updates. Establish a schedule for regular review and updates of your telehealth security program. At minimum, conduct an annual review of your platform contract and BAA, security configurations, audit logs, incident reports, and staff training completion. Update your telehealth risk assessment whenever you change platforms, add new clinical workflows, or experience a security incident.

Monitor OCR guidance and enforcement actions related to telehealth. OCR publishes case resolutions on its website at HHS.gov HIPAA enforcement, many of which involve telehealth-related violations such as lack of BAAs, insufficient access controls, or inadequate risk assessments. These case studies provide insight into OCR's enforcement priorities and expectations.

Stay informed about emerging telehealth security threats. The Cybersecurity and Infrastructure Security Agency (CISA) and the HHS Health Sector Cybersecurity Coordination Center (HC3) publish threat briefings and security alerts relevant to healthcare. Subscribe to these alert services to receive timely notifications about vulnerabilities affecting telehealth platforms, exploitation campaigns targeting healthcare, and recommended mitigation measures.

Consider engaging a third-party cybersecurity firm to conduct periodic security assessments of your telehealth program. These assessments can identify configuration weaknesses, policy gaps, and compliance deficiencies before they result in a breach or OCR investigation. Penetration testing of your telehealth platform and network can reveal vulnerabilities that attackers could exploit to intercept sessions or access patient data. For more on security assessment methodologies, see our guide to penetration testing for healthcare organizations.

Document all aspects of your telehealth security program: policies and procedures, risk assessments, BAAs, training records, audit log reviews, incident reports, and security assessments. The HIPAA Security Rule at 45 CFR §164.316(b)(1) requires that you maintain written documentation of your security program and make it available to OCR upon request during an investigation. Failure to produce required documentation can result in penalties even if your technical security measures are adequate. Retain all documentation for at least six years from the date of creation or the date it was last in effect, whichever is later.

Need Help Building Your Telehealth Security Program?

Our cybersecurity team helps healthcare organizations implement HIPAA-compliant telehealth programs from platform selection through ongoing monitoring and compliance documentation.

Secure Your Telehealth Practice with Expert Guidance

Bellator Cyber Guard helps small clinics build secure, compliant telehealth programs from the ground up. We evaluate platforms, configure security controls, develop telehealth policies, train your clinical staff, and provide ongoing monitoring for emerging threats. Don't risk HIPAA violations or patient data exposure — let our healthcare cybersecurity experts protect your virtual care program.

Frequently Asked Questions About Telehealth Security

Zoom for Healthcare is HIPAA-compliant when properly configured and covered by a signed Business Associate Agreement. However, Zoom's free and standard consumer accounts are not HIPAA-compliant and should never be used for patient visits. To use Zoom for telehealth, you must subscribe to Zoom for Healthcare or a Zoom business tier that includes healthcare compliance features, sign a BAA with Zoom, and enable specific security settings including end-to-end encryption, waiting rooms, and unique meeting IDs per session. Verify your subscription tier and obtain a signed BAA before conducting any patient visits.

No. Apple FaceTime and Google Meet (consumer version) do not offer Business Associate Agreements and are not HIPAA-compliant platforms. During the COVID-19 Public Health Emergency, OCR exercised enforcement discretion allowing the use of these platforms, but that discretion expired on May 11, 2023. Using FaceTime or Google Meet for patient visits now constitutes a HIPAA violation under 45 CFR §164.502(e) because no BAA can be established. Google Workspace for Healthcare offers a HIPAA-compliant version of Google Meet with a BAA, but the standard consumer version is not compliant.

A VPN is strongly recommended, especially when providers are conducting visits from home or other locations outside the clinic network. A VPN encrypts all traffic between the provider's device and the clinic network, protecting against interception on unsecured WiFi networks. While the telehealth platform itself should use end-to-end encryption, a VPN provides an additional layer of security for other data transmissions such as EHR access, email, and file transfers that occur before, during, or after the visit. The HIPAA Security Rule at 45 CFR §164.312(e)(1) requires transmission security, and NIST SP 800-52 Rev. 2 recommends VPN use for remote access to systems containing ePHI.

If a patient refuses to use your HIPAA-compliant telehealth platform and insists on using a non-compliant consumer platform like FaceTime, you cannot conduct the visit via that platform without violating HIPAA. Your obligation to protect PHI under the Security Rule does not change based on patient preference. Explain to the patient that HIPAA requires you to use secure platforms to protect their health information. Offer alternative options: use of your compliant platform with technical support to help them get connected, a telephone-only visit (which has lower security requirements), or an in-person visit. Document the patient's refusal and the alternatives offered in the medical record.

Yes, telephone-only patient encounters are considered telehealth and are covered by HIPAA, but they have different security requirements than video visits. The HIPAA Security Rule's encryption requirements at 45 CFR §164.312(e)(1) are addressable, not required, for telephone calls because encryption is not generally feasible for standard phone calls. However, you must still implement other safeguards such as verifying patient identity, using private locations for calls, and avoiding speakerphone in areas where others might overhear. If you use a Voice over IP (VoIP) system or app-based calling, encryption may be feasible and should be implemented. Document telephone encounters in the patient record with the same detail as video visits.

Telehealth session recordings that are part of the patient's medical record must be retained according to your state's medical records retention requirements, typically six to ten years for adult patients. The HIPAA Security Rule at 45 CFR §164.316(b)(2)(i) requires retention of documentation including policies, risk assessments, and BAAs for at least six years, but clinical records are governed by state law. Many states have specific retention requirements for video or audio recordings that are part of the medical record. Consult your state medical board or health department for specific requirements. Recordings should be stored in encrypted, access-controlled storage covered by your BAA and destroyed securely per NIST SP 800-88 guidelines when the retention period expires.

If an unauthorized individual joins a telehealth session, immediately end screen sharing if active, stop discussing PHI, use the platform's remove participant or lock session feature to exclude the intruder, and verify the identity of all remaining participants before continuing. If you are unable to secure the session, end it entirely and contact the patient through a verified phone number to reschedule. Document the incident including date, time, platform used, description of the unauthorized access, what PHI may have been disclosed, and actions taken. This constitutes a potential HIPAA breach that must be reported to your Privacy Officer for breach analysis per 45 CFR §164.404. You may be required to report the incident to OCR and notify the affected patient within 60 days if the breach analysis determines it meets the reporting threshold.

While HIPAA itself does not require separate patient consent for telehealth (treatment is a permitted use under the Privacy Rule), many states have specific informed consent requirements for telehealth services. These state laws may require you to obtain documented patient consent that includes disclosure of the technology platform being used, the risks of technology failure or security breach, the patient's right to refuse telehealth and receive in-person care, and how the visit will be documented and billed. Review your state medical board's telehealth regulations for specific consent requirements. Best practice is to obtain written or electronically documented consent before the first telehealth visit and to retain the consent in the patient's medical record.

Using personal devices for telehealth (Bring Your Own Device or BYOD) is permissible under HIPAA if you implement appropriate safeguards per 45 CFR §164.310(b). A separate work profile or containerization can help isolate work data from personal data, but it is not sufficient on its own. You must also implement full-disk encryption, remote wipe capability, mobile device management (MDM) software, strong authentication (biometric or complex passcode), automatic screen lock, antivirus/EDR protection, and restrictions on installation of non-approved applications. The HIPAA Security Rule does not prohibit BYOD, but it requires that the same security controls apply regardless of device ownership. Many small practices find it simpler and more secure to provide dedicated clinic-owned devices for telehealth rather than managing the security complexities of BYOD.
