
Telehealth has evolved from a pandemic-era necessity into a permanent fixture of modern healthcare delivery. As of 2025, more than 80 percent of healthcare organizations offer some form of virtual care. But telehealth introduces unique security challenges that traditional in-office visits do not. Patient data traverses public networks, providers may use personal devices, and patients connect from home environments with varying levels of security.
Securing telehealth is not just a compliance exercise; it is essential to maintaining patient trust and the integrity of the care relationship.
Key Takeaway
Secure your telehealth platform for HIPAA compliance: video call encryption, patient authentication, and platform choices for small clinics.
Telehealth Adoption By The Numbers
[Stat cards: share of healthcare organizations that offer virtual care services in 2025; a requirement that applies to all telehealth activities. Figures not recoverable from the page text.]
HIPAA Compliance for Virtual Visits
The HIPAA enforcement flexibilities that were introduced during the COVID-19 public health emergency have expired. Healthcare providers must now ensure that all telehealth activities fully comply with HIPAA Privacy, Security, and Breach Notification Rules.
Critical Compliance Update
COVID-19 HIPAA flexibilities have expired. All telehealth activities must now fully comply with standard HIPAA requirements.
Securing the Provider Environment
The security of the provider's environment during telehealth sessions is critical. Whether providers are conducting virtual visits from a clinic or from home, specific security measures must be in place to protect patient data and maintain compliance.
Patient-Side Security Requirements
- Private space: use a private area where conversations cannot be overheard.
- Secure network: connect via password-protected Wi-Fi, not public networks.
- Updated software: use the latest telehealth app version or a supported browser.
- Access control: never share session links or access codes with others.
- Proper logout: always log out of the platform after each visit.
- Support available: technical assistance for patients with limited digital literacy.
Recognize that some patients may have limited technology resources or digital literacy. Provide clear, simple instructions and offer technical support to help patients connect securely.
Platform Selection Criteria
Choosing a telehealth platform is a security decision as much as a clinical one. The platform you select will handle sensitive patient data and must meet stringent security and compliance requirements.
Building a Secure Telehealth Program
- Integrate with security programs: embed telehealth security into broader organizational security and compliance programs.
- Develop specific policies: create telehealth-specific policies and procedures for secure virtual care.
- Conduct risk assessments: include telehealth scenarios in your comprehensive risk assessments.
- Train clinical staff: educate providers on secure virtual care practices and protocols.
- Monitor and audit: audit telehealth activities with the same rigor as in-person operations.
Telehealth Security Risks That Threaten Patient Privacy
Telehealth has become essential for small clinics, but each virtual visit creates security risks that do not exist in person. Video sessions can be intercepted if the connection is not encrypted end-to-end. Screen recordings — either intentional or from malware — can capture sensitive patient information displayed during the visit. Unauthorized individuals in the patient's or provider's environment may overhear protected health information.
Many providers use personal devices and home networks for telehealth visits, creating additional vulnerabilities. Home WiFi networks are often unsecured or shared with family members and IoT devices. Personal laptops may lack the encryption, access controls, and security software required for HIPAA compliance. Without proper controls, a telehealth visit can expose patient data at multiple points.
The integration of telehealth with EHR systems creates data flow risks. Patient information moves between the telehealth platform, the EHR, messaging systems, and potentially cloud storage — each transition is a potential point of exposure. If any link in this chain lacks proper encryption or access controls, PHI can be intercepted or inadvertently disclosed.
Choosing a HIPAA-Compliant Telehealth Platform
The most critical requirement for any telehealth platform is a signed Business Associate Agreement (BAA). Without a BAA, using the platform for patient visits violates HIPAA regardless of how secure the technology is. During the COVID-19 enforcement discretion period, HHS temporarily allowed non-compliant platforms — that period has ended, and enforcement is now active.
Beyond the BAA, evaluate platforms for end-to-end encryption, meaning the video and audio streams are encrypted from the provider's device to the patient's device and cannot be accessed by the platform provider. Look for unique meeting links (not static room IDs), waiting room functionality, the ability to lock sessions once started, and audit logging that records session times, participants, and access events.
Integration with your EHR system reduces the risk of data exposure by eliminating manual data transfer between systems. Evaluate whether the platform supports single sign-on with your existing credentials, role-based access controls, and compliant session recording and storage if your practice records visits for documentation purposes.
Securing Your Telehealth Workflow End to End
Providers should conduct telehealth visits from private, enclosed spaces — not open offices, shared workspaces, or coffee shops. Use a wired internet connection when possible, as it is more stable and harder to intercept than WiFi. If WiFi is necessary, use a VPN and ensure the network is WPA3 encrypted with a strong password not shared with non-practice devices.
Verify patient identity at the start of each session using at least two identifiers (name plus date of birth, for example). Enable the virtual waiting room feature so patients do not enter the session until you admit them. Share your screen only when necessary, and close all other applications and browser tabs to prevent accidental display of other patients' information.
After each session, ensure no PHI remains on temporary files, downloads, or clipboard memory. If sessions are recorded for documentation, store recordings on encrypted, access-controlled storage covered by your BAA. Establish a retention and destruction policy for telehealth session data consistent with your state's medical records retention requirements.
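To make the platform features from the selection section (unique per-visit links rather than static room IDs, a waiting room, locking a session once started, audit logging) and the workflow step of verifying identity with two identifiers concrete, here is a small Python model of those controls. It is an added example written for this page, not the article's code and not any telehealth vendor's implementation; the session manager, its method names, the 24-hour link validity window and the sample chart record are all assumptions.

```python
"""Telehealth session controls: unique per-visit links, waiting room,
two-identifier patient verification, session locking and an audit log.
Added example; not the article's code or any vendor's product."""
import hmac
import secrets
import unicodedata
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

LINK_TTL = timedelta(hours=24)  # assumed validity window for a visit link

# Constructed sample chart record (hypothetical patient, not real data)
SAMPLE_EHR = {"p-001": {"name": "José Pérez", "dob": "1984-03-07"}}


def _norm_name(name: str) -> bytes:
    # Fold case, strip accents, collapse whitespace: "José  Pérez" -> b"jose perez"
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.casefold().split()).encode("utf-8")


def _norm_dob(dob: str) -> bytes:
    # Accept a few typed/spoken forms and canonicalise to YYYY-MM-DD
    for fmt in ("%Y-%m-%d", "%m/%d/%Y", "%d %B %Y", "%B %d, %Y"):
        try:
            return datetime.strptime(dob.strip(), fmt).date().isoformat().encode()
        except ValueError:
            continue
    return b""  # unparseable input never matches


@dataclass
class Session:
    patient_id: str
    expires_at: datetime
    waiting: set = field(default_factory=set)
    admitted: set = field(default_factory=set)
    locked: bool = False


class TelehealthSessionManager:
    def __init__(self, ehr_records, now=None):
        self.ehr = ehr_records          # patient_id -> {"name", "dob"}
        self.sessions = {}              # link token -> Session
        self.audit = []                 # (timestamp, event, token, participant)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _log(self, event, token, who):
        self.audit.append((self._now().isoformat(), event, token, who))

    def create_session(self, patient_id: str) -> str:
        # 256-bit random URL-safe token: unique per visit, never a reusable room ID
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(patient_id, self._now() + LINK_TTL)
        self._log("session_created", token, "provider")
        return token

    def join(self, token: str, participant: str) -> str:
        s = self.sessions.get(token)
        if s is None or self._now() >= s.expires_at:
            self._log("join_rejected_invalid_or_expired", token, participant)
            return "rejected"
        if s.locked:
            self._log("join_rejected_locked", token, participant)
            return "rejected"
        s.waiting.add(participant)      # nobody enters until the provider admits them
        self._log("entered_waiting_room", token, participant)
        return "waiting"

    def verify_identity(self, token, participant, name, dob) -> bool:
        # Both identifiers must match the chart; compare in constant time
        rec = self.ehr[self.sessions[token].patient_id]
        ok_name = hmac.compare_digest(_norm_name(name), _norm_name(rec["name"]))
        given_dob = _norm_dob(dob)
        ok_dob = bool(given_dob) and hmac.compare_digest(given_dob, _norm_dob(rec["dob"]))
        ok = ok_name and ok_dob
        self._log("identity_verified" if ok else "identity_mismatch", token, participant)
        return ok

    def admit(self, token: str, participant: str) -> bool:
        s = self.sessions[token]
        if participant not in s.waiting:
            return False
        s.waiting.discard(participant)
        s.admitted.add(participant)
        self._log("admitted", token, participant)
        return True

    def lock(self, token: str) -> None:
        self.sessions[token].locked = True
        self._log("session_locked", token, "provider")


def run_visit_flow() -> list:
    """One visit end to end; returns the sequence of audit events."""
    mgr = TelehealthSessionManager(SAMPLE_EHR)
    token = mgr.create_session("p-001")
    mgr.join(token, "patient")
    if mgr.verify_identity(token, "patient", "jose perez", "03/07/1984"):
        mgr.admit(token, "patient")
    mgr.lock(token)
    mgr.join(token, "late-joiner")   # rejected: session already locked
    return [e[1] for e in mgr.audit]


if __name__ == "__main__":
    print(run_visit_flow())
```

The audit list is what the section calls for the platform to record (session times, participants, access events); in a real deployment it would go to append-only storage rather than a Python list, and the identity check would sit behind the provider's admit action rather than be callable by the patient.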
Frequently Asked Questions
Zoom for Healthcare is HIPAA-compliant and offers a BAA. However, the standard free or pro Zoom plan is NOT HIPAA-compliant. You must use the specifically designated Zoom for Healthcare plan, sign their BAA, and configure the account settings correctly (enable encryption, disable cloud recording without proper controls, etc.).
Apple FaceTime and Google Meet both offer end-to-end encryption, but the compliance picture is more complex. Google offers a BAA for Google Workspace paid plans (which includes Meet). Apple does not currently offer a BAA for FaceTime, making it technically non-compliant for routine clinical use despite its strong encryption.
A VPN is strongly recommended when conducting telehealth visits from any network you do not fully control, including home networks. The VPN encrypts all traffic between your device and your practice network, preventing interception on the local network. For providers who regularly work from home, a dedicated VPN connection should be mandatory.
Document the patient's preference and the risks explained. You may offer alternative secure options (phone consultation, in-person visit). If the patient insists on an insecure platform, document their informed consent in writing. However, best practice is to maintain a firm policy on platform requirements — your compliance obligations do not change based on patient preferences.
Standard phone calls (PSTN landline or cellular) are not subject to the same technical safeguard requirements as electronic transmissions of PHI. However, the Privacy Rule still applies — you must take reasonable precautions to prevent unauthorized disclosure during phone conversations, such as conducting calls in private spaces and verifying patient identity.
Telehealth Security Checklist
- Use only HIPAA-compliant telehealth platforms with signed BAAs
- Conduct visits from private, enclosed spaces
- Enable virtual waiting rooms and unique meeting links per session
- Use VPN when connecting from home or remote networks
- Verify patient identity with two identifiers at session start
- Close all other applications before sharing your screen
- Provide patients with written telehealth security guidelines
- Securely store or destroy session recordings per retention policy
Secure Your Telehealth Practice
Our healthcare security team helps small clinics implement HIPAA-compliant telehealth workflows, select secure platforms, and train providers on best practices.
Bellator Cyber Guard helps healthcare organizations build secure, compliant telehealth programs from the ground up. We evaluate platforms, configure security controls, develop telehealth policies, train your clinical staff, and monitor for emerging threats.
Free Consultation
Worried about HIPAA compliance?
Our healthcare cybersecurity team can assess your risks and build a protection plan.