Telehealth Privacy Compliance
Overview
Telehealth (also termed telemedicine, virtual care, or remote patient monitoring) involves the delivery of healthcare services through electronic communications technologies when the patient and provider are in different locations. The rapid expansion of telehealth — accelerated during the COVID-19 public health emergency — created a complex regulatory environment where HIPAA, state privacy laws, telecommunications regulations, and professional licensing requirements converge. Privacy compliance for telehealth requires addressing the security of the communication platform, the privacy of the encounter, state-specific consent and recording requirements, cross-state practice considerations, and the obligations of technology vendors as business associates.
HIPAA Compliance for Telehealth
Core HIPAA Requirements
Telehealth encounters involve the creation, transmission, and storage of ePHI and are fully subject to HIPAA:
| HIPAA Requirement | Telehealth Application |
|---|---|
| Privacy Rule (§164.500-534) | Telehealth encounters create PHI (notes, prescriptions, diagnoses); all Privacy Rule provisions apply including individual rights, minimum necessary, and authorization requirements |
| Security Rule (§164.312) | The telehealth platform must implement the technical safeguards: access controls, audit logs, encryption in transit and at rest, and integrity controls |
| Breach Notification Rule (§164.400-414) | Unauthorized access to telehealth session data (recording, transcript, chat) triggers breach notification analysis |
| BAA Requirement (§164.502(e)) | A telehealth technology vendor that creates, receives, maintains, or transmits ePHI on behalf of the covered entity must have a BAA in place with that covered entity |