The COVID-19 public health emergency created a temporary regulatory environment where HHS exercised enforcement discretion for telehealth — allowing practices to use consumer video platforms like FaceTime and Zoom in ways that would not normally be HIPAA-permissible. That enforcement discretion period has ended. The permanent rules are back in full effect.

Many Queens medical practices that adopted telehealth during the pandemic never fully transitioned from the emergency-era tools to properly compliant telehealth infrastructure. If your practice is still conducting telehealth visits over platforms that don't have a BAA with you, you have a compliance gap that needs to be addressed now.

Choosing a HIPAA-Compliant Telehealth Platform

The first requirement for any telehealth platform used to transmit ePHI is a signed Business Associate Agreement. This is non-negotiable. Consumer versions of Zoom, Google Meet, Skype, and FaceTime cannot be used for telehealth — they do not offer BAAs and explicitly exclude healthcare use from their consumer terms of service.

HIPAA-compliant telehealth platforms include Zoom for Healthcare (distinct from consumer Zoom), Doxy.me, Teladoc for providers, Microsoft Teams (with appropriate configuration and a BAA through a Microsoft 365 healthcare plan), and others. The platform itself signing a BAA is necessary but not sufficient — the platform must also provide the technical controls HIPAA requires, including end-to-end encryption, access controls, and audit logging.

💡 Practical note: Simply because a vendor offers a BAA does not mean their platform meets all HIPAA technical safeguard requirements. Review what the BAA actually covers, and ask specifically about encryption standards, access controls, and audit logging capabilities before signing.

Network and Device Security for Telehealth

Telehealth introduces security risks that in-office care does not. When a physician conducts a visit from their home office, or a staff member accesses the telehealth platform from a personal device, the security perimeter that your office network provides is absent. This requires specific controls:

  • VPN requirement for remote access: Any access to practice systems from outside the office network should require a VPN connection. This encrypts the connection and routes traffic through your controlled network environment.
  • Device management (MDM): Devices used for telehealth — including physician laptops and tablets used at home — should be enrolled in a mobile device management solution that enforces encryption, enforces screen locks, and allows remote wipe if a device is lost or stolen.
  • Network separation: Home WiFi networks used for telehealth should be separate from personal and family networks. A dedicated WiFi network for work use, even at home, significantly reduces exposure to threats from other connected household devices.
  • Session recording policies: If your telehealth platform records visits, those recordings contain ePHI and must be stored, protected, and retained according to HIPAA requirements โ€” including your standard medical record retention timelines.

Staff Policies for Telehealth Security

Technology controls only go so far. The human element of telehealth security requires clear written policies and regular reinforcement. Your telehealth security policies should address:

Telehealth Staff Policy Checklist

  • Approved platforms — list the specific approved telehealth tools; prohibit use of unapproved alternatives
  • Location requirements — define what constitutes an acceptable location for conducting telehealth visits (private space, no family members within earshot)
  • Device requirements — specify whether personal devices are permitted and under what conditions
  • Patient identity verification — document how patients are verified at the start of a telehealth encounter
  • Session security — background blur or neutral backgrounds required; no identifiable patient information visible in the session environment
  • Incident reporting — clear procedure for staff to report suspected security incidents related to telehealth

New York-Specific Telehealth Regulations

Beyond federal HIPAA requirements, New York State has its own telehealth regulations under New York Public Health Law §2999-cc. New York requires that telehealth services be provided using platforms that meet specific security standards, and that patient consent for telehealth be documented. New York also has specific requirements about which services can be provided via telehealth and provider licensing requirements for cross-state telehealth.

New York's SHIELD Act applies to telehealth platforms just as it applies to any system containing private information about New York residents — adding a state-level compliance layer on top of federal HIPAA requirements. Practices that experience a telehealth-related breach may face both federal OCR enforcement and New York State attorney general action.