Most practices get HIPAA compliance for telehealth completely wrong. They either spend way too much on overbuilt enterprise platforms, or they cut corners with consumer video tools and hope nobody notices. Both paths end badly.

Here's what actually matters, what doesn't, and how to tell if your current setup is going to get you in trouble.

The Four Things HIPAA Actually Cares About

HIPAA's Security Rule kicks in any time you're transmitting protected health information (PHI) electronically. That includes video visits where you can see a patient, hear their symptoms, or discuss treatment. Forget the 200-page compliance guides. It boils down to four things.

1. A Business Associate Agreement (BAA)

This is the one that trips people up the most. Every vendor that touches your patient data has to sign a BAA with you. Your telehealth platform, your cloud provider, your video infrastructure. All of them. If a vendor won't sign a BAA, walk away. It doesn't matter how nice their product is.

2. Encrypted Video and Audio

Your video streams need to be encrypted in transit. The technical details are TLS for signaling and DTLS/SRTP for the actual media. You don't need to understand those acronyms. You just need to confirm your platform uses them. Don't assume. Ask.

3. Access Controls

Random people should not be able to wander into a patient visit. That means unique visit links, waiting rooms, or some form of authentication. If your setup uses a reusable meeting room link that anyone could guess, that's a problem.
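One way to implement the unique, non-reusable visit link this section calls for, as an added example that is not code from the article or from any platform it names: each link carries a random nonce, an expiry, and an HMAC over both, so a link cannot be guessed, reused after the visit window, or edited to point at another visit. The signing key and visit id are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed key for this example only; a real service loads it from a secret store.
SIGNING_KEY = b"example-visit-link-signing-key"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_visit_link(visit_id: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a one-off token for a single visit.

    The random nonce makes every link unique and unguessable, the expiry bounds how
    long the link opens the room, and the HMAC ties visit_id, nonce and expiry
    together so none of them can be changed without invalidating the signature.
    """
    now = time.time() if now is None else now
    payload = {"v": visit_id, "n": secrets.token_urlsafe(16), "exp": int(now + ttl_seconds)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_visit_link(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the visit payload if the token is authentic and unexpired, else None.

    The signature is checked before the body is trusted, using a constant-time
    compare, so a forged or edited link is rejected before anything else happens.
    """
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload
```

A reusable room link is the opposite of this: no nonce, no expiry, so anyone who learns it once can join any later session.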

4. Audit Logs

You need a record of who accessed what and when. For telehealth, that means visit logs with timestamps, participant info, and session duration. Your platform should handle this automatically. If you're manually tracking this in a spreadsheet, something is wrong.

What HIPAA Does NOT Require

This is where the expensive enterprise vendors lose me. They make compliance sound like you need a whole NASA control room. You don't. Here's what HIPAA does not require:

  • A $50,000 enterprise system. HIPAA doesn't care about your price point. A properly secured $29/month platform is just as compliant as one that costs thousands. Compliance is about security controls, not line items on an invoice.
  • On-premise servers. Cloud hosting is perfectly fine. The provider just needs to sign a BAA and meet the security requirements. Most major cloud companies already offer HIPAA-eligible configurations.
  • A dedicated IT team. If your telehealth vendor handles the technical side (encryption, access controls, logging), your job is mostly policies and staff training. Make sure your team knows not to discuss PHI over unsecured channels. That gets you most of the way there.
  • Video recording of visits. You need clinical documentation, obviously. But HIPAA does not require you to record video sessions. Your visit notes and your platform's audit logs are what matter.

Who Needs a BAA? (Hint: More Vendors Than You Think)

A BAA is a legal agreement between you and any vendor that creates, receives, stores, or transmits PHI on your behalf. Here's the full list you should be thinking about:

  • Your telehealth platform (mandatory). This is non-negotiable. If they won't sign, find a new platform today.
  • Your cloud provider (mandatory). The servers where data lives. The big cloud providers all offer BAAs for their HIPAA-eligible services.
  • Your video infrastructure provider (mandatory). The service handling real-time video and audio streams. Sometimes this is built into your telehealth platform. Sometimes it's a separate provider under the hood.
  • Your email provider (best to just avoid this). The safest move is to never send PHI via email. Use secure messaging inside your telehealth platform instead.
  • Your EHR (mandatory if integrated). If your telehealth platform sends data to your EHR, that vendor needs a BAA too. Most EHR vendors already have one in place.

Simple rule: If a vendor touches patient data in any form, you need a BAA with them. If they refuse to sign one, stop using them for anything that involves PHI. Period.

Tools That Will Get You in Trouble

This is where small practices screw up constantly. Just because something has a video call button doesn't make it safe for patient visits. These tools are NOT HIPAA compliant out of the box:

  • FaceTime. Apple won't sign a BAA. It doesn't matter that it's end-to-end encrypted. No BAA means no compliance. The COVID-era enforcement discretion that let practices slide on this is over.
  • Regular Zoom (free or Pro). Your standard Zoom account is not compliant. Zoom does offer a healthcare-specific plan with a BAA, but you have to be on that exact plan. Your regular Pro subscription doesn't count.
  • Google Meet (consumer version). The free version is not compliant. Google Workspace Enterprise can be configured for HIPAA with a BAA, but the consumer version cannot.
  • WhatsApp. No BAA available. Encryption alone is not enough.
  • Texting from your personal phone. Standard SMS is not encrypted and your carrier is not signing a BAA. Texting patients from your personal number is a violation waiting to happen.

The pattern here is obvious. Consumer communication tools are built for convenience, not compliance. They don't have BAAs, audit logs, or proper access controls. Using them for patient care is a gamble, and the stakes are real. HIPAA fines range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per category.

How SimplyTelehealth Handles This

We built SimplyTelehealth because we got tired of watching practices choose between overpriced enterprise systems and risky consumer tools. Here's how we handle each requirement:

  • BAAs across the entire stack. We have BAAs with our cloud infrastructure, our video infrastructure, and every service that touches patient data. You get a BAA with us, and we've got everything downstream covered.
  • Encrypted video, no exceptions. All video and audio streams use DTLS/SRTP encryption. Signaling data is encrypted via TLS. Your visits are protected end to end.
  • No patient accounts needed. Patients click a link and they're in. No app downloads, no account creation, no extra personal data floating around. Less stored PHI means less risk.
  • Unique, time-limited visit links. Every visit gets its own link with access controls. No shared meeting rooms where someone could wander into the wrong session.
  • Automatic audit logging. Every visit is logged with timestamps, participant info, and duration. You get the documentation you need without lifting a finger.

Your Compliance Checklist

Run through this list against your current setup. If you can't check every box, you've got a gap that needs fixing.

  • Your telehealth platform vendor has signed a BAA with your practice
  • Video and audio streams are encrypted in transit (TLS, DTLS/SRTP)
  • Each visit uses a unique link or requires authentication to join
  • Your platform generates visit logs (who joined, when, duration)
  • Your cloud/hosting provider has signed a BAA
  • Your video infrastructure provider has signed a BAA
  • You are NOT using consumer tools (FaceTime, regular Zoom, WhatsApp) for patient visits
  • Staff have been trained on HIPAA basics for telehealth
  • You have a written policy for telehealth visits and PHI handling
  • PHI is not being sent via standard email or personal phone SMS

If you checked every box, you're solid. If not, fix the gaps now. Not next quarter. Now. HIPAA enforcement isn't theoretical. Practices get fined every year for exactly the kind of shortcuts you might be taking.

Need a telehealth platform with all the HIPAA boxes checked?

SimplyTelehealth is built for compliance from the ground up. BAAs, encryption, audit logs, and zero patient downloads.
