
Telehealth and HIPAA: A Compliance Guide for 2026

Dave Greek·Co-Founder, Protect Compliance Management·April 14, 2026

Telehealth exploded during the pandemic — and so did HIPAA enforcement around it. As enforcement flexibilities wind down, practices relying on video platforms must ensure their technology and workflows are fully compliant.

Telehealth adoption grew by more than 3,800% during the COVID-19 pandemic. To keep care flowing, federal agencies temporarily exercised enforcement discretion under HIPAA so providers could use everyday video tools like FaceTime and Zoom. Those flexibilities have now ended — and practices that built telehealth workflows around non-compliant technology face a serious compliance gap. This guide covers exactly what HIPAA-compliant telehealth requires in 2026.

Key takeaway: HIPAA-compliant telehealth requires an encrypted platform, a signed BAA with the vendor, documented patient consent, and inclusion in your Security Risk Assessment. Consumer FaceTime and standard Zoom no longer qualify. Protect helps you document a compliant telehealth program.

The Core HIPAA Requirements for Telehealth

Any technology used to conduct telehealth appointments involving PHI must meet the HIPAA Security Rule's safeguard requirements for electronic PHI. HHS's official telehealth resource and OCR's telehealth guidance make the expectations clear. Your platform must:

  • Support end-to-end encryption for video and audio
  • Be backed by a signed Business Associate Agreement (BAA) with the vendor
  • Control access and maintain audit logs
  • Hold appropriate security certifications (SOC 2, ISO 27001)

Which Platforms Are HIPAA-Compliant?

The most commonly used HIPAA-compliant telehealth platforms include:

  • Zoom for Healthcare — the standard consumer product is NOT compliant; the Healthcare edition with a BAA is
  • Doxy.me — built specifically for healthcare, with a free tier and BAA
  • VSee — HIPAA-compliant, popular with specialty practices
  • Teladoc, Amwell, MDLive — full telehealth platforms with built-in compliance

Platforms that are NOT HIPAA-compliant for clinical use (without special agreements): consumer FaceTime, Skype, standard Google Meet, WhatsApp, and Facebook Messenger.

Consent and Documentation Requirements

Beyond technology, telehealth has specific documentation requirements:

  • Patient consent for telehealth must be obtained and documented before the visit
  • The encounter must be documented in the medical record like any in-person visit
  • Your Notice of Privacy Practices should be updated to include telehealth services
  • State-specific telehealth laws may impose additional consent requirements

Common Telehealth Compliance Mistakes

  • Using a personal Zoom or FaceTime account without a BAA
  • Conducting visits over public or shared Wi-Fi without a VPN
  • Failing to verify patient identity at the start of virtual visits
  • Recording sessions without consent and secure storage
  • Using consumer texting apps for clinical communication without encryption

A Quick Telehealth Compliance Audit

Ask yourself these five questions:

  1. Do we have a signed BAA with our telehealth platform provider? (See our BAA guide.)
  2. Have all staff conducting telehealth been trained on the platform and HIPAA requirements?
  3. Is our patient consent process documented and consistently followed?
  4. Are telehealth encounters properly documented in our EHR?
  5. Is our telehealth workflow included in our Security Risk Assessment?

If you answered "no" or "I'm not sure" to any of these, your telehealth program has compliance gaps.

Frequently Asked Questions

Is FaceTime HIPAA-compliant in 2026?

No. The pandemic-era enforcement discretion that allowed consumer apps has ended, and Apple does not sign a BAA for FaceTime. Use a healthcare-grade platform instead.

Do I need patient consent for a telehealth visit?

Yes. Document the patient's consent to receive care via telehealth before the encounter, and note it in the medical record. Some states require specific consent language.

Telehealth can be fully HIPAA-compliant with the right platform and documented workflows. Contact Protect for a complimentary compliance review, or see our plans to get your entire program audit-ready.


Dave Greek

Co-Founder, Protect Compliance Management

The Protect team helps healthcare practices achieve and maintain HIPAA compliance through our comprehensive software platform and expert consulting services.