
HIPAA Compliance for Telehealth Mental Health Providers: What You Need to Know

The HIPAA compliance obligations telehealth mental health providers must meet post-COVID: platform selection, BAAs, home office risks, AI tools, breach notification, and compliance infrastructure.


You launched telehealth during COVID, got comfortable with Zoom sessions from your living room, and assumed the flexibility was here to stay. It wasn't. The enforcement discretion that allowed non-compliant platforms and home office shortcuts ended when the Public Health Emergency expired. Now you're operating in an environment where OCR is actively enforcing the HIPAA compliance obligations that telehealth mental health providers must meet, and the risks are different from anything you faced in traditional brick-and-mortar practice.

The problem isn't that telehealth is inherently non-compliant. It's that telehealth introduced new attack surfaces: personal devices, home Wi-Fi networks, third-party platforms with unclear data practices, AI documentation tools that process PHI, and multi-state licensure scenarios that create overlapping compliance obligations. Most guidance treats HIPAA as a static checklist. This article addresses what actually changed, what risks telehealth specifically creates, and how to build a compliance infrastructure that holds up under audit.

What Changed Post-COVID: Temporary Waivers vs. Permanent Requirements

During the Public Health Emergency, HHS issued enforcement discretion allowing providers to use non-public facing communication tools like FaceTime, Skype, and standard Zoom accounts without Business Associate Agreements. That discretion ended. HHS made clear that providers must now return to HIPAA-compliant platforms with signed BAAs or face enforcement action.

Here's where operators got comfortable with practices that are now violations: using personal FaceTime for crisis check-ins, conducting sessions over unsecured free Zoom accounts, storing session recordings in personal Dropbox folders, and using non-compliant messaging apps for appointment reminders. These weren't compliant during COVID either; they were just deprioritized for enforcement. That deprioritization is over.

The permanent changes that did stick: expanded reimbursement for telehealth services, relaxed originating site requirements for Medicare, and broader acceptance of audio-only sessions for certain populations. But reimbursement flexibility doesn't mean compliance flexibility. You still need the technical, administrative, and physical safeguards HIPAA requires, regardless of session modality.

If your practice adopted telehealth during the pandemic and hasn't conducted a formal risk assessment since the PHE ended, you're operating with inherited risk. The first step is identifying which shortcuts you're still taking and what your actual exposure is. Many treatment centers we've worked with discovered they had clinicians using personal devices without encryption, storing notes in non-BAA cloud storage, and conducting sessions from public spaces. All of these are reportable violations if discovered during an audit.

Platform Selection and Business Associate Agreements: What Actually Makes a Tool Compliant

A telehealth platform is HIPAA-compliant if, and only if, the vendor will sign a Business Associate Agreement and the platform includes technical safeguards like encryption in transit and at rest, access controls, and audit logging. HHS guidance specifies that a BAA must include permitted uses of PHI, required safeguards, breach reporting obligations, and subcontractor provisions.

Here's the breakdown for commonly used platforms: Zoom for Healthcare offers a BAA and is compliant when configured correctly. Doxy.me is purpose-built for healthcare and includes BAA coverage by default. Google Meet and Microsoft Teams can be compliant if you have a Google Workspace or Microsoft 365 enterprise plan with BAA coverage, but the free consumer versions are not. FaceTime, WhatsApp, and standard Skype have no BAA option and are non-compliant for any PHI transmission.

The BAA itself is not a magic document that makes a platform secure. It's a legal agreement that the vendor will meet HIPAA requirements and notify you of breaches. You still need to configure the platform correctly: disable meeting recordings unless stored in BAA-covered infrastructure, require passwords for all sessions, enable waiting rooms to prevent unauthorized access, and turn off third-party integrations that aren't covered by your BAA.

We've seen practices sign a BAA with Zoom but continue using the free personal version, assuming coverage transferred. It doesn't. The BAA applies only to the specific enterprise account and subscription tier. If your clinicians are logging into personal Zoom accounts for convenience, you're not covered, even if the organization has a separate compliant account.

Home Office and Personal Device Risks: The Safeguards That Apply Outside Clinical Space

HIPAA doesn't prohibit home offices or personal device use, but it requires the same risk assessment and safeguards you'd apply in a clinic. HHS specifies that covered entities must evaluate risks specific to the environment where PHI is accessed and implement appropriate controls.

For home offices, that means: conducting sessions in private spaces where household members can't overhear, using secured Wi-Fi networks with WPA3 encryption (not public or neighbor networks), positioning screens so PHI isn't visible through windows or to others in the home, and securing physical records if any are kept at home. The risk isn't theoretical. We've handled breach notifications triggered by a clinician's partner overhearing a session, a child accessing an unlocked laptop with open EHR, and a stolen work laptop that wasn't encrypted.

Personal devices create additional risk because they're used for non-work purposes, increasing malware exposure, and often lack enterprise-grade security controls. If you allow personal device use, your policies must require: full-disk encryption, automatic screen locks with timeout, remote wipe capability if the device is lost, prohibition of PHI storage on the device itself (cloud access only), and up-to-date operating systems and security patches.

The hardest part isn't writing the policy; it's enforcement. You need a mechanism to verify compliance, whether that's mobile device management software, quarterly attestations, or spot checks. If you can't verify that a clinician's personal iPhone is encrypted and passcode-protected, you can't allow it for telehealth access. The liability transfers to you as the covered entity, not the individual clinician.

For treatment centers expanding telehealth services, consider whether issuing organization-owned devices is more operationally sound than trying to secure dozens of personal devices with varying configurations. The upfront cost is higher, but the compliance overhead is significantly lower. This is especially relevant for centers that previously managed COVID-era operational shifts and are now building permanent telehealth infrastructure.
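One way to turn the personal-device requirements above into a verifiable check rather than an attestation. This is an added example, not code from the article or any MDM vendor; the inventory records, field names and policy thresholds are constructed assumptions.

```python
# Added example (not the article's code): a policy-as-code check that verifies
# personal devices against the article's requirements (full-disk encryption,
# screen lock with timeout, remote wipe, no local PHI storage, current patches)
# using a constructed MDM-style inventory export. Field names are assumptions.
from datetime import date

MAX_LOCK_TIMEOUT_MINUTES = 5   # assumed policy value
MAX_PATCH_AGE_DAYS = 30        # assumed policy value

# Constructed inventory records; real exports will differ in shape.
INVENTORY = [
    {"device_id": "iphone-001", "owner": "clinician-a", "encrypted": True,
     "lock_timeout_min": 2, "remote_wipe": True, "local_phi_storage": False,
     "last_patch": "2024-05-20"},
    {"device_id": "laptop-002", "owner": "clinician-b", "encrypted": False,
     "lock_timeout_min": 15, "remote_wipe": True, "local_phi_storage": True,
     "last_patch": "2024-01-03"},
    {"device_id": "tablet-003", "owner": "clinician-c", "encrypted": True,
     "lock_timeout_min": None, "remote_wipe": False, "local_phi_storage": False,
     "last_patch": "2024-05-28"},
]


def evaluate_device(record, today_iso):
    """Return the policy requirements this device fails (empty list = allowed)."""
    today = date.fromisoformat(today_iso)
    failures = []
    if not record.get("encrypted"):
        failures.append("full-disk encryption not enabled")
    timeout = record.get("lock_timeout_min")
    if timeout is None or timeout > MAX_LOCK_TIMEOUT_MINUTES:
        failures.append(f"screen lock timeout missing or above {MAX_LOCK_TIMEOUT_MINUTES} min")
    if not record.get("remote_wipe"):
        failures.append("remote wipe not enrolled")
    if record.get("local_phi_storage"):
        failures.append("PHI stored on the device (policy allows cloud access only)")
    try:  # an unknown or unparseable patch date counts as a failure, not a pass
        patch_age = (today - date.fromisoformat(record["last_patch"])).days
    except (KeyError, ValueError):
        patch_age = None
    if patch_age is None or patch_age > MAX_PATCH_AGE_DAYS:
        failures.append(f"OS patches older than {MAX_PATCH_AGE_DAYS} days or unknown")
    return failures


def devices_to_block(inventory, today_iso):
    """Map device_id -> failure list for every device that must lose telehealth access."""
    blocked = {}
    for record in inventory:
        failures = evaluate_device(record, today_iso)
        if failures:
            blocked[record["device_id"]] = failures
    return blocked
```

Run it against a real MDM export on a schedule and treat any non-empty failure list as a block on EHR and telehealth access until the device is remediated.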

The New Documentation Risk: AI Tools, Ambient Recording, and Speech-to-Text

AI-assisted documentation tools are proliferating: ambient scribes that record and transcribe sessions, GPT-powered note generators, and real-time speech-to-text software. All of them process PHI, which means they require a BAA with the vendor and a risk assessment before implementation. HHS guidance makes clear that any third party that creates, receives, maintains, or transmits PHI on your behalf is a business associate.

The specific risks these tools introduce: PHI transmitted to vendor servers for processing (where is it stored, how long, who has access?), model training on your patient data unless explicitly prohibited in the BAA, lack of audit logs showing who accessed which patient's data, and integration with non-compliant platforms (e.g., an AI tool that pulls data from a non-BAA Zoom recording).

Before adopting any AI documentation tool, verify: the vendor will sign a BAA, PHI is encrypted in transit and at rest, your data will not be used for model training or shared with third parties, the vendor has breach notification procedures, audit logs are available and retained per your policy, and the tool integrates only with your other BAA-covered systems. If the vendor can't answer these questions or won't commit in writing, the tool isn't compliant regardless of how convenient it is.

We've seen practices adopt ambient AI scribes that record entire sessions and transmit audio to vendor servers for transcription, only to discover later that the vendor's terms of service included a clause allowing use of de-identified data for product improvement. De-identification under HIPAA has specific standards, and most vendors aren't actually meeting them. The safer approach: assume any "de-identified" data could be re-identified and negotiate explicit prohibitions on secondary use.

For behavioral health settings implementing new documentation workflows, our speech-to-text implementation guide provides a detailed framework for evaluating vendor compliance and configuring tools correctly.

State Law Intersections: When State Privacy Rules Are Stricter Than HIPAA

HIPAA sets the federal floor, but state laws often impose stricter requirements for mental health and substance use disorder records. 42 CFR Part 2, which governs SUD treatment records, has consent and redisclosure requirements that go beyond HIPAA. Some states require explicit written consent before any telehealth session, others mandate specific technical standards for video quality or encryption strength, and a few prohibit certain telehealth modalities altogether for initial evaluations.

SAMHSA clarifies that telehealth across state lines requires compliance with both the originating state (where the patient is located) and the distant state (where the provider is located), plus federal HIPAA and Part 2 if applicable. This creates a multi-jurisdiction compliance matrix that most practices don't map until they're facing a complaint.

For example: a Texas-licensed clinician providing telehealth to a California patient must comply with Texas licensing requirements, California's Confidentiality of Medical Information Act (which has stricter breach notification timelines than HIPAA), and federal HIPAA. If the patient is in SUD treatment, Part 2 applies as well. Miss any one of those layers, and you're non-compliant even if you're following HIPAA perfectly.

The operational challenge is that most practices don't have compliance infrastructure to track which states their clinicians are licensed in, which states their patients are located in, and which state-specific rules apply to each session. If you're operating a multi-state telehealth program, you need a system to flag cross-state sessions and ensure the assigned clinician is both licensed and trained on the relevant state requirements.

For treatment centers expanding across state lines, understanding license verification requirements is foundational before launching telehealth services in new jurisdictions.

Breach Notification Requirements Specific to Telehealth: What Counts and How to Respond

Telehealth creates breach scenarios that don't exist in traditional practice: a clinician accidentally admits the wrong patient to a video session, a session recording is saved to an unsecured personal cloud account, a family member overhears a session conducted in a non-private space, or a Zoom link is sent to the wrong email address and accessed by an unintended recipient.

Under HIPAA, a breach is an impermissible use or disclosure of PHI that compromises the security or privacy of the information. Not every incident is a reportable breach; there's a risk assessment process to determine whether the disclosure poses a significant risk of harm. But for telehealth, many incidents do meet the reporting threshold because they involve unauthorized access to highly sensitive behavioral health information.

If you determine a breach occurred, the timeline is strict: notify affected individuals within 60 days, notify HHS (immediately if the breach affects 500+ individuals, annually if fewer), and notify media if the breach affects 500+ individuals in a state or jurisdiction. You must document the risk assessment that led to your breach determination, the corrective actions taken, and the content of notifications sent.

The most common telehealth breach we see: accidental inclusion of an unauthorized participant in a video session. This happens when a clinician reuses a Zoom link, doesn't enable a waiting room, or sends the link to the wrong patient. The breach affects both patients (each learned the other was in treatment), and both must be notified. The corrective action is usually policy changes requiring unique session links, mandatory waiting rooms, and verification of participant identity before admitting to the session.

For practices that haven't updated breach response procedures since launching telehealth, the gap is usually in incident detection. In a clinic, a misfiled chart or overheard conversation is usually noticed immediately. In telehealth, breaches often go undetected unless a patient reports it or you have audit logging that flags anomalies. Your risk analysis should include how you'll detect telehealth-specific breaches, not just how you'll respond once detected.
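The detection gap described above can be closed by running simple rules over the platform's audit log. This is an added example, not code from the article or from any telehealth vendor; the log format, the schedule export and every identifier are constructed assumptions, and the three rules mirror the incidents the section describes (an unauthorized participant admitted, a session without a waiting room, and one link reused for two patients).

```python
# Added example (not the article's or any platform's code): detection rules for
# the telehealth incidents the article describes, run over constructed audit-log
# lines in an assumed "timestamp event meeting key=value ..." format.
import re
from collections import defaultdict

# Constructed schedule export: the clinician and patient each meeting link belongs to.
# mtg-1002 is deliberately scheduled for two different patients (link reuse).
SCHEDULE = [
    {"meeting": "mtg-1001", "clinician": "dr.lee@example.org", "patient": "patient.a@example.net"},
    {"meeting": "mtg-1002", "clinician": "dr.kim@example.org", "patient": "patient.c@example.net"},
    {"meeting": "mtg-1002", "clinician": "dr.kim@example.org", "patient": "patient.d@example.net"},
]

# Constructed audit-log lines (all identifiers are illustrative).
AUDIT_LOG = """\
2024-06-03T09:58:02Z meeting_created mtg-1001 host=dr.lee@example.org waiting_room=on
2024-06-03T10:00:11Z admit mtg-1001 participant=patient.a@example.net
2024-06-03T10:02:30Z admit mtg-1001 participant=patient.b@example.net
2024-06-03T13:00:00Z meeting_created mtg-1002 host=dr.kim@example.org waiting_room=off
2024-06-03T13:01:45Z admit mtg-1002 participant=patient.c@example.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(.*)$")


def parse_line(line):
    """Parse one log line into a dict; trailing key=value pairs become fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, meeting, rest = m.groups()
    return {"ts": ts, "event": event, "meeting": meeting,
            **dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)}


def detect_incidents(log_text, schedule):
    """Return (rule, meeting, detail) findings for the compliance officer to review."""
    findings = []
    allowed = defaultdict(set)    # meeting -> scheduled clinician and patient
    patients = defaultdict(set)   # meeting -> scheduled patients, for the reuse rule
    for s in schedule:
        allowed[s["meeting"]].update({s["clinician"], s["patient"]})
        patients[s["meeting"]].add(s["patient"])
    for meeting, pats in patients.items():          # rule: one link, many patients
        if len(pats) > 1:
            findings.append(("link_reuse", meeting, sorted(pats)))
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["event"] == "meeting_created" and rec.get("waiting_room") != "on":
            findings.append(("waiting_room_disabled", rec["meeting"], rec.get("host")))
        if rec["event"] == "admit" and rec.get("participant") not in allowed[rec["meeting"]]:
            findings.append(("unauthorized_participant", rec["meeting"], rec["participant"]))
    return findings
```

Each unauthorized_participant finding is a candidate breach affecting both patients and should feed the documented risk assessment the section describes; the other two rules catch the configuration errors before they turn into one.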

Building a Telehealth Compliance Infrastructure: Policies, Training, and Technical Safeguards

Compliance isn't a one-time checklist; it's an operational infrastructure that requires ongoing maintenance. For telehealth, that infrastructure includes: written policies specific to telehealth operations, initial and annual training for all clinicians and staff, technical safeguards implemented and monitored, and an annual risk analysis that evaluates telehealth-specific risks.

Your telehealth policies must address: platform selection criteria and BAA requirements, home office and personal device standards, patient identity verification before sessions, emergency procedures for telehealth sessions (how to handle a patient in crisis when you're not physically present), documentation requirements specific to telehealth encounters, and breach response procedures for telehealth incidents.

Training should be role-specific. Clinicians need to understand how to configure their telehealth platform securely, recognize and report potential breaches, conduct sessions in compliant environments, and document telehealth encounters correctly. Administrative staff need to understand how to schedule telehealth sessions, verify patient identity remotely, and handle technical support requests without creating security gaps.

Technical safeguards are where most practices underinvest. At minimum, you need: encryption for data in transit and at rest, access controls that limit who can view PHI to only those with a need to know, audit logging that tracks who accessed which patient records and when, automatic logoff after a period of inactivity, and regular security updates and patches for all systems that touch PHI.

The annual risk analysis is required under HIPAA and should specifically evaluate: new technologies adopted in the past year (AI tools, new telehealth platforms, new EHR integrations), changes in your workforce (new remote clinicians, staff turnover, expanded service areas), reported incidents and near-misses (what almost went wrong and why), and changes in the threat landscape (new types of cyberattacks, new regulatory guidance, new state laws).

For treatment centers navigating evolving regulatory landscapes, staying current on policy changes at the federal level helps anticipate compliance shifts before they become enforcement priorities.

Operational Takeaways: What to Do This Week

If you're running a telehealth program and haven't formalized your compliance infrastructure, start here: audit which platforms your clinicians are actually using (not just what's in the policy), verify you have signed BAAs with every vendor that touches PHI, identify which clinicians are using personal devices or working from home and assess whether those environments meet your security standards, and review your breach response procedure to confirm it addresses telehealth-specific scenarios.

For new telehealth programs, build compliance into the launch plan rather than retrofitting it later. Select a platform with BAA coverage before onboarding patients, issue organization-owned devices or implement MDM for personal devices before granting EHR access, train clinicians on telehealth-specific compliance requirements before their first session, and document your risk analysis and policy decisions contemporaneously.

The goal isn't perfect compliance (that doesn't exist); it's a demonstrable good-faith effort to identify risks, implement reasonable safeguards, and respond appropriately when incidents occur. OCR evaluates whether you had policies in place, whether staff were trained, whether you conducted risk analysis, and whether you took corrective action when you discovered gaps. If you can document yes to all four, you're in a defensible position even if an incident occurs.

Get Telehealth Compliance Right From the Start

HIPAA compliance for telehealth isn't optional, and the enforcement discretion that made non-compliant shortcuts acceptable during COVID is gone. The practices that will avoid enforcement action are the ones that treat telehealth compliance as operational infrastructure, not a one-time checklist.

If you're launching or expanding telehealth services and need help building a compliant program, or if you're concerned your current telehealth operations have inherited risk from the pandemic era, we can help. Our team has built HIPAA compliance programs for behavioral health organizations across multiple states and specializes in the operational realities of telehealth delivery. Reach out to discuss your specific situation and get a clear path to defensible compliance.
