Telemedicine HIPAA Compliance: Six Months In

March 2020 forced rapid telemedicine adoption. Six months later, practices that implemented video visits in emergency mode are asking about long-term HIPAA compliance.

The answer: it's complicated. But manageable.

March Emergency Measures

In March, OCR (Office for Civil Rights) announced they wouldn't enforce HIPAA penalties for good-faith telemedicine during the public health emergency.

This allowed practices to use consumer video platforms (FaceTime, Zoom, Skype) that aren't normally HIPAA-compliant.

What This Meant

Practices could quickly implement video visits without worrying about Business Associate Agreements or HIPAA-compliant platforms.

This was necessary to maintain patient care when in-person visits weren't safe.

What This Didn't Mean

Enforcement discretion doesn't mean HIPAA doesn't apply. It means OCR won't penalize violations during the emergency.

Practices still need to protect patient privacy as much as reasonably possible.

Six Months Later

Six months into the pandemic, the questions are shifting:

When Does Enforcement Discretion End?

It ends when the public health emergency ends. Nobody knows exactly when that will be.

Should We Wait for the Emergency to End?

No. Practices should move toward HIPAA compliance now rather than waiting for enforcement discretion to end.

What If We Want to Continue Telemedicine Permanently?

Then you definitely need a HIPAA-compliant approach.

HIPAA Requirements for Telemedicine

Business Associate Agreements

Video platform providers handling PHI must sign Business Associate Agreements.

Consumer platforms (regular Zoom, FaceTime, Skype) won't sign BAAs. They're not designed for healthcare.

Healthcare platforms (Zoom for Healthcare, Doxy.me, others) will sign BAAs.

Encryption

Video connections must be encrypted. This protects patient conversations from interception.

Most video platforms encrypt connections. But not all do so in a way that meets HIPAA requirements.

Access Controls

Only authorized people should access patient video visits.

Waiting rooms, passwords, and host controls help enforce this.

Audit Logs

HIPAA requires logging who accessed what patient information and when.

Healthcare video platforms typically provide this. Consumer platforms often don't.

Selecting a HIPAA-Compliant Video Platform

Healthcare-Specific Platforms

Platforms designed for healthcare telemedicine:

What to Look For

Willing to Sign BAA

This is the minimum requirement. If a platform won't sign a BAA, it's not HIPAA-compliant.

Encryption

End-to-end encryption meeting HIPAA standards.

Access Controls

Waiting rooms, passwords, ability to control who can join.

Recording Controls

If recording capability exists, you need control over it. Uncontrolled recording creates compliance risks.

Integration

Does the platform integrate with your EHR? This simplifies documentation and workflows.

Ease of Use

For patients, simpler is better. Platforms requiring account creation or app downloads create barriers.

Configuration Matters

Even HIPAA-compliant platforms need proper configuration:

Enable Waiting Rooms

Patients wait in a virtual waiting room until the provider admits them. This prevents patients from seeing each other.

Require Passwords

Meeting links should require passwords. Don't post publicly accessible links.

Disable Recording

Unless you specifically need to record visits, disable recording capability. Recordings are PHI requiring secure storage.

Control Screen Sharing

Only hosts should control screen sharing. This prevents patients from accidentally sharing their screens.
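
One way to check the four settings above across a practice's scheduled visits, as an added example (not the blog's or any vendor's code). The settings key names and the sample export are hypothetical and constructed; a missing setting is treated as a failure.

```python
# Added example: key names are hypothetical, not any vendor's settings schema.
BASELINE = {
    "waiting_room": (True, "enable the waiting room so patients do not see each other"),
    "require_password": (True, "require a password on the meeting link"),
    "screen_share": ("host_only", "restrict screen sharing to the host"),
}

def audit_meeting(settings):
    """Return a list of findings for one meeting's settings dict."""
    findings = []
    for key, (expected, fix) in BASELINE.items():
        # A missing key is treated as non-compliant (fail closed).
        if settings.get(key) != expected:
            findings.append(f"{key}: {fix}")
    # Recording defaults to "on" when unspecified; it passes only with a
    # documented need and secure storage, because recordings are PHI.
    if settings.get("recording", True):
        if not settings.get("recording_justification"):
            findings.append("recording: disable, no documented need to record")
        elif not settings.get("recording_storage_secured", False):
            findings.append("recording: recordings are PHI, storage not marked secure")
    return findings

def audit_all(meetings):
    """Map meeting id -> findings, keeping only meetings with problems."""
    report = {}
    for m in meetings:
        found = audit_meeting(m.get("settings", {}))
        if found:
            report[m["id"]] = found
    return report

# Constructed sample export (not real data).
SAMPLE = [
    {"id": "visit-001", "settings": {"waiting_room": True, "require_password": True,
        "screen_share": "host_only", "recording": False}},
    {"id": "visit-002", "settings": {"waiting_room": False, "require_password": True,
        "screen_share": "all", "recording": True}},
    {"id": "visit-003", "settings": {"waiting_room": True, "require_password": True,
        "screen_share": "host_only", "recording": True,
        "recording_justification": "supervision review",
        "recording_storage_secured": True}},
    {"id": "visit-004", "settings": {"waiting_room": True, "screen_share": "host_only"}},
]

if __name__ == "__main__":
    for mid, findings in audit_all(SAMPLE).items():
        for f in findings:
            print(f"{mid}: {f}")
```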

Patient Privacy Beyond Platform

Provider Location

Providers conducting telemedicine from home need private spaces. Family members shouldn't overhear patient conversations.

The background visible in video should be neutral and should not reveal personal information.

Patient Location

You can't control where patients connect from. But you can remind them about privacy:

Include these reminders in telemedicine instructions.

Documentation Requirements

Consent

Document patient consent for telemedicine. Some states and payers require specific consent.

Visit Documentation

Document telemedicine visits in the EHR just like in-person visits. Note that the visit was conducted via telemedicine.

Technology Used

Document what platform was used. This shows you're using appropriate technology.

Training Staff

Staff need training on:

Platform Use

How to schedule telemedicine appointments, start visits, use features, troubleshoot common problems.

Privacy Considerations

Private locations for visits, screen positioning, handling interruptions.

Patient Support

Helping patients connect, troubleshooting their technical issues, providing clear instructions.

Patient Instructions

Good patient instructions reduce technical support burden:

Send instructions before appointments. Call 15 minutes before to test connections.

Common Mistakes

Assuming Consumer Platforms Are Compliant

Regular Zoom, FaceTime, and Skype aren't HIPAA-compliant even though enforcement is relaxed during the emergency.

Not Getting BAAs

Even healthcare platforms require signed BAAs. Don't skip this step.

Poor Configuration

HIPAA-compliant platforms configured incorrectly create risks. Enable security features.

No Patient Instructions

Assuming patients will figure it out leads to frustration and wasted time.

Billing Considerations

Telemedicine billing rules evolved during the pandemic. Stay current on:

This is a changing area. What's covered now may change when the public health emergency ends.

Moving Forward

Telemedicine isn't going away. Even post-pandemic, video visits will remain valuable for:

Invest in HIPAA-compliant telemedicine infrastructure now. Don't wait for enforcement discretion to end.

Our Recommendations

Six months into telemedicine:

  1. Select a HIPAA-compliant platform (with BAA)
  2. Configure security features properly
  3. Train staff on platform use and privacy
  4. Develop clear patient instructions
  5. Document consent and visits properly
  6. Review regularly and update as needed

If you need help selecting telemedicine platforms, configuring them for HIPAA compliance, or training staff, we can help.

We've been working with Arizona medical practices through the pandemic telemedicine transition. We understand both technical requirements and clinical workflows.

Telemedicine done right expands access and improves convenience. Telemedicine done wrong creates compliance risks. Six months in, it's time to get it right.