
Telehealth Security: What Medical Practices Learned in Year One

March 2020 forced rapid telehealth adoption. Practices that had never done video visits suddenly conducted dozens daily.

One year later, telehealth is an established part of medical practice. But year one revealed important security lessons. Here's what medical practices learned.

Platform Selection Matters

Consumer vs. Healthcare Platforms

March 2020 saw many practices using consumer Zoom because it was familiar and easy. But consumer video platforms don't meet HIPAA requirements.

Healthcare-specific platforms (Zoom for Healthcare, Doxy.me, others) include necessary features:

The platform matters. Consumer tools aren't compliant for medical visits discussing PHI.

Integration With EHR

Platforms that integrate with your EHR streamline workflows. Visit notes automatically associate with patient records.

Standalone platforms require manually documenting visits in your EHR, creating extra work and potential errors.

Security Configuration Mistakes

Publicly Shared Meeting Links

Some practices posted telehealth visit links on public-facing websites or social media. Anyone could join patient visits.

Meeting links should be sent directly to specific patients through secure channels (patient portal, encrypted email).

No Waiting Rooms

Without waiting rooms enabled, anyone with the link can join immediately. Patients might see each other or overhear conversations.

Waiting rooms let providers admit patients individually, maintaining privacy.

Recording Mishandling

Some platforms allow recording visits. If enabled, recordings become PHI requiring secure storage and retention policies.

Many practices don't need to record visits. If you don't need it, disable recording capability.
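The configuration checks in this section (link distribution, waiting rooms, recording), along with the password requirement from the recommendations list, can be run mechanically over an export of scheduled visits. The script below is an added example, not code from this article or from any platform vendor; the field names, severity levels and sample visits are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical export schema for scheduled visits. Field names are assumptions,
# not any vendor's API; map your platform's admin export onto these fields.
SECURE_CHANNELS = {"patient_portal", "encrypted_email"}  # channels named in the article
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}  # assumed severity scale

@dataclass
class Visit:
    visit_id: str
    link_channel: str                      # how the join link reached the patient
    waiting_room: bool
    passcode: bool
    recording: bool
    retention_days: Optional[int] = None   # None means no retention policy is set

def audit(v: Visit) -> list:
    """Return (severity, finding) tuples for one visit, most severe first."""
    out = []
    exposed = v.link_channel not in SECURE_CHANNELS
    if exposed and not v.waiting_room:
        # The link is discoverable and nothing gates entry to the visit.
        out.append(("critical", "exposed link with no waiting room"))
    elif exposed:
        out.append(("high", f"link sent via {v.link_channel}"))
    elif not v.waiting_room:
        out.append(("high", "waiting room disabled"))
    if not v.passcode:
        out.append(("medium", "no passcode"))
    if v.recording and v.retention_days is None:
        # Recordings are PHI; one with no retention policy is unmanaged PHI.
        out.append(("high", "recording enabled without retention policy"))
    elif v.recording:
        out.append(("low", "recording enabled; confirm it is needed"))
    return sorted(out, key=lambda f: RANK[f[0]])

def report(visits) -> dict:
    """Map visit_id to findings, omitting visits that pass every check."""
    results = {v.visit_id: audit(v) for v in visits}
    return {vid: findings for vid, findings in results.items() if findings}

# Constructed sample data, not taken from any real practice.
VISITS = [
    Visit("v1", "patient_portal", True, True, False),
    Visit("v2", "public_website", False, False, True),
    Visit("v3", "encrypted_email", True, True, True, retention_days=365),
]

if __name__ == "__main__":
    for visit_id, findings in report(VISITS).items():
        print(visit_id, findings)
```
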

Patient Privacy in Virtual Visits

Provider Location

Providers conducting telehealth from home need private spaces. Other family members shouldn't overhear patient conversations.

The background visible on video should be neutral and should not reveal personal information.

Patient Location

Patients might connect from anywhere. You can't control their environment, but you can remind them to find private spaces.

Include privacy reminders in telehealth instructions: use a private room, use headphones, and don't conduct visits in public spaces.

Technical Barriers to Access

Digital Divide

Not all patients have smartphones or computers. Not all have reliable internet. Some aren't comfortable with technology.

Year one revealed that telehealth doesn't work equally for all patient populations. Phone-only visits or in-person alternatives remain necessary.

Platform Complexity

Platforms that require account creation, app downloads, or complex setup create barriers.

Simpler platforms with click-to-join links have better patient adoption, especially for older patients or those less comfortable with technology.

Support Burden

Practices underestimated technology support needs. Staff spend significant time helping patients troubleshoot connection problems, audio issues, and camera failures.

This requires either dedicated technical support or realistic scheduling that accounts for troubleshooting time.

Consent and Documentation

Telehealth Consent

Some states and payers require specific consent for telehealth. Early in the pandemic, enforcement was relaxed. Now, proper consent processes matter.

Document patient consent for telehealth, either as a standalone form or integrated into general consent.

Visit Documentation

Telehealth visits need documentation just like in-person visits. Note the type of visit (video vs. phone), the technology used, and that the patient consented.

Some practices struggled because staff working from home were unable to access the EHR. Cloud-based EHRs had a major advantage here.

Billing and Compliance

Coding Telehealth Correctly

Telehealth billing codes and reimbursement rules evolved during the pandemic. Keeping current on what's covered and how to code it correctly is an ongoing challenge.

State Licensing

Providers need to be licensed in the state where the patient is located during the visit. For practices near state borders, this creates licensing complications.

Prescribing Controlled Substances

Federal rules about prescribing controlled substances via telehealth were relaxed during the pandemic but may tighten again. Know the current regulations.

What Works Well

Dedicated Telehealth Time Blocks

Schedule telehealth visits in dedicated blocks rather than mixing them with in-person visits. This reduces context-switching and allows for troubleshooting time.

Pre-Visit Technical Checks

Call patients 15-30 minutes before appointments to test connections. This catches technical problems before the scheduled visit time.

Clear Patient Instructions

Written instructions with screenshots sent before appointments:

Staff Training

Everyone who interacts with telehealth needs training: providers on conducting virtual visits, schedulers on booking and confirming, front desk on technical troubleshooting.

What Doesn't Work

Assuming Patients Have Technology

Don't require telehealth without phone alternatives. The digital divide is real.

Complex Platforms

Platforms requiring accounts, downloads, or multiple steps create barriers and support burden.

Mixing Personal and Professional Accounts

Providers using personal Zoom accounts for patient visits create compliance and security problems. Use professional, HIPAA-compliant accounts only.

Looking Forward

Telehealth isn't going away. Even as in-person visits resume, virtual visits remain valuable for:

But sustainable telehealth requires:

Our Recommendations

One year into telehealth, best practices are clear:

  1. Use healthcare-specific platforms with BAAs, not consumer tools
  2. Configure security properly: waiting rooms, passwords, controlled recording
  3. Train staff on platform use and troubleshooting
  4. Provide clear patient instructions
  5. Have phone alternatives for patients without technology access
  6. Document consent and visit details
  7. Keep current on billing and compliance requirements

If you need help selecting telehealth platforms, configuring them securely, or training staff, we can help. We've been working with Arizona medical practices through the pandemic telehealth transition and understand both the technical and clinical requirements.

Telehealth done right expands access and improves convenience. Telehealth done poorly creates compliance risks and patient frustration. Year one taught us the difference.