
Telehealth Security in 2025: The COVID Waivers Are Gone. The Risks Are Not.


During COVID-19, HHS issued enforcement discretion waivers allowing healthcare providers to use non-HIPAA-compliant telehealth platforms (FaceTime, Zoom consumer, Skype) without penalties. That enforcement discretion ended with the public health emergency on May 11, 2023, and the 90-day transition period OCR granted ran out on August 9, 2023. But many practices never transitioned to compliant platforms.

If you're still using a non-compliant telehealth tool, you're operating outside HIPAA. Full stop.

What Changed

During the pandemic, HHS announced it would not impose penalties for good-faith use of non-public-facing communication tools for telehealth. This allowed practices to rapidly deploy virtual care without navigating compliance hurdles.

That enforcement discretion ended. The full weight of HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule now applies to all telehealth interactions, exactly as it applies to in-person care.

Compliance Requirements for Telehealth

Platform Requirements

  • BAA required: Your telehealth platform vendor must sign a Business Associate Agreement
  • Encryption in transit: Video, audio, chat, and signaling must be encrypted between every client and the service (TLS for signaling and web traffic, DTLS-SRTP for WebRTC media). Note that "end-to-end encrypted" has a narrower meaning: only the participants hold the keys and the vendor cannot decrypt the call. Most telehealth platforms decrypt media on their servers, which is acceptable when the vendor is under a BAA, but ask which of the two the vendor actually means before repeating the claim in your risk analysis
  • Access controls: Unique logins, role-based access, session management
  • Audit logging: All telehealth sessions must be logged (who joined, when, duration) and the logs must actually be reviewed, not just retained; the Security Rule requires information system activity review, not only audit controls
  • Data storage: Any recordings or session data must be stored in compliance with HIPAA

Provider-Side Security

  • Providers conducting telehealth from home offices need secure, private environments
  • Screen sharing during telehealth must not inadvertently display other patients' information
  • Personal devices used for telehealth need mobile device management (MDM) policies
  • Home networks should use a separate Wi-Fi network (or VLAN) for clinical work, isolated from family and smart-home devices

Patient-Side Considerations

  • Patients should be informed about the privacy limitations of telehealth
  • Consent for telehealth should be documented
  • Patient identity verification procedures should be in place to prevent unauthorized access
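The audit-logging and identity-verification bullets above are easier to act on with a concrete reduction step: take the raw join/leave events a platform exports and turn them into the per-session record HIPAA expects (who, when, duration), flagging sessions that need a human look. The following is an added example and not code from the original post or from any telehealth vendor; the JSON-lines event schema (fields `ts`, `session`, `event`, `user`, `role`, `auth`) and the sample events are constructed for illustration, since every platform exports its own format.

```python
"""Reduce raw telehealth join/leave events into per-session audit records
(who, when, duration) and flag sessions that fail basic privacy checks.

Added example. The event schema below is hypothetical; map your vendor's
export onto these fields before running it on real data."""
import json
from datetime import datetime

# Constructed sample events (hypothetical schema, not any vendor's format).
# s-101: clean 1:1 visit.  s-102: two unverified guests joined and never left.
# s-103: a patient connected but no authenticated provider ever joined.
SAMPLE_EVENTS = """\
{"ts":"2025-03-04T14:00:02Z","session":"s-101","event":"join","user":"dr.lee","role":"provider","auth":"sso"}
{"ts":"2025-03-04T14:00:45Z","session":"s-101","event":"join","user":"pt-48813","role":"patient","auth":"verified_link"}
{"ts":"2025-03-04T14:21:10Z","session":"s-101","event":"leave","user":"pt-48813","role":"patient","auth":"verified_link"}
{"ts":"2025-03-04T14:21:30Z","session":"s-101","event":"leave","user":"dr.lee","role":"provider","auth":"sso"}
{"ts":"2025-03-04T15:00:00Z","session":"s-102","event":"join","user":"dr.lee","role":"provider","auth":"sso"}
{"ts":"2025-03-04T15:01:12Z","session":"s-102","event":"join","user":"guest-7f2a","role":"patient","auth":"guest"}
{"ts":"2025-03-04T15:03:40Z","session":"s-102","event":"join","user":"guest-91cc","role":"unknown","auth":"guest"}
{"ts":"2025-03-04T15:25:00Z","session":"s-102","event":"leave","user":"dr.lee","role":"provider","auth":"sso"}
{"ts":"2025-03-04T16:00:00Z","session":"s-103","event":"join","user":"pt-22001","role":"patient","auth":"verified_link"}
{"ts":"2025-03-04T16:12:00Z","session":"s-103","event":"leave","user":"pt-22001","role":"patient","auth":"verified_link"}
"""


def parse_events(text):
    """Parse JSON-lines events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Python < 3.11 fromisoformat does not accept a trailing 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_audit_records(events):
    """Group events by session and derive who/when/duration per session."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = sessions.setdefault(
            ev["session"],
            {"session": ev["session"], "participants": {}, "start": None, "end": None},
        )
        who = rec["participants"].setdefault(
            ev["user"], {"role": ev["role"], "auth": ev["auth"], "joined": None, "left": None}
        )
        t = _ts(ev["ts"])
        if ev["event"] == "join":
            who["joined"] = t
            if rec["start"] is None or t < rec["start"]:
                rec["start"] = t
        elif ev["event"] == "leave":
            who["left"] = t
            if rec["end"] is None or t > rec["end"]:
                rec["end"] = t
    for rec in sessions.values():
        # Duration is first join to last leave; None if the session never closed.
        if rec["start"] and rec["end"]:
            rec["duration_s"] = int((rec["end"] - rec["start"]).total_seconds())
        else:
            rec["duration_s"] = None
    return sessions


def audit_findings(rec):
    """Return human-readable findings for one session record (empty if clean)."""
    findings = []
    roles = [p["role"] for p in rec["participants"].values()]
    if "provider" not in roles:
        findings.append("no authenticated provider in session")
    unverified = [u for u, p in rec["participants"].items()
                  if p["auth"] == "guest" or p["role"] == "unknown"]
    if unverified:
        findings.append("unverified participant(s): " + ", ".join(unverified))
    # A 1:1 visit with a second non-provider present is a potential disclosure.
    if roles.count("patient") + roles.count("unknown") > 1:
        findings.append("more than one non-provider participant in a visit")
    if rec["duration_s"] is None:
        findings.append("session has no recorded end")
    for user, p in rec["participants"].items():
        if p["left"] is None:
            findings.append(f"{user} has join without leave")
    return findings


if __name__ == "__main__":
    for sid, rec in build_audit_records(parse_events(SAMPLE_EVENTS)).items():
        who = ", ".join(f"{u} ({p['role']})" for u, p in rec["participants"].items())
        print(f"{sid}: {rec['start']} to {rec['end']}, {rec['duration_s']} s, who: {who}")
        for f in audit_findings(rec):
            print(f"   FLAG: {f}")
```

The checks are deliberately simple: a session with no provider, a guest or unknown-role participant, or an extra non-provider in a one-on-one visit is exactly the kind of event the "patient identity verification" bullet is meant to prevent, and this is how you would find out after the fact that the procedure failed. Run it as part of the periodic log review rather than letting the platform's logs sit unread.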

Compliant Platform Options

Major HIPAA-compliant telehealth platforms include:

  • Doxy.me (free and paid tiers, BAA available)
  • Zoom for Healthcare (BAA available on Zoom's paid healthcare plans; free and consumer Zoom are not covered)
  • Microsoft Teams (BAA covered under Microsoft's enterprise data protection terms with appropriate Microsoft 365 licensing; the free or consumer Teams is not covered)
  • Teladoc, Amwell, and other dedicated telehealth platforms

Key distinction: the consumer versions of Zoom, Teams, and Google Meet are NOT HIPAA-compliant. You need the healthcare-specific or enterprise versions with BAAs.

Action Items

  1. Audit your current telehealth tools. Is the platform HIPAA-compliant? Do you have a signed BAA?
  2. Transition off non-compliant platforms immediately. If you're still using FaceTime or consumer Zoom for clinical visits, switch now.
  3. Document telehealth policies. Written policies for provider and patient responsibilities during virtual visits.
  4. Train providers on telehealth security. Privacy of the physical environment, screen sharing protocols, recording policies.
  5. Update your Notice of Privacy Practices. Ensure telehealth is addressed in your NPP.

Telehealth is permanent. The waivers were temporary. Compliance is now mandatory. Get compliant before OCR comes knocking.