Why telehealth carries extra HIPAA exposure
Every health-tech company handles PHI at rest — records in a database, files in object storage. Telehealth adds a second, harder problem: PHI in real-time transit. A video visit is a continuous stream of protected health information — the patient's face, voice, name, condition, medications, sometimes their home in the background — flowing through infrastructure you mostly don't own.
That changes the risk profile in three ways:
- Third-party media infrastructure. Almost nobody builds their own video stack. Your sessions traverse a vendor's signaling servers, TURN relays, and media servers. Every one of those vendors is touching PHI on your behalf — which makes them business associates (or subcontractor business associates) who must sign a BAA before a single session runs.
- Transmission security is the whole game. The Security Rule's transmission security and encryption requirements — usually a supporting concern for a CRUD app — become your primary technical control surface. See the technical safeguards guide for how those map to real controls.
- Recordings multiply the footprint. The moment you record a session, ephemeral PHI becomes stored PHI: a large media file with its own encryption, access-control, retention, and disclosure obligations.
None of this makes telehealth uniquely dangerous — but it does mean the generic HIPAA checklist underweights the parts that matter most for you.
The post-COVID enforcement reality
If your mental model of telehealth compliance was formed between 2020 and 2023, update it. During the COVID-19 public health emergency, HHS's Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion: it would not penalize providers for delivering good-faith telehealth over everyday, non-public-facing video apps — consumer Zoom, FaceTime, Skype, Google Meet — even without a BAA.
That discretion is over. The public health emergency ended on May 11, 2023, and OCR allowed a 90-day transition period that expired on August 9, 2023. Since that date, full HIPAA requirements apply to telehealth, exactly as they did before the pandemic:
- What ended on August 9, 2023: OCR's tolerance for telehealth over consumer video tools without a BAA. Vanilla Zoom, FaceTime, and similar consumer apps are no longer an acceptable channel for sessions involving PHI.
- What's required now: a signed BAA with your video provider, encryption in transit, access controls, audit logging, and a documented risk analysis covering the telehealth workflow end to end.
- Who this binds: both the providers delivering care and the platforms (business associates) carrying the sessions. If you're the telehealth platform, your customers' compliance depends on yours.
For a telehealth startup, the practical takeaway is blunt: if there is no BAA covering your video path, you are out of compliance today — not in a gray area, not grandfathered. And because your provider customers are themselves on the hook, "do you have a BAA with your video infrastructure vendor?" is now a standard question in their vendor due diligence. The wrong answer kills deals.
Choosing video infrastructure
The first filter when picking a video stack is binary: will the vendor sign a BAA? If not, the conversation is over regardless of features or price. Vendors that have historically offered BAA-backed, healthcare-oriented video options include:
- Zoom — healthcare plans (often sold as Zoom for Healthcare / Zoom Workplace for Healthcare) where a BAA is part of the agreement. Consumer and standard business tiers are not covered.
- Twilio — signs BAAs covering designated HIPAA-eligible products. Note that Twilio's product line has shifted over time (its Programmable Video product was retired), so confirm which communications products are currently HIPAA-eligible.
- Vonage — the Vonage Video API (the former TokBox/OpenTok platform) has supported HIPAA-compliant configurations with a BAA.
- Daily — a developer-focused video API that offers BAAs on its HIPAA-oriented plans.
- AWS Chime SDK — covered under the AWS BAA as a HIPAA-eligible service, useful if you're already deep in AWS (see HIPAA on AWS).
Verify current BAA availability directly with the vendor before you build. Eligible-product lists, plan tiers, and even whole product lines change; the only thing that protects you is the agreement you actually sign, scoped to the services you actually use.
Beyond the BAA, evaluate the stack on the Security Rule's terms:
- Encryption in transit for all media and signaling (DTLS-SRTP for WebRTC media is the norm). End-to-end encryption is a bonus, not a strict requirement — but know which model your vendor uses and document it in your risk analysis.
- Session access control: unique per-session links or tokens, waiting rooms or host admission, and expiring credentials so a leaked link doesn't admit strangers into a visit.
- Audit logging: who joined which session, when, from where — exportable into your own audit trail.
- Data residency and retention: where media servers run, whether anything is persisted by default, and how fast transient data is purged.
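The session access controls above (per-session credentials that expire, cannot be reused, and are bound to one visit) can be implemented server-side with a signed join token. The following is an added example, not code from this guide or from any of the vendors named; the signing key, TTL and session ids are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a real deployment keeps the key in a KMS/secret store.
SIGNING_KEY = b"example-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 15 * 60  # a join link should not outlive the visit window


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_join_token(session_id, participant_id, role, now=None, key=SIGNING_KEY):
    """Mint a token bound to one session, one participant and one role, with an
    expiry and a unique id (jti) so it is accepted at most once."""
    now = int(time.time()) if now is None else now
    claims = {"sid": session_id, "sub": participant_id, "role": role,
              "exp": now + TOKEN_TTL_SECONDS, "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(sig)}"


def verify_join_token(token, session_id, used_jtis, now=None, key=SIGNING_KEY):
    """Return (accepted, reason_or_claims). Signature is checked before the body is
    parsed; then expiry, session binding and replay are enforced, which is what keeps
    a forwarded or leaked link from admitting a stranger to the visit."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(sig)):
            return False, "bad_signature"
        claims = json.loads(_b64d(body))
    except ValueError:
        return False, "malformed"
    if claims["exp"] <= now:
        return False, "expired"
    if claims["sid"] != session_id:
        return False, "wrong_session"
    if claims["jti"] in used_jtis:
        return False, "replayed"
    used_jtis.add(claims["jti"])  # record the join; this is also your audit event
    return True, claims
```

The `used_jtis` set stands in for a shared store (database or cache) so that replay detection works across multiple signaling servers.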
Recordings and storage
HIPAA does not require you to record telehealth sessions — and not recording is the simplest compliant posture. If recordings aren't core to your product, turn them off platform-wide and you've eliminated an entire category of risk.
If you do record (for clinical documentation, supervision, or quality), treat every recording as a high-sensitivity PHI asset:
- Encrypt at rest, with keys managed properly (KMS, not application config).
- Restrict access to the minimum necessary roles, and log every access — a session recording is exactly the kind of record a breach investigation will ask about.
- Define retention before you store the first file. Indefinite retention of video is a liability multiplier; align the schedule with your customers' clinical record requirements and delete on schedule.
- Check the vendor chain. If your video provider stores recordings in its own cloud, that storage must be inside the scope of your BAA with them. If recordings land in your S3 bucket, your AWS BAA and bucket controls apply.
- Mind consent. HIPAA governs the recording as PHI, but recording consent is largely state law — several states require all-party consent to record a conversation. Build consent capture into the product, not the support process.
The SMS reminder trap
Appointment reminders are the most common place telehealth products quietly leak PHI. Plain SMS is unencrypted and sits in the phone's notification tray, visible to anyone glancing at the lock screen. HIPAA permits appointment reminders, but the safe pattern is strict minimalism:
- Allowed (low risk): "Reminder: you have an appointment on Thu, Jun 18 at 2:00 PM. Reply C to confirm." Date, time, a confirm action, a generic callback number.
- Not allowed (PHI leakage): anything revealing health information — the provider's specialty ("your appointment with Dr. Reyes, Psychiatry"), the condition, test results, medication names, or even a clinic name that itself discloses treatment type (a dialysis or behavioral-health clinic name in plaintext SMS is a disclosure).
Operational requirements around the reminder flow:
- BAA with the messaging vendor. If the message content includes or implies PHI, the SMS/email provider is a business associate. Twilio, for example, signs BAAs for designated messaging products; consumer-grade email/SMS tools generally don't.
- Honor channel preferences. Patients have the right to request communications by alternative means; if someone asks for email-only or no-SMS, your system has to enforce that, not just note it.
- Deep-link, don't disclose. Put the details behind authentication: the SMS carries a neutral link, the portal shows the specifics after login.
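The reminder pattern above (minimal content, neutral deep link, channel preferences enforced rather than merely noted) as an added example, not code from this guide. The appointment record, portal URL, callback number and field names are constructed assumptions; the pre-send guard refuses any message that echoes a sensitive field of the record, so a template regression fails before it reaches a phone.

```python
from datetime import datetime

# Constructed sample record for this example; field names are assumptions.
SAMPLE_APPOINTMENT = {
    "id": "a1",
    "start": datetime(2026, 6, 18, 14, 0),
    "provider_name": "Dr. Reyes",
    "specialty": "Psychiatry",
    "clinic_name": "Northside Behavioral Health",
}
# Fields that would turn a reminder into a disclosure of treatment type.
SENSITIVE_FIELDS = ("provider_name", "specialty", "clinic_name", "condition", "medications")
CALLBACK_NUMBER = "555-0100"  # generic scheduling line, not a specialty-specific clinic line
PORTAL_BASE = "https://portal.example/appt/"  # details shown only after login


class ChannelBlocked(Exception):
    """Raised when the patient has opted out of the requested channel."""


def assert_no_phi(message, appointment):
    """Pre-send guard: refuse any message that echoes a sensitive field of the record."""
    lowered = message.lower()
    for field in SENSITIVE_FIELDS:
        value = appointment.get(field)
        if value and str(value).lower() in lowered:
            raise ValueError(f"reminder leaks {field}")
    return True


def build_reminder(appointment, prefs, channel="sms"):
    """Return (channel, text): date, time, confirm action, callback number, neutral link.
    The patient's channel preference is enforced here, not just stored."""
    if not prefs.get(channel, False):
        raise ChannelBlocked(f"patient has opted out of {channel}")
    start = appointment["start"]
    when = f"{start:%a, %b} {start.day} at {start.hour % 12 or 12}:{start:%M %p}"
    text = (f"Reminder: you have an appointment on {when}. Reply C to confirm. "
            f"Questions? Call {CALLBACK_NUMBER}. Details: {PORTAL_BASE}{appointment['id']}")
    assert_no_phi(text, appointment)
    return channel, text
```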
The state-law layer
HIPAA is federal — and it's the floor. Every state adds its own telehealth rules on top: patient consent requirements for telehealth itself, provider licensure for treating patients across state lines, prescribing restrictions for virtual-only relationships, all-party recording consent statutes, and state health-privacy laws that can be stricter than HIPAA (some, like Washington's My Health My Data Act, reach data HIPAA doesn't).
This guide won't enumerate fifty states — the point is that your compliance scope is HIPAA plus the laws of every state where your patients sit. Build the question into your launch checklist for each new state, and get counsel involved before you turn on cross-state care or recording features.
Telehealth HIPAA implementation checklist
- Map the PHI flow end to end: scheduling → reminders → waiting room → video session → notes → recordings → billing. Every hop is in scope.
- Inventory the vendors on that path and confirm a signed BAA for each — video, messaging, email, cloud, transcription, analytics. No BAA, no PHI.
- Run a risk analysis covering the telehealth workflow specifically — OCR's first document request in any investigation.
- Harden the session layer: encrypted transport, unique session credentials, host admission controls, join/leave audit logs.
- Decide your recording posture — off by default is simplest; if on, implement encryption, access logging, retention, and consent capture.
- Sanitize reminders: minimal content, BAA-covered messaging vendor, patient channel preferences enforced.
- Write the policies and train the workforce — administrative safeguards are half the Security Rule.
- Check state-law requirements for every state you serve before launch.
- Test your gaps: run the free HIPAA SaaS readiness checker, then work the findings through the full HIPAA compliance guide.
Related reading
- HIPAA for SaaS & digital health — the full resource hub
- HIPAA SaaS readiness checker — free instant gap readout
- HIPAA compliance guide — the complete walkthrough
- BAAs explained — what to sign with your video and messaging vendors
- HIPAA technical safeguards — the Security Rule mapped to real controls
Common questions
Can I use regular Zoom for telehealth?
Not for sessions involving PHI. Standard consumer Zoom accounts don't come with a BAA. Zoom offers healthcare plans where a BAA is part of the agreement — you need one of those (or another video provider that signs BAAs) before any patient session runs through the platform. The COVID-era enforcement discretion that tolerated consumer video tools ended on August 9, 2023.
Is FaceTime HIPAA compliant?
No. Apple does not sign business associate agreements for FaceTime, so it cannot be used for telehealth sessions involving PHI regardless of its encryption quality. It was tolerated only under OCR's COVID-era enforcement discretion, which ended in August 2023.
Did the COVID telehealth HIPAA exceptions end?
Yes. OCR's Notification of Enforcement Discretion for telehealth ended when the COVID-19 public health emergency expired on May 11, 2023, followed by a 90-day transition period that ended August 9, 2023. Since then, full HIPAA requirements apply to telehealth — including BAAs with video vendors.
Do telehealth sessions have to be recorded?
No — HIPAA does not require recording, and not recording is the simplest compliant posture. If you do record, the recording is PHI: it must be encrypted at rest, access-controlled, audit-logged, covered by your retention policy, and stored with vendors under BAA.
Are SMS appointment reminders a HIPAA violation?
Not automatically, but they're a common violation source. Plain SMS is unencrypted, so reminders must contain minimal information — date, time, a callback number — and never the provider's specialty, condition, or treatment details when that would reveal health information. You also need a BAA with the messaging vendor and should honor patient channel preferences.
Does my telehealth video vendor need a BAA?
Yes. A video platform transmitting patient sessions is creating, receiving, or transmitting PHI on your behalf, which makes it a business associate (or subcontractor business associate). A signed BAA is required before any patient traffic flows — encryption alone does not substitute for the agreement.
Do state laws add requirements beyond HIPAA for telehealth?
Yes. States layer on their own telehealth rules: consent requirements, provider licensure for cross-state care, prescribing restrictions, recording consent laws (some states require all-party consent), and state health privacy statutes that can be stricter than HIPAA. HIPAA is the floor, not the ceiling — check the states you operate in.
Is end-to-end encryption required for telehealth video?
HIPAA requires transmission security — encryption in transit is an addressable specification that in practice you must implement. Strict end-to-end encryption isn't explicitly mandated, and many healthcare video platforms use encrypted transport with media servers rather than true E2EE. What's non-negotiable: encrypted transport, a BAA, access controls, and audit logging.
Last updated: June 11, 2026 · Reviewed by the LukaGRC compliance team