Telehealth Security Requirements

Reviewed by Fully Compliance editorial staff

Telehealth security requires a HIPAA-compliant video platform with a Business Associate Agreement, encryption of all video and data in transit, patient and provider authentication before every consultation, explicit consent before any recording, and integration with your EHR that transmits only the data relevant to each consultation. Consumer video platforms in their default configurations are not appropriate for healthcare use.

Consumer Video Platforms Are Not Healthcare-Appropriate Without Specific Configuration

Telehealth expanded healthcare access dramatically, and it also expanded the attack surface for patient data. A video consultation happens over the internet, with patient information transmitted from the patient's home, through their internet provider's network, to your facility, through your network, through cloud servers, and back to the patient's device. At each point in that journey, patient information could be intercepted, recorded, or compromised. The platforms that enable telehealth (video conferencing systems, patient portals, remote monitoring devices) have security vulnerabilities. And the people using them, both patients and providers, are often less technically sophisticated than enterprise IT users, making social engineering and configuration errors more likely.

The opportunity created by telehealth is real. Remote consultations reduce travel burden for patients, expand access to specialists, and make healthcare more efficient. The security risk is equally real. According to HHS breach data, telehealth-related incidents increased significantly during and after the rapid expansion of virtual care, and the agency resumed full HIPAA enforcement for telehealth platforms after the temporary COVID-19 enforcement discretion ended. Unencrypted video consultations, weak authentication of participants, recording of sessions without disclosure, storage of patient data on consumer devices — these patterns became normalized during the rapid telehealth expansion and now carry full regulatory risk.

Video Platform Selection and Privacy

Video conferencing platforms are the primary delivery mechanism for telehealth consultations, and the security and privacy implications depend entirely on which platform you use and how it's configured. Consumer platforms in their default configurations are not designed to meet healthcare privacy requirements. The platform itself may not encrypt video between participants, may record sessions without explicit disclosure, may retain session data beyond what's necessary, may grant the vendor rights to use data for marketing or training through its terms of service, may be hosted outside the United States, and may not have business associate agreements with healthcare providers.

HIPAA-compliant video platforms exist — healthcare-specific configurations from major vendors include appropriate encryption, audit logging, business associate agreements, and terms of service aligned with HIPAA. These platforms cost more than consumer versions, but the price difference is often small and the compliance protection is substantial.

The alternative is using consumer platforms with specific configurations that make them more suitable for healthcare. Some platforms can be configured with encryption, restricted recording, required authentication, and BAA support. But the configuration is critical — the default setup is not healthcare-appropriate, and organizations have to deliberately change settings to make it suitable. The risk is misconfiguration: a meeting that seems secure but isn't, a recording that's created without disclosure, data retained beyond the retention period. Patient perception of privacy matters alongside actual privacy — healthcare organizations should be transparent with patients about what platform is being used, what privacy protections are in place, and how their data is handled.

Encryption and Transmission Security

Video data transmitted over the internet needs to be encrypted so that someone intercepting the traffic cannot watch the consultation. Encryption in transit uses protocols like TLS to encrypt all data traveling between the provider's system, the video platform, and the patient's device. This is the baseline expectation for any video conferencing in healthcare.

The encryption should be end-to-end when possible, meaning that the video platform vendor itself cannot view the video without the encryption keys. End-to-end encryption is technically more complex than encryption that simply protects traffic in transit: in-transit encryption protects data while it's moving but doesn't prevent the platform vendor from accessing it. The practical reality is that most HIPAA-compliant video platforms use encryption in transit rather than true end-to-end encryption. This is acceptable for healthcare compliance if the platform has a BAA, the vendor is subject to HIPAA's business associate rules, and the platform doesn't retain recordings or data beyond what's necessary for the consultation.

TLS 1.2 or higher should be enforced — older encryption protocols like SSL or TLS 1.0 have known vulnerabilities. The video platform configuration should enforce strong encryption with no option to disable it. Testing the encryption is straightforward technically but often overlooked in practice — network monitoring tools can verify that traffic between endpoints and the video platform is encrypted, and checking platform documentation and settings confirms that encryption is enabled.

Patient and Provider Authentication

Before a provider can consult with a patient over video, the provider needs to be certain they're talking to the right patient. In-person care achieves this through photo identification and face-to-face confirmation. Telehealth requires explicit authentication mechanisms to ensure that the person on the video call is actually the patient whose medical record the provider is about to discuss.

The baseline is asking security questions that only the patient would know — date of birth, medical record number, address on file, previous procedures, medication names. For sensitive procedures or new patients, stronger authentication is required: a unique access code sent via text or email, information from a previous medical bill, or video identification with a government-issued ID. Patient authentication should be documented — the consultation note should include confirmation of how the patient was authenticated and by whom.

Providers connecting to telehealth consultations need multi-factor authentication — a password plus a code from an authenticator app, a security key, or SMS verification. MFA is especially important for remote access since the risk of compromise is higher when providers connect from outside the office. Shared logins where multiple providers use the same account are a compliance failure because audit logs cannot show which provider performed which action. For consultations involving multiple participants beyond the patient and the primary provider — a specialist, a nurse, a medical student, a family member — each person should be explicitly authenticated and their participation disclosed to the patient before the consultation begins.

Session management rounds out the authentication controls. Once a provider logs into a telehealth system, their session should remain active for a reasonable period — one shift or one workday. After that, they should need to re-authenticate. Sessions should also terminate after inactivity, preventing someone from taking over an unattended workstation.
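
The two limits described above, as an added Python example that is not taken from any telehealth product. The ten-hour lifetime, the fifteen-minute idle limit and the ProviderSession fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy values: the article says "one shift or one workday" for the
# absolute limit and names no figure for inactivity.
MAX_SESSION_SECONDS = 10 * 60 * 60
IDLE_TIMEOUT_SECONDS = 15 * 60


@dataclass
class ProviderSession:
    provider_id: str          # one account per provider, never a shared login
    authenticated_at: float   # epoch seconds of the last MFA login
    last_activity_at: float   # epoch seconds of the last request


def check_session(session: ProviderSession, now: float) -> tuple[bool, str]:
    """Decide whether the session may continue at time `now`."""
    if now < session.last_activity_at:
        # Timestamps running backwards mean tampering or clock trouble: fail closed.
        return False, "reauthenticate: clock inconsistency"
    if now - session.authenticated_at >= MAX_SESSION_SECONDS:
        return False, "reauthenticate: session lifetime exceeded"
    if now - session.last_activity_at >= IDLE_TIMEOUT_SECONDS:
        return False, "reauthenticate: idle timeout"
    return True, "ok"


def record_activity(session: ProviderSession, now: float) -> tuple[bool, str]:
    """Refresh the idle timer only while the session is still valid.

    authenticated_at is never moved, so constant activity cannot stretch a
    session past the absolute limit, and an expired session is never revived.
    """
    allowed, reason = check_session(session, now)
    if allowed:
        session.last_activity_at = now
    return allowed, reason
```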

Recording, Retention, and Regulatory Compliance

Many telehealth consultations are recorded for clinical purposes. Recording is useful, but it creates data retention and privacy obligations. If a recording is made, the patient must be informed and must consent. The recording must be stored securely with access controls limiting who can view it. The recording should be retained only for as long as it's clinically and legally necessary.

HIPAA requires that recordings of consultations containing protected health information be treated as part of the medical record, subject to the same access controls, retention requirements, and security safeguards. A recorded consultation encrypted and stored in the EHR is compliant. A recording stored on a provider's personal device or a shared cloud drive without access controls is not. The default should be that consultations are not recorded unless there's a specific clinical reason and explicit patient consent. Organizations that record all consultations by default and require patients to opt out create compliance risk because patients may not see the opt-out option or may not understand what they're consenting to.

Retention policies for recordings should balance clinical utility against privacy. Many organizations set a default retention period — 90 days to one year — beyond which recordings are automatically deleted unless there's a specific reason to retain them longer. Patients have the right under HIPAA to request copies of their medical records, which includes recordings.
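
A consent gate and retention sweep along these lines, as an added example rather than any vendor's implementation. The Recording fields, the 90-day default and the decision to send recordings that lack consent to manual review are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed default; the article cites 90 days to one year as common.
DEFAULT_RETENTION = timedelta(days=90)


@dataclass
class Recording:
    recording_id: str
    recorded_on: date
    consent_documented: bool            # patient informed and consented first
    clinical_reason: Optional[str]      # why this consultation was recorded
    hold_reason: Optional[str] = None   # documented reason to keep it longer


def may_record(consent_documented: bool, clinical_reason: Optional[str]) -> bool:
    """Recording is off by default: consent and a clinical reason are both required."""
    return bool(consent_documented and clinical_reason and clinical_reason.strip())


def retention_sweep(recordings, today: date, retention=DEFAULT_RETENTION):
    """Classify recordings as 'delete', 'keep' or 'review' for one scheduled run."""
    result = {"delete": [], "keep": [], "review": []}
    for rec in recordings:
        if not may_record(rec.consent_documented, rec.clinical_reason):
            # Assumption: a recording without consent or reason is escalated
            # for review instead of being silently deleted or kept.
            result["review"].append(rec.recording_id)
        elif rec.hold_reason and rec.hold_reason.strip():
            result["keep"].append(rec.recording_id)
        elif today - rec.recorded_on > retention:
            result["delete"].append(rec.recording_id)
        else:
            result["keep"].append(rec.recording_id)
    return result


# Constructed sample data.
SAMPLE = [
    Recording("rec-001", date(2024, 1, 10), True, "wound assessment"),
    Recording("rec-002", date(2024, 1, 10), True, "gait review", "open records request"),
    Recording("rec-003", date(2024, 5, 1), True, "speech therapy baseline"),
    Recording("rec-004", date(2024, 5, 1), False, None),
]
```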

Beyond HIPAA, telehealth is subject to additional regulatory frameworks that vary by jurisdiction. State medical boards have varying requirements about telehealth practice — some states require initial in-person consultation before telehealth follow-ups, some restrict which services can be delivered via telehealth, and some require specific technology standards. Telehealth across state lines adds complexity because a provider licensed in one state cannot simply provide consultations to patients in another state without being licensed there. DEA regulations around controlled substance prescribing by telehealth have specific requirements — in most cases, a provider cannot prescribe controlled substances via telehealth without an in-person consultation first, though exceptions exist for established patients and maintenance prescriptions.

Platform Vetting and EHR Integration

Selecting a telehealth platform is a procurement decision that should include security and compliance criteria alongside price and ease of use. Evaluate whether a platform has a business associate agreement, what encryption and audit logging it provides, what its incident response process is, and what its data retention policies are. Reputable vendors can provide security audit reports, SOC 2 certifications, or penetration testing results that demonstrate their security practices.

Integration capabilities matter because disconnected systems create manual work and data inconsistency. The platform should integrate with the EHR so that consultation notes automatically sync to the patient's medical record, integrate with the billing system so telehealth encounters are properly coded and billed, and integrate with patient portals so patients can schedule and access telehealth appointments in a single system.

The integration needs to be secure — only authorized data should be transmitted, data should be encrypted in transit, and audit logging should track what data is transmitted. Single sign-on integration using secure standards like OAuth or SAML improves usability by letting providers authenticate to the EHR once and then access the telehealth platform without re-authenticating. Patient data exchange between the EHR and telehealth platform needs to be handled carefully — the telehealth platform shouldn't have access to the entire EHR, only to the patient data relevant to the consultation. Sensitive information like psychiatric records or substance use history should not be automatically exposed unless clinically relevant and the patient has consented.
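
One way to apply that rule at the integration boundary, as an added example and not any EHR vendor's API. The visit types, field names and audit-entry layout are hypothetical, and the sample record is constructed.

```python
# Hypothetical sharing profiles: fields the telehealth platform may receive
# for each visit type. Anything not listed is withheld (allow-list).
FIELDS_BY_VISIT_TYPE = {
    "dermatology_followup": {"name", "date_of_birth", "allergies",
                             "medications", "dermatology_notes"},
    "psychiatry_followup": {"name", "date_of_birth", "allergies",
                            "medications", "psychiatric_notes"},
}
# Categories that also need the patient's consent before they are shared.
SENSITIVE_FIELDS = {"psychiatric_notes", "substance_use_history"}


def build_consult_payload(patient_id, ehr_record, visit_type, consented_fields):
    """Return (payload, audit_entry) for one consultation."""
    allowed = FIELDS_BY_VISIT_TYPE.get(visit_type)
    if allowed is None:
        # Fail closed: an unmapped visit type gets no data, not all data.
        raise ValueError(f"no sharing profile for visit type {visit_type!r}")
    payload, withheld = {}, {}
    for field in sorted(ehr_record):
        if field not in allowed:
            withheld[field] = "not_relevant_to_visit"
        elif field in SENSITIVE_FIELDS and field not in consented_fields:
            withheld[field] = "sensitive_without_consent"
        else:
            payload[field] = ehr_record[field]
    # The audit entry lists field names only, so the log carries no clinical content.
    audit_entry = {
        "patient_id": patient_id,
        "visit_type": visit_type,
        "sent_fields": sorted(payload),
        "withheld_fields": withheld,
    }
    return payload, audit_entry


# Constructed sample record; every value is made up.
SAMPLE_RECORD = {
    "name": "Test Patient",
    "date_of_birth": "1980-01-01",
    "allergies": ["penicillin"],
    "medications": ["example-drug 10 mg"],
    "dermatology_notes": "constructed note A",
    "psychiatric_notes": "constructed note B",
    "substance_use_history": "constructed note C",
    "insurance_member_id": "CONSTRUCTED-0001",
}
```

Consent alone does not release a sensitive field: it must also be in the visit type's profile, which mirrors the "clinically relevant and the patient has consented" condition above.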

Testing the integration is critical before going live. Create a test patient, schedule a telehealth appointment, conduct a test consultation, verify that notes and orders sync to the EHR, verify that billing data is transmitted correctly, and verify that audit logs capture all activity. The user experience matters because bad UX leads to workarounds — if the platform is difficult to use, providers fall back to less secure alternatives, and if it's difficult for patients to access, they skip consultations.


Frequently Asked Questions

Can I use regular Zoom or Microsoft Teams for telehealth?
Not in their default consumer configurations. Standard Zoom and Teams are not configured for HIPAA compliance out of the box. Both vendors offer healthcare-specific versions (Zoom for Healthcare, Microsoft Teams for healthcare) that include appropriate encryption, audit logging, BAA support, and compliant terms of service. If you use the consumer version, you must deliberately reconfigure settings and obtain a BAA from the vendor, and you accept the risk that misconfiguration creates compliance exposure.

Does HIPAA require end-to-end encryption for telehealth video?
HIPAA does not specifically mandate end-to-end encryption. Encryption in transit using TLS 1.2 or higher is acceptable if the platform vendor has signed a BAA, is subject to HIPAA's business associate rules, and does not retain recordings or data unnecessarily. End-to-end encryption provides stronger privacy by preventing the platform vendor from accessing video content, but it is not a strict HIPAA requirement.

Do I need patient consent before recording a telehealth consultation?
Yes. If you record a telehealth consultation, you must inform the patient and obtain their consent before the recording begins. Recordings containing PHI are part of the medical record and subject to HIPAA's security and retention requirements. The safer approach is to record only when there's a documented clinical reason rather than recording all consultations by default.

What are the rules for prescribing controlled substances via telehealth?
DEA regulations generally require an in-person consultation before prescribing controlled substances, with exceptions for established patients and maintenance prescriptions. The specific rules depend on the substance schedule and the state. Organizations need documented processes to ensure compliance, and prescribing systems should reflect the legal authority of each provider type in each state where they practice.

How do I authenticate patients for telehealth consultations?
At minimum, verify identity through security questions the patient would know — date of birth, medical record number, address on file. For sensitive procedures or new patients, use stronger methods such as a unique access code sent via text or email, or video verification with a government-issued ID. Document the authentication method in the consultation note.

What happens if my telehealth platform vendor has a breach?
You are responsible for notifying affected patients and HHS, even though the vendor's systems were compromised. Your BAA should require the vendor to notify you within a specified timeframe (typically 24 hours for potential breaches) and provide enough information for you to determine the scope. The vendor should cooperate with your investigation and preserve forensic evidence.