Telehealth HIPAA Considerations
The HIPAA Privacy and Security Rule applies to telehealth services; technology choices must support the safeguards.
1 min read · Last reviewed May 23, 2026
At a glance
- Category
- Telehealth
- Primary sources
- 2
- Workspace handoff
- compliance binder →
Where this comes up
Telehealth coding, place-of-service, modifier (95, GT, GQ, FQ, FR), and post-PHE policy parity all converge here. State licensure rules and DEA controlled-substance prescribing rules add a second compliance layer most billers learn about only after the first denial.
Full definition
What it is in practice
HHS clarifies that telehealth platforms transmitting ePHI must support HIPAA-compliant safeguards and a BAA with the vendor. Consumer video apps without a BAA do not meet the standard.
How it shows up in your practice
Use a telehealth platform that signs a BAA. Document the platform choice in the risk analysis.
Sources
- HHS — Telehealth & HIPAAhttps://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html
- 45 CFR 164.312 — Technical safeguardshttps://www.ecfr.gov/current/title-45/section-164.312
Document telehealth platform selection in the Compliance Binder
Open compliance binder →Related terms
- TelehealthTelehealthDelivery of health care services through audio-video or audio-only technology when the patient is not at the same location as the practitioner.
- HIPAA & PrivacyBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- SecurityEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
- HIPAA & PrivacyHIPAA Security RuleThe federal regulation at 45 CFR Part 164 Subpart C that requires safeguards for ePHI.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
Related across the archive
- GlossaryEncryption in TransitCryptographic protection of ePHI moving between systems or networks, typically via TLS.
- GlossaryHIPAA Security RuleThe federal regulation at 45 CFR Part 164 Subpart C that requires safeguards for ePHI.
- GlossaryTelehealthDelivery of health care services through audio-video or audio-only technology when the patient is not at the same location as the practitioner.
- GlossaryBAA (Business Associate Agreement)A written contract required between a covered entity and any vendor that creates, receives, maintains, or transmits PHI on its behalf.
- SRAHIPAA Risk Analysis for a Mental Health PracticeWhat therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- GlossaryAudit LogA record of system activity (logins, record access, configuration changes) that can be reviewed to detect inappropriate access or system compromise.
- GlossaryEmail Encryption GatewayA system that automatically encrypts outbound email containing PHI based on content rules or recipient address.
This glossary entry is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at HHS, OCR, CMS, eCFR, NIST, and the relevant payer or industry body.