HIPAA Compliant Telehealth: Platform and Hosting Requirements in 2026
Last updated: June 18, 2026
HIPAA compliant telehealth requires two things: a video and messaging platform that signs a Business Associate Agreement (BAA) and is configured correctly, and HIPAA-compliant hosting for everything behind it: the application, the patient data, and the session recordings. The COVID-era enforcement discretion that let providers use almost any video tool ended on May 11, 2023. Since then, every telehealth visit must meet the full HIPAA Security Rule, and the HHS Office for Civil Rights (OCR) enforces it. So a free Zoom call, or a recording saved to a personal Google Drive, is no longer a gray area; it is a violation. This guide covers what 2026 actually requires, for both providers and the telehealth platforms that serve them.
TL;DR: Quick answer
- The COVID enforcement discretion ended May 11, 2023, so HIPAA compliant telehealth must now meet the full Security Rule on every visit.
- Your video tool must sign a BAA. Zoom for Healthcare and Doxy.me do; standard or free Zoom and FaceTime do not.
- The BAA has to be signed before the first session, and video, audio, and data must be encrypted in transit with TLS 1.2 or higher.
- A session recording is electronic protected health information (ePHI). It cannot live in personal Google Drive, iCloud, or Dropbox; it needs BAA-covered, encrypted storage.
- Telehealth platforms and the apps behind them need HIPAA-compliant hosting under a BAA, which is the part the video tool does not cover.
What HIPAA requires for telehealth now
For a few years, providers could use almost any video app for telehealth. That was a temporary exception. During the COVID-19 public health emergency, OCR said it would not penalize good-faith use of non-compliant tools. That discretion ended on May 11, 2023. Since then, telehealth gets no special treatment. The Privacy Rule, the Security Rule, and the Breach Notification Rule all apply in full, the same as any other system that handles patient data.
This matters because a telehealth visit touches PHI at several points: the live video, the chat, the intake form, the notes, and any recording. Each point has to be protected, and every vendor that handles that data has to sign a BAA under 45 CFR § 164.308(b). Whether your organization is in scope at all is covered in our guide to who needs HIPAA-compliant hosting; for telehealth providers and platforms, the answer is almost always yes.
The video tool must sign a BAA
The first requirement for HIPAA compliant telehealth is a platform that will become your Business Associate. Not every plan of every tool qualifies, so check the tier.
- Zoom. Standard and free Zoom plans do not include a BAA or HIPAA settings. Only the Zoom for Healthcare plan signs a BAA and turns on the right configuration.
- Doxy.me. Built for healthcare and offers BAA coverage. Confirm your account tier and execute the BAA through its portal.
- FaceTime, regular Skype, and consumer chat apps. No BAA, so they cannot be used for HIPAA compliant telehealth.
Two rules apply to all of them. The BAA must be signed before the first clinical session, not just available somewhere. And every connection must be encrypted in transit with TLS 1.2 or higher; TLS 1.0 and 1.1 are deprecated and should be disabled on anything you control. One caveat: TLS covers the signaling, chat, and data paths, while live video and audio in browser-based tools usually travel over DTLS-SRTP, so ask the vendor to document how the media stream itself is encrypted rather than assuming the TLS setting covers it.
The video tool is only half the picture
Here is the part that trips up most telehealth providers and the companies that build telehealth software. A compliant video tool protects the live call. It does not protect everything around it. The patient portal, the scheduling and intake system, the clinical notes, the billing data, and the recordings all live somewhere else, and that somewhere has to be HIPAA-compliant hosting under its own BAA. A perfect Zoom for Healthcare setup feeding into a patient portal on ordinary hosting still fails an audit.
This is why HIPAA compliant telehealth is a hosting question as much as a video question. The application and its data need a host that signs a BAA and implements the Security Rule safeguards: encryption at rest and in transit, access controls, audit logging, and tested backups. Our complete guide to HIPAA-compliant hosting covers those safeguards, and for the cloud platforms that telehealth software usually runs on, see HIPAA compliant cloud hosting.
Session recordings are ePHI
A recorded visit is among the most sensitive data a practice holds. It is ePHI, full stop. That means it cannot sit in a personal Google Drive, an iCloud account, or a standard Dropbox, because none of those carry a BAA, guaranteed encryption, or the access controls the content needs. Recordings belong in BAA-covered, encrypted storage with logging that shows who opened them. The same rule covers transcripts and AI-generated summaries of a visit. Where that data is stored is part of the hosting question, which we break down in HIPAA compliant database hosting.
If you build telehealth software, you are a Business Associate
Telehealth platforms, scheduling tools, remote monitoring dashboards, and AI scribes that handle patient data for provider customers are Business Associates under 45 CFR § 160.103. That carries direct liability to OCR, plus the duty to sign BAAs with your provider customers and with your own infrastructure vendors. The practical core of that obligation is running the product on HIPAA-compliant hosting. Intake forms are part of the same chain; building them correctly is covered in HIPAA compliant forms.
A telehealth compliance checklist
- BAA with the video tool, signed before the first session, on a plan that includes HIPAA settings.
- Encryption in transit (TLS 1.2 or higher) for the call and any data exchanged, and encryption at rest for everything stored.
- HIPAA-compliant hosting for the platform, portal, forms, and notes, under its own BAA.
- Secure storage for recordings, never a personal cloud account.
- Access controls and audit logs so you can show who saw what and when.
- Secured devices, because the clinician's laptop or phone is an ePHI system too, and should be encrypted and locked.
- A documented risk analysis that includes the whole telehealth data path, which OCR asks for first.
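The checklist items on access controls and audit logs, and the earlier point that recording storage needs logging that shows who opened them, are easier to reason about with a concrete shape in front of you. The following is an added example written for this guide, not code from any hosting provider or video vendor. It shows one way to enforce role-based access to a recording and to keep a tamper-evident access log: each log entry carries an HMAC over its own fields plus the previous entry's tag, so editing, deleting, or reordering an entry breaks verification. The role names, the action names, the user and visit identifiers, and the `AUDIT_KEY` value are all constructed for illustration; in a deployment the key would come from a secrets manager and the log would also be shipped to write-once storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed for this example only. In a real deployment the key comes from a
# secrets manager or HSM and is never checked into source.
AUDIT_KEY = b"example-audit-key-do-not-use-in-production"

# Least privilege: each role gets only the actions its job needs. Role and
# action names are assumptions for illustration, not HIPAA-defined terms.
ROLE_PERMISSIONS = {
    "clinician": {"view_recording", "view_transcript"},
    "billing": {"view_transcript"},
    "scheduler": set(),
}


class AuditLog:
    """Append-only access log with an HMAC chain.

    Each entry's tag covers the entry body plus the previous entry's tag, so
    editing, deleting, or reordering any entry makes verify() return False.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, body: dict, prev_tag: str) -> str:
        payload = json.dumps(body, sort_keys=True).encode() + prev_tag.encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, user: str, role: str, action: str, resource: str,
               allowed: bool, when: str = "") -> dict:
        body = {
            "ts": when or datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "resource": resource,
            "allowed": allowed,
        }
        prev_tag = self.entries[-1]["tag"] if self.entries else ""
        entry = {**body, "tag": self._tag(body, prev_tag)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every tag from the chain start; any break returns False."""
        prev_tag = ""
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "tag"}
            if not hmac.compare_digest(self._tag(body, prev_tag), entry["tag"]):
                return False
            prev_tag = entry["tag"]
        return True

    def who_accessed(self, resource: str) -> list:
        """The auditor's question: who touched this recording, when, and
        whether they got in. Denied attempts are included on purpose."""
        return [(e["ts"], e["user"], e["action"], e["allowed"])
                for e in self.entries if e["resource"] == resource]


def access_recording(log: AuditLog, user: str, role: str, action: str,
                     recording_id: str) -> str:
    """Authorize, log, then serve. The denial is logged before raising so a
    probe for recordings someone should not see still leaves a trace."""
    allowed = action in ROLE_PERMISSIONS.get(role, set())
    log.append(user, role, action, recording_id, allowed)
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not {action} {recording_id}")
    # Stand-in for fetching and decrypting the object from BAA-covered storage.
    return f"decrypted-bytes-of-{recording_id}"


def demo() -> AuditLog:
    """Constructed sample traffic: a clinician views a visit, a billing user
    tries to open the video and is refused, then reads the transcript."""
    log = AuditLog(AUDIT_KEY)
    access_recording(log, "dr.lee", "clinician", "view_recording", "visit-0042")
    try:
        access_recording(log, "pat.b", "billing", "view_recording", "visit-0042")
    except PermissionError:
        pass
    access_recording(log, "pat.b", "billing", "view_transcript", "visit-0042")
    return log


if __name__ == "__main__":
    log = demo()
    for row in log.who_accessed("visit-0042"):
        print(row)
    print("chain intact:", log.verify())
```

Two design points worth carrying into a real system: the authorization decision is written to the log before the resource is served, so a denied request is evidence rather than silence, and the chain lets an auditor prove the log was not edited after the fact, which is the difference between a log that shows who saw what and one that merely claims to.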
Where to host the telehealth side
The video tool is a contract you sign. The infrastructure is a choice you make. If your telehealth visits feed a portal, store recordings, or run on custom software, that side needs a host built for healthcare. Our healthcare hosting provides single-tenant, BAA-covered environments for clinics, practices, and telehealth platforms, with encryption, a web application firewall, audit logging, and encrypted backups included. For larger or scaling platforms, our managed HIPAA cloud hosting runs the application layer. We sell these services, so weigh that as a disclosure. We also say plainly when a simpler setup fits, because a provider who understands the full telehealth data path makes safer choices either way. If you want a straight read on yours, tell us what your telehealth setup collects and stores.
Frequently asked questions
Is telehealth still allowed under HIPAA after the COVID waiver ended?
Yes. Telehealth is fully allowed, but the COVID enforcement discretion ended May 11, 2023, so every visit must now meet the full HIPAA Security Rule. The flexibility to use any video app is what went away.
Is Zoom HIPAA compliant for telehealth?
Only the Zoom for Healthcare plan with a signed BAA and HIPAA settings enabled. Standard and free Zoom plans do not include a BAA and cannot be used for HIPAA compliant telehealth.
Can I record a telehealth visit and save it to Google Drive?
No, not a personal or standard Drive. A recording is ePHI and needs BAA-covered, encrypted storage with access controls. A personal cloud account has none of those.
Does a HIPAA compliant video tool make my whole telehealth setup compliant?
No. The video tool protects the call. The portal, intake forms, notes, billing data, and recordings need HIPAA-compliant hosting under its own BAA. Both halves are required.
Is my telehealth software company a Business Associate?
Yes, if it handles patient data for provider customers. That brings direct liability to OCR and the duty to sign BAAs with customers and infrastructure vendors, and to run on HIPAA-compliant hosting.
Recap: HIPAA compliant telehealth
To recap, HIPAA compliant telehealth has two halves. The video tool must sign a BAA on the right plan and encrypt the session. Everything behind the call, the portal, the forms, the notes, and the recordings, needs HIPAA-compliant hosting under its own BAA. The COVID waiver is gone, so this applies to every visit now. Sign the BAA with your video tool, store recordings in encrypted BAA-covered storage, and host the platform and its data with a provider built for healthcare.
This article is general information, not legal advice. Telehealth also involves state licensure and consent rules beyond HIPAA. Confirm your obligations with qualified counsel and base your safeguards on a documented risk analysis. Reviewed June 2026.
Sources
- HHS: Notification of Enforcement Discretion for Telehealth (and its expiration)
- 45 CFR § 164.312 (technical safeguards): ecfr.gov
- 45 CFR § 164.308 (administrative safeguards, BAA requirement): ecfr.gov
- HHS: Guidance on HIPAA and Cloud Computing