Telehealth HIPAA Checklist: Post-Pandemic Enforcement is Here

Published: January 21, 2026 | Category: Compliance Checklist | Reading time: 11 min

During the COVID-19 public health emergency, OCR relaxed HIPAA enforcement for telehealth services. Those flexibilities have ended, and OCR is now enforcing full HIPAA compliance for telehealth. Use this checklist to ensure your practice is ready.

⚠️ Enforcement Has Resumed

OCR's Notification of Enforcement Discretion for telehealth services ended with the public health emergency. Practices must now comply with full HIPAA requirements for all telehealth services, including video platforms, messaging, and remote consultations.

What Changed?

During the pandemic, OCR allowed healthcare providers to use non-HIPAA-compliant video communication platforms (like FaceTime, Skype, Zoom) for telehealth services without risk of enforcement action. This temporary flexibility ended when the public health emergency declaration expired.

Now: OCR expects full HIPAA compliance for all telehealth services, including:

Video consultation platforms
Secure messaging systems
Remote patient monitoring
E-prescribing and digital health tools

Telehealth HIPAA Compliance Checklist

1. Business Associate Agreements (BAAs)

Signed BAA with video platform provider (Zoom for Healthcare, Doxy.me, etc.)

Signed BAA with secure messaging provider (if used)

Signed BAA with cloud storage provider hosting telehealth recordings

BAA register maintained with all telehealth vendors

Annual review of BAAs scheduled and documented

2. Platform Security

Video platform uses end-to-end encryption

Access controls implemented (unique user IDs, strong passwords)

Waiting rooms enabled to prevent unauthorized access

Session recordings encrypted and access-controlled

Audit logs enabled to track access to PHI

3. Patient Privacy

Patient consent obtained for telehealth services

Privacy notice updated to include telehealth services

Patients informed about privacy risks of telehealth

Procedures for handling patient requests to restrict telehealth use

Patient right to access telehealth records documented

4. Documentation

Telehealth usage policy created and signed

Procedures for documenting telehealth visits

Record retention policies for telehealth sessions

Incident response procedures for telehealth breaches

Risk assessment conducted for telehealth services

5. Staff Training

All staff trained on telehealth HIPAA requirements

Training documentation maintained (who, when, what topics)

Physicians trained on secure platform usage

Administrative staff trained on BAA requirements

Annual training scheduled and documented

6. Technical Safeguards

Unique user identification for all platform users

Automatic logoff after period of inactivity

Encryption in transit (HTTPS/TLS) verified

Encryption at rest for stored recordings

Regular security updates and patches applied

Common Compliance Gaps

Based on recent OCR enforcement actions, common gaps include:

Missing BAAs: Using platforms without signed Business Associate Agreements
Inadequate Security: Not using encrypted platforms or enabling security features
Missing Documentation: No written policies for telehealth HIPAA compliance
Insufficient Training: Staff not trained on telehealth-specific HIPAA requirements
No Risk Assessment: Failure to assess and document risks specific to telehealth

Platform-Specific Considerations

Video Platforms

Zoom for Healthcare: HIPAA-compliant when BAA is signed and security features enabled
Doxy.me: HIPAA-compliant platform designed for healthcare
Microsoft Teams: Requires BAA and proper configuration for HIPAA compliance
Avoid: Consumer platforms (FaceTime, Skype, Google Meet) unless BAA is signed

Secure Messaging

Ensure messaging platform has signed BAA
Verify end-to-end encryption
Document message retention policies
Train staff on appropriate use of messaging for PHI

What to Do If You're Not Compliant

Assess Current State: Review this checklist and identify gaps
Prioritize Fixes: Start with BAAs and platform security (highest risk)
Create Policies: Document telehealth usage policies and procedures
Train Staff: Provide HIPAA training specific to telehealth
Conduct Risk Assessment: Document risks and mitigation strategies
Monitor Compliance: Establish ongoing review procedures

Resources

For more information:

OCR Telehealth Notification - Official guidance on enforcement discretion ending
5 HIPAA Gaps We Found in 90% of AI-Generated Clinical Notes - Similar compliance gaps
Compliance Wizard - Generate telehealth-specific compliance documentation

Next Steps

If your practice offers telehealth services:

Complete this checklist to identify gaps
Verify all required BAAs are in place
Review platform security settings
Create or update telehealth HIPAA policies
Train staff on compliance requirements
Conduct a risk assessment for telehealth services

Remember: OCR enforcement has resumed. Non-compliant practices risk civil monetary penalties and corrective action plans. Address gaps now to protect your practice.