What Changed After COVID-Era Flexibilities Ended

During the COVID-19 public health emergency, HHS issued enforcement discretion notices that allowed providers to use non-HIPAA-compliant platforms (including FaceTime, Skype, and Zoom without a BAA) for good-faith telehealth delivery. Those emergency flexibilities have expired.

In 2026, the standard HIPAA rules apply to telehealth in full:

  • Telehealth must use a HIPAA-compliant platform with appropriate encryption and access controls
  • A Business Associate Agreement (BAA) must be in place with the telehealth platform vendor before patient sessions occur
  • Patient consent must be obtained and documented for telehealth visits
  • State licensure requirements apply based on where the patient is physically located at the time of service

Practices that continued using consumer-grade video tools after the emergency period ended are operating out of compliance.

What Makes a Telehealth Platform HIPAA-Compliant

A HIPAA-compliant telehealth platform is not defined by a certification badge or a claim on the vendor's website. It is defined by the technical, administrative, and physical safeguards the platform implements and the contractual obligations it accepts.

Required technical safeguards:

  • End-to-end encryption of video, audio, and any transmitted data
  • Access controls — only authorized users can access session data
  • Audit logs — the platform logs who accessed what, when
  • Automatic session termination after inactivity
  • Secure data storage if sessions or clinical data are retained

What the vendor must provide contractually:

  • A signed Business Associate Agreement before you transmit any PHI through the platform
  • Willingness to be contractually bound as a Business Associate under HIPAA
  • Breach notification procedures and timelines

A platform that refuses to sign a BAA or claims it isn't subject to HIPAA as a Business Associate cannot be used for telehealth involving PHI, regardless of its technical security features.

Business Associate Agreements for Telehealth

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity (your practice) and any business associate that creates, receives, maintains, or transmits PHI on your behalf. Your telehealth platform vendor, if they handle PHI, is a Business Associate.

What must be in a HIPAA-compliant BAA:

  • Permitted and required uses and disclosures of PHI by the business associate
  • Requirement that the business associate not use or disclose PHI beyond what is permitted in the BAA
  • Requirement to implement appropriate safeguards to prevent unauthorized use or disclosure
  • Breach notification obligations — the business associate must notify you of any breach within 60 days
  • Requirement to return or destroy PHI upon termination of the agreement
  • Requirement to make information available to HHS for compliance investigations

Common BAA mistake: Accepting a vendor's click-through terms of service without confirming a separate BAA is in place and signed. Many vendors bury BAA language in their terms of service or require you to affirmatively opt into a separate BAA process. Confirm explicitly with every telehealth vendor that a BAA is in place before the first patient session.

Telehealth vendors with BAAs readily available: Doxy.me, Zoom for Healthcare, Microsoft Teams (healthcare plans), Teladoc, SimplePractice, Healthie, and most purpose-built telehealth platforms. Consumer Zoom, FaceTime, Google Meet (standard), and Skype do not provide BAAs and cannot be used for HIPAA-covered telehealth.

HIPAA does not specifically require patient consent for telehealth visits beyond the standard Notice of Privacy Practices acknowledgment. However, most states have independent telehealth consent laws, and CMS requires documented patient consent for Medicare telehealth services.

Best practice regardless of state requirement: Obtain and document written (or electronic) informed consent for telehealth that covers:

  • The nature of telehealth services and how they differ from in-person care
  • Limitations of telehealth (inability to perform physical examination, technology limitations)
  • Privacy and confidentiality of the telehealth session
  • Patient's right to withdraw consent and receive in-person care instead
  • Technology requirements and what happens if the connection fails
  • Emergency procedures if a crisis arises during the session

For mental health and substance abuse telehealth, additional consent and confidentiality rules under 42 CFR Part 2 may apply. Consult a healthcare attorney for practices treating substance use disorders via telehealth.

Audio-Only Telehealth Rules

Audio-only telehealth (telephone visits without video) has different rules than video telehealth. CMS expanded Medicare coverage for audio-only telehealth during the pandemic and has maintained some of those expansions permanently.

Key audio-only provisions in 2026:

  • Medicare covers audio-only E&M visits (99441-99443) permanently for established patients who are unable to use video technology
  • The provider must document why video wasn't used (patient lacks video capability, technical limitations)
  • Audio-only is appropriate for conditions that don't require visual assessment — medication management, follow-up for stable conditions, behavioral health check-ins
  • Audio-only is not appropriate for new patient visits under Medicare in most circumstances
  • Commercial payer coverage for audio-only varies significantly — verify each payer's current policy

HIPAA applies to audio-only telehealth: the telephone system used must meet the same security standards as video systems. A regular telephone call over a standard PSTN line is not subject to HIPAA's technical safeguard requirements in the same way as electronic communications, but any transmission of PHI through a digital VoIP or messaging system is covered.

State Licensure Requirements

The most complex compliance area for telehealth is state licensure. In most states, you must be licensed in the state where the patient is physically located at the time of the telehealth visit — not where your practice is located.

Interstate licensure solutions:

  • Interstate Medical Licensure Compact (IMLC): Expedited licensure for physicians in participating states. As of 2026, 42 states participate. Allows physicians to obtain licenses in multiple participating states through a streamlined process.
  • Nurse Licensure Compact (NLC): Multistate license for registered nurses and LPNs in participating states.
  • Counseling Compact, Psychology Interjurisdictional Compact (PSYPACT): Behavioral health providers can practice across participating state lines under these compacts.

Practicing telehealth without a license in the patient's state is a serious legal and regulatory violation. Before expanding telehealth to patients in a new state, verify your licensure status and the state's specific telehealth laws. Some states have specific telehealth practice standards beyond just licensure.

Telehealth Billing and Documentation

Telehealth billing requires the appropriate place of service (POS) code and, for Medicare, specific CPT codes and modifiers depending on the service type.

Place of Service codes for telehealth:

  • POS 02: Telehealth services provided in a non-patient-home setting (patient is in a medical office, hospital, etc.)
  • POS 10: Telehealth services provided in a patient's home — used when the patient is at home during the telehealth visit (the most common scenario for direct-to-patient telehealth)

Medicare telehealth modifier: Use Modifier 95 on telehealth claims to indicate the service was provided via synchronous real-time interactive audio and video.

Documentation requirements for telehealth visits:

  • Document that the service was provided via telehealth (video or audio-only as applicable)
  • Record the patient's location (city and state) at the time of service
  • Document the technology used if relevant to coverage determination
  • For audio-only: document why video wasn't used
  • Patient consent for telehealth — documented in the chart
  • All standard clinical documentation requirements apply identically to telehealth and in-person visits

HIPAA-Compliant Telehealth Platforms Compared

| Platform | BAA Available | Specialty Focus | Starting Price |
|---|---|---|---|
| Doxy.me | Yes | General healthcare, primary care | Free tier available; paid from $35/mo |
| Zoom for Healthcare | Yes (separate plan required) | General; integrates with most EHRs | Healthcare plan pricing varies |
| SimplePractice | Yes | Mental health, therapy | $29-$99/mo |
| Healthie | Yes | Nutrition, health coaching, wellness | $49-$149/mo |
| Teladoc/Amwell | Yes | Enterprise; network-based telehealth | Enterprise pricing |
| Microsoft Teams (Healthcare) | Yes (Healthcare plan) | Large health systems | Part of Microsoft 365 Healthcare |

Purpose-built telehealth platforms (Doxy.me, SimplePractice, Healthie) are generally the simplest compliance path for small and mid-size practices — the BAA and HIPAA-compliant infrastructure are built in by design. Configuring a general-purpose tool like Zoom for HIPAA compliance requires additional steps and a specific healthcare plan subscription.

Telehealth Compliance Checklist

  • HIPAA-compliant telehealth platform selected and in use
  • BAA signed with telehealth platform vendor before first patient session
  • BAAs also in place with any scheduling, EHR, or billing vendors that receive telehealth PHI
  • Patient informed consent policy and form created and implemented
  • Patient consents documented in the medical record
  • Telehealth policies and procedures documented in HIPAA policies
  • State licensure verified for all states where telehealth patients are located
  • Staff trained on telehealth-specific HIPAA requirements
  • Billing workflow updated with correct POS codes (02 or 10) and modifiers
  • Documentation templates updated to include telehealth visit documentation requirements
  • Emergency and crisis protocols established for telehealth sessions

Frequently Asked Questions

Can I use regular Zoom for telehealth?

No. Consumer Zoom does not provide a Business Associate Agreement and is not HIPAA-compliant for use with protected health information. You must use Zoom for Healthcare (a separate paid plan that includes a BAA) or a purpose-built healthcare telehealth platform. Using consumer Zoom for telehealth visits is a HIPAA violation.

Do I need a BAA with my telehealth platform?

Yes, without exception. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate under HIPAA, and a BAA is required before any PHI is transmitted through their system. No BAA means no compliant telehealth.

Can I see patients in other states via telehealth?

You must be licensed in the state where the patient is physically located at the time of the service. Practicing telehealth without appropriate state licensure is a regulatory violation independent of HIPAA. Check whether the states where your patients are located participate in an interstate licensure compact relevant to your license type.

Does HIPAA require patient consent for telehealth?

HIPAA itself does not require specific telehealth consent beyond the standard Notice of Privacy Practices. However, many states have independent telehealth consent laws, CMS requires documented consent for Medicare telehealth, and best practice strongly supports obtaining and documenting informed consent for all telehealth visits. Your malpractice risk is also lower with documented consent.

What is POS 02 vs. POS 10 for telehealth billing?

Place of Service 02 is used when the patient is receiving telehealth from a non-home location (such as a medical office or clinic site). Place of Service 10 is used when the patient is at home during the telehealth visit, which is the most common scenario for direct-to-patient telehealth. Using the wrong POS code is a common billing error that results in denials or reimbursement rate adjustments on Medicare claims.

Last updated: March 2026 | Author: Bryan, Practice Success Team