If you're still using standard Zoom, personal Gmail, or regular text messages to communicate with patients — you're not just behind on best practices. You're operating outside HIPAA compliance and exposing your practice to enforcement risk that is now very real.

The COVID-era enforcement grace period is long gone. The Office for Civil Rights (OCR) is actively investigating and fining providers. And the tools most commonly flagged in complaints? The ones your staff probably uses every day.

This guide walks through exactly what changed, what the rules now require, and how to bring your telehealth practice into full compliance in 2026 — without overhauling everything at once.

The 2026 HIPAA Telehealth Landscape

Telehealth exploded during the pandemic. From 2019 to the height of the public health emergency, the share of patients using telehealth grew from roughly 11% to 47%, driven largely by necessity and the government's temporary willingness to look the other way on platform compliance.

That window closed.

OCR's COVID-era HIPAA enforcement discretion for telehealth ended at 11:59 PM on May 11, 2023, with a 90-day transition period that expired August 9, 2023. Since that date, full HIPAA compliance applies to every remote care encounter — including business associate agreements (BAAs), security controls, and a current risk analysis that covers your telehealth workflows.

What many practice owners don't realize is that the Medicare reimbursement flexibilities (geographic restrictions, originating site rules) are a separate issue from HIPAA privacy and security compliance. Congress has continued extending Medicare telehealth coverage through December 31, 2027 — but those extensions say nothing about your privacy obligations. The HIPAA privacy and security rules snapped back to full enforcement in August 2023.

In 2026, the bottom line is this: every telehealth platform you use, every communication tool that touches patient data, and every vendor who handles that data on your behalf must meet HIPAA standards. No exceptions.

What Actually Changed: The Enforcement Timeline

Here's how the regulatory landscape shifted:

Date | What Happened
March 2020 | OCR issues Notice of Enforcement Discretion — providers can use non-compliant platforms "in good faith"
May 11, 2023 | COVID-era HIPAA telehealth enforcement discretion ends
August 9, 2023 | 90-day transition period expires — full compliance required
February 16, 2026 | OCR gains formal enforcement authority over Part 2 substance use disorder records
December 31, 2027 | Current Medicare telehealth coverage flexibility extension expires (reimbursement only)

The critical misunderstanding among practice owners: many assumed "telehealth flexibilities" meant HIPAA was still relaxed. It wasn't. The only flexibilities that were extended beyond 2023 relate to Medicare billing and reimbursement — not to privacy and security compliance.

Since August 2023, any provider using consumer Zoom, FaceTime, personal email, or standard SMS to transmit protected health information (PHI) has been operating in violation of HIPAA.

BAA Requirements: Which Telehealth Platforms Need Them

A Business Associate Agreement (BAA) is a legal contract between your practice (a covered entity) and any vendor that creates, receives, maintains, or transmits PHI on your behalf. Under HIPAA, you are required to have a signed BAA in place before the vendor accesses any patient data.

No BAA = HIPAA violation. Full stop. It doesn't matter how encrypted the platform is or what their marketing says.

Every one of these requires a BAA:

  • Your telehealth video platform
  • Your EHR or practice management system
  • Your secure messaging tool
  • Your patient scheduling software (if it handles any patient health info)
  • Any cloud storage you use for clinical records
  • Any AI documentation tools that process session notes

What to look for in a valid BAA:

  • The vendor explicitly acknowledges they are a Business Associate under HIPAA
  • They describe how they will safeguard ePHI
  • They commit to reporting breaches to your practice
  • They agree to return or destroy PHI upon contract termination
  • They identify any subcontractors who may also handle your PHI

If a vendor can't or won't sign a BAA, do not use their product for anything that touches patient data.

Non-Compliant Tools That Practices Still Use

This is where many practices have a serious blind spot. According to discussions across r/therapists and r/psychotherapists, some of the most common HIPAA violations stem from tools providers use every day without thinking twice.

Regular Text Messaging (SMS)

Standard SMS — from your iPhone, Android, or even Google Voice — is not HIPAA compliant and cannot be made fully compliant. The problem isn't just your end. You can't guarantee security on the patient's device, and standard SMS is transmitted and stored by carrier infrastructure without the level of encryption HIPAA requires.

The gray area many providers exploit: using text only for scheduling ("Your appointment is Thursday at 2 PM") with no PHI. This can be technically defensible — but only if the message contains absolutely no information connecting the patient to a health condition. The moment a text says "therapy appointment" or references a specific service, it's PHI.

As one therapist on r/therapists put it: "I advise my clients to avoid sending me messages they wouldn't feel comfortable texting their barber. If it's not something you'd share with your barber, it should go through the patient portal."

Personal Email (Gmail, Yahoo, Outlook)

Standard email is not HIPAA compliant without encryption or a signed BAA with the email provider. Many providers don't realize that even basic appointment reminders can constitute PHI — a message reading "Your therapy session is confirmed for Thursday" links the patient's identity to mental health services.

Google Workspace (paid) offers a BAA and can be configured for HIPAA compliance. Free Gmail does not. Yahoo and standard Outlook do not. Using these accounts for patient communication is a compliance gap that OCR audits regularly surface.

Standard Zoom (Free and Business Plans)

The free version of Zoom is explicitly not HIPAA compliant — it lacks the required security controls and does not offer a BAA. The standard Business plan also does not qualify. Only Zoom for Healthcare (previously called Zoom Workplace for Healthcare), available through a paid healthcare license with a signed BAA, meets HIPAA requirements.

Many providers who switched to "Zoom" during the pandemic never upgraded to the healthcare-specific plan. If you're using a standard Zoom subscription, you're non-compliant.

FaceTime and Apple Messages

FaceTime and iMessage are not HIPAA compliant. Apple does not sign BAAs for these consumer services. Period.

WhatsApp

WhatsApp is not HIPAA compliant and should not be used for any patient communication involving PHI. It is extremely common in some communities and among international patients, but it has no BAA mechanism and does not meet HIPAA's technical safeguard requirements.

Compliant Alternatives for Patient Communication

The good news: compliant options exist at every price point, including free.

For Video Telehealth Sessions

Platform | HIPAA Compliant | BAA Available | Starting Cost
Doxy.me | Yes | Yes | Free (basic)
Zoom for Healthcare | Yes | Yes | ~$16.99/user/month
SimplePractice Telehealth | Yes | Yes | Included with SimplePractice
Teladoc / Amwell | Yes | Yes | Enterprise pricing
Google Meet (Workspace) | Yes (paid only) | Yes | ~$6/user/month
Microsoft Teams (E3/E5) | Yes (with config) | Yes | Enterprise pricing

Not approved: Consumer Zoom, FaceTime, Google Meet (free), Skype, WhatsApp

For Secure Messaging

  • Spruce Health — HIPAA-compliant phone, text, and voicemail with BAA; popular with small practices
  • Klara — Secure patient messaging and communication platform
  • iPlum — HIPAA-compliant calling and texting at ~$15/month
  • Doximity — Commonly used by physicians; includes secure calling
  • Your EHR's built-in portal — Most major EHRs (SimplePractice, TherapyNotes, Jane App, Athenahealth) include secure patient messaging; use this first

For Secure Email

  • Paubox — Encrypts outbound emails automatically so patients receive them in standard email clients
  • Google Workspace (Business Starter) — With signed BAA, configured correctly
  • Microsoft 365 Business — With signed BAA and proper configuration

The simplest approach for most independent practices: keep clinical communication inside your EHR's patient portal, use a HIPAA-compliant phone/messaging service for routine contact, and run telehealth visits on a platform that signs a BAA.

Telehealth Platform HIPAA Compliance Checklist

Before using any platform for telehealth, verify all of the following:

Legal/Contractual

  • [ ] Signed BAA on file with the platform vendor
  • [ ] BAA covers all services you use (video, messaging, scheduling, storage)
  • [ ] BAA identifies any subcontractors who handle PHI
  • [ ] BAA includes breach notification obligations

Technical Safeguards

  • [ ] Video and audio encrypted in transit (TLS 1.2+ minimum), end-to-end where the platform supports it
  • [ ] Access controls requiring unique user IDs
  • [ ] Multi-factor authentication enabled
  • [ ] Automatic session timeout after inactivity
  • [ ] Audit logging of all user activity
  • [ ] Data encrypted at rest

Administrative Safeguards

  • [ ] Written telehealth policies in your HIPAA compliance program
  • [ ] Staff trained on platform-specific HIPAA requirements
  • [ ] Incident response plan covers telehealth breaches
  • [ ] Annual security risk analysis updated to include telehealth workflows

Patient-Facing

  • [ ] Telehealth-specific informed consent obtained and documented
  • [ ] Patients informed of their right to in-person care
  • [ ] Patient privacy notice covers telehealth

State-Specific Telehealth Regulations to Watch

HIPAA sets the federal floor, but many states have layered additional requirements on top of it. These vary significantly and are still evolving in 2026.

California has the most stringent state-level requirements. The Telehealth Advancement Act requires informed consent that discloses the specific limitations of telehealth. California also enforces the CCPA, which may apply to non-PHI patient data your practice collects. Strong parity laws require private insurers to cover and pay for telehealth at rates equivalent to in-person visits.

Texas requires written informed consent before each telemedicine encounter, with specific language requirements for mental health services. Prescribing rules are particularly strict around controlled substances.

New York requires documented informed consent before each virtual visit and enforces technology standards that, in some areas, go beyond what HIPAA requires. The Office of Mental Health has been actively updating behavioral health telehealth regulations.

Florida has relatively permissive telehealth rules for established patients but still requires compliance with all HIPAA standards and appropriate documentation.

Key compliance actions for multi-state telehealth:

  • Know the state where your patient is located at the time of the visit — that state's laws apply
  • Build consent forms that satisfy the most demanding state in your patient pool
  • Verify you hold licensure in every state where you see telehealth patients
  • Track DEA prescribing rules separately from state rules for controlled substances

For a deeper look at state compliance requirements, review our telehealth platform comparison guide, which covers platform-specific features by state.

OCR Enforcement: Recent Fines and What Triggered Them

OCR has dramatically increased its enforcement activity. In 2024 alone, 22 investigations resulted in civil monetary penalties or settlements — one of the busiest enforcement years on record. Here's what's been triggering fines:

Risk analysis failures are the single most common trigger. OCR expects every covered entity to conduct a thorough and accurate risk analysis that identifies all systems handling ePHI — including telehealth platforms, messaging tools, and any cloud services. Practices that deployed new telehealth tools during COVID without updating their risk analysis are particularly exposed.

2024-2025 Notable OCR Enforcement Actions:

  • Heritage Valley Health System — $950,000 settlement for failure to conduct a risk analysis and lack of emergency policies
  • Children's Hospital Colorado — $548,265 civil monetary penalty including failure to train 6,666 workforce members and impermissible ePHI disclosure
  • BayCare Health System — $800,000 settlement for information access management failures and impermissible disclosures
  • Northeast Radiology — $350,000 settlement following a server exposure affecting imaging records

The 2025 civil monetary penalty schedule (adjusted for inflation):

Tier | Culpability | Per-Violation Minimum | Per-Violation Maximum | Annual Cap
Tier 1 | Lack of knowledge | $145 | $73,011 | $2,190,294
Tier 2 | Reasonable cause | $1,461 | $73,011 | $2,190,294
Tier 3 | Willful neglect, corrected | $14,602 | $73,011 | $2,190,294
Tier 4 | Willful neglect, not corrected | $73,011 | $2,190,294 | $2,190,294

Using a non-compliant platform without a BAA — when you had reason to know BAAs were required — falls squarely into Tier 2 or Tier 3. That means minimum fines starting at $1,461 per violation, per day.

State attorneys general can also independently enforce HIPAA violations and may layer additional state privacy penalties on top of OCR fines.

Step-by-Step HIPAA Telehealth Audit for Your Practice

Use this process to identify and fix compliance gaps. Block two hours, gather your vendor list, and work through each step.

Step 1: Inventory Every Tool That Touches Patient Data (15 minutes)

List every software platform, app, and communication tool used in your practice. Include:

  • EHR and practice management system
  • Telehealth video platform(s)
  • Scheduling software
  • Patient messaging apps
  • Email services (practice and personal)
  • Cloud storage (Google Drive, Dropbox, etc.)
  • Any AI documentation tools
  • Billing software

Don't forget tools staff use informally — personal cell phones for patient texts, personal email for referral coordination, WhatsApp for patient check-ins.

Step 2: Verify BAAs for Every Vendor (20 minutes)

For each item on your list, locate the signed BAA. If you can't find it within five minutes of looking, assume it doesn't exist and request one immediately. Create a BAA tracker spreadsheet that includes:

  • Vendor name
  • Date BAA signed
  • BAA expiration or review date
  • Services covered
  • Contact for BAA-related questions

Step 3: Audit Non-Compliant Tools (15 minutes)

Flag any tool on your list that:

  • Has no BAA
  • Refused to sign a BAA
  • Is a consumer product (free Gmail, standard Zoom, FaceTime, SMS)
  • Staff are using outside of official practice policy

These tools must be replaced or restructured. Create a timeline — typically 30-60 days is reasonable for transitioning communication workflows.

Step 4: Review Your Risk Analysis (20 minutes)

Pull your most recent HIPAA security risk analysis document. Check:

  • Date last updated (it must be refreshed at least annually, and after any significant technology change)
  • Does it include telehealth platforms?
  • Does it cover remote work environments where staff conduct telehealth?
  • Does it identify risks associated with messaging tools?

If your risk analysis predates your telehealth deployment or hasn't been updated since 2022, you need to update it now. Use the HIPAA Compliance Self-Assessment resource to structure this update.

Step 5: Check Staff Training Records (10 minutes)

HIPAA requires workforce training on policies and procedures relevant to each staff member's role. Verify:

  • When was your last all-staff HIPAA training?
  • Does training specifically cover telehealth communication rules?
  • Are new hires trained before they handle any patient data?

Step 6: Review Patient Consent Documentation (10 minutes)

Confirm that your informed consent process includes:

  • Acknowledgment that care will be delivered via telehealth
  • Explanation of privacy limitations
  • Patient's right to request in-person care instead
  • Platform-specific privacy information

Step 7: Document What You Found and Set a Remediation Timeline

Create a written summary of gaps found and the steps to fix them. This documentation demonstrates good faith to OCR if questions arise, and it's required as part of your compliance program. The HIPAA Compliance Self-Assessment resource includes templates for this documentation.
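The audit steps above, as an added example that is not part of the original guide: a Python script that runs Steps 1 through 4 over a constructed tool inventory and rolls the findings into Step 7's 30-60 day remediation window. The tool names, dates and statuses are constructed for the example; the rules it encodes (consumer products, missing or refused BAAs, use outside practice policy, a risk analysis older than a year or older than the telehealth rollout) are the ones this guide lists.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Consumer products the guide says cannot be made compliant (no BAA available).
CONSUMER_TOOLS = {"free gmail", "standard zoom", "facetime", "imessage", "sms", "whatsapp"}

@dataclass
class Tool:
    name: str
    handles_phi: bool                   # Step 1: does it touch patient data?
    baa_signed: "date | None" = None    # Step 2: None means no BAA on file
    baa_review: "date | None" = None    # Step 2: BAA review or expiration date
    baa_refused: bool = False           # Step 3: vendor declined to sign
    sanctioned: bool = True             # Step 3: False = used outside practice policy

def audit_tool(tool: Tool, today: date) -> list:
    """Step 3: list the compliance gaps for one tool (empty list = none found)."""
    gaps = []
    if not tool.handles_phi:
        return gaps                     # no PHI, so no BAA requirement
    if tool.name.lower() in CONSUMER_TOOLS:
        gaps.append("consumer product: cannot be made compliant, replace it")
    if tool.baa_refused:
        gaps.append("vendor refused BAA: stop using it for PHI")
    elif tool.baa_signed is None:
        gaps.append("no signed BAA on file: request one immediately")
    elif tool.baa_review is not None and tool.baa_review < today:
        gaps.append(f"BAA review date {tool.baa_review} has passed")
    if not tool.sanctioned:
        gaps.append("used outside practice policy: sanction it or retire it")
    return gaps

def risk_analysis_gaps(last_updated: date, telehealth_deployed: date, today: date) -> list:
    """Step 4: the analysis must be under a year old and newer than the telehealth rollout."""
    gaps = []
    if today - last_updated > timedelta(days=365):
        gaps.append("risk analysis is more than a year old")
    if last_updated < telehealth_deployed:
        gaps.append("risk analysis predates the telehealth deployment")
    return gaps

def remediation_plan(tools, last_updated, telehealth_deployed, today):
    """Step 7: every gap found, plus the 30-60 day remediation window from today."""
    findings = {t.name: g for t in tools if (g := audit_tool(t, today))}
    ra = risk_analysis_gaps(last_updated, telehealth_deployed, today)
    if ra:
        findings["risk analysis"] = ra
    window = (today + timedelta(days=30), today + timedelta(days=60))
    return {"findings": findings, "remediate_between": window}

# Constructed sample inventory; names, dates and statuses are invented for this example.
SAMPLE_TOOLS = [
    Tool("Doxy.me", True, baa_signed=date(2024, 3, 1), baa_review=date(2027, 3, 1)),
    Tool("Standard Zoom", True),                       # consumer plan, no BAA on file
    Tool("Billing software", True, baa_signed=date(2023, 1, 10), baa_review=date(2025, 1, 10)),
    Tool("WhatsApp", True, sanctioned=False),          # staff check-ins outside policy
    Tool("Website analytics", False),                  # never sees PHI
]

if __name__ == "__main__":
    print(remediation_plan(SAMPLE_TOOLS, date(2022, 6, 1), date(2023, 4, 1), date(2026, 1, 15)))
```

Tools with no gaps (a compliant platform with a current BAA, or a tool that never sees PHI) are dropped from the findings, so what remains is the remediation list for your written summary.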

Frequently Asked Questions

Q: The COVID flexibilities let us use regular Zoom. Is that still okay in 2026?

No. OCR's enforcement discretion ended on May 11, 2023, with a transition window that closed August 9, 2023. Any use of non-HIPAA-compliant platforms for telehealth after that date is a potential violation. You must use a platform that signs a BAA and meets HIPAA's technical safeguards.

Q: Do I need a BAA with my EHR vendor even if they're already "HIPAA certified"?

Yes. There is no such thing as HIPAA "certification" for vendors — it's a self-attestation by the vendor that they meet requirements. Regardless of what a vendor claims about their compliance posture, you are required to have a signed BAA with any business associate. The BAA is what creates your legal protection.

Q: Can I text patients appointment reminders using my personal phone?

It depends on what the message says. Texts containing only a date and time, with no health information, may not constitute PHI transmission. However, any text that connects the patient's identity to a health service — "your therapy appointment," "your appointment with Dr. Smith's cardiology practice" — is likely PHI. The safest approach: use a HIPAA-compliant messaging service or your EHR portal for all patient communication.

Q: A patient asked me to just email them directly using Gmail. Can I do that?

HIPAA does allow providers to honor patient preferences for unencrypted communication, but only if you: (1) inform the patient of the risks, (2) obtain and document their informed consent to receive unencrypted email, and (3) keep that documentation in their record. This exception covers communication at the patient's explicit request — it doesn't cover your practice initiating contact via Gmail.

Q: We use a HIPAA-compliant EHR but still use Zoom for actual video visits. Is that okay?

Only if you're using Zoom for Healthcare (the paid healthcare-specific plan) with a signed BAA. Standard Zoom — including the Business plan — does not qualify. Check which version your practice is subscribed to. Many practices that "upgraded" during the pandemic are still on non-qualifying plans.

Q: What's the difference between HIPAA violations from OCR and from my state?

OCR enforces federal HIPAA. State attorneys general can also bring independent enforcement actions, and many states have their own privacy laws with separate penalties. California (CCPA), Texas, and New York have been particularly active. You can face fines from both OCR and your state for the same underlying violation.

Q: How often do I need to update my HIPAA risk analysis?

At minimum, annually. Also required whenever there is a significant operational change — such as deploying new telehealth software, switching EHRs, adding remote staff, or changing how you store patient records. OCR consistently cites outdated or missing risk analyses as the primary basis for enforcement actions.

Written by Bryan, Practice Success Team

About GetPracticeHelp

GetPracticeHelp.com is a free resource for independent healthcare practice owners. We research, compare, and connect you with the vendors and tools that help your practice run better — from billing and credentialing to EHR, staffing, and compliance. Browse 160+ vetted vendors at getpracticehelp.com/browse.