Implements telehealth privacy compliance covering HIPAA requirements for virtual care, state licensing and recording consent laws, platform security with BAA requirements for telehealth vendors, cross-state prescribing rules, and OCR enforcement discretion during public health emergencies. Keywords: telehealth privacy, virtual care, HIPAA, recording consent, platform BAA, cross-state licensing, OCR enforcement.
Telehealth (also termed telemedicine, virtual care, or remote patient monitoring) involves the delivery of healthcare services through electronic communications technologies when the patient and provider are in different locations. The rapid expansion of telehealth — accelerated during the COVID-19 public health emergency — created a complex regulatory environment where HIPAA, state privacy laws, telecommunications regulations, and professional licensing requirements converge. Privacy compliance for telehealth requires addressing the security of the communication platform, the privacy of the encounter, state-specific consent and recording requirements, cross-state practice considerations, and the obligations of technology vendors as business associates.
Telehealth encounters involve the creation, transmission, and storage of ePHI and are fully subject to HIPAA:
| HIPAA Requirement | Telehealth Application |
|---|---|
| Privacy Rule (§164.500-534) | Telehealth encounters create PHI (notes, prescriptions, diagnoses); all Privacy Rule provisions apply including individual rights, minimum necessary, and authorization requirements |
| Security Rule (§164.312) | Telehealth platform must meet technical safeguards: access controls, audit logs, encryption in transit and at rest, integrity controls |
| Breach Notification Rule (§164.400-414) | Unauthorized access to telehealth session data (recording, transcript, chat) triggers breach notification analysis |
| BAA Requirement (§164.502(e)) | Telehealth technology vendor that creates, receives, maintains, or transmits ePHI must have a BAA with the covered entity |
Asclepius Health Network evaluates telehealth platforms against these Security Rule requirements:
Access Controls (§164.312(a)):
Audit Controls (§164.312(b)):
Transmission Security (§164.312(e)):
Integrity Controls (§164.312(c)):
| Platform Type | BAA Required | Rationale |
|---|---|---|
| Dedicated telehealth platform (Teladoc, Amwell, Doxy.me) | Yes | Creates, receives, maintains, or transmits ePHI |
| Video conferencing adapted for telehealth (Zoom for Healthcare, Microsoft Teams with BAA) | Yes | ePHI transmitted and potentially stored (recordings, chat) |
| Consumer video platforms without BAA (standard Zoom, FaceTime, Skype, Google Hangouts) | No BAA available — generally not compliant | No BAA offered; ePHI not adequately protected |
| EHR-integrated telehealth (Epic MyChart Video Visit) | Covered by existing EHR BAA | ePHI managed within existing BAA relationship |
| Remote patient monitoring devices | Yes (for cloud-connected devices) | Device data transmitted to vendor cloud containing ePHI |
| Asynchronous telehealth (store-and-forward) | Yes | Images, data transmitted and stored by vendor |
| Patient messaging/portal | Covered by existing EHR/portal BAA | Secure messaging within covered platform |
On March 17, 2020, OCR issued a Notification of Enforcement Discretion for Telehealth Remote Communications (85 FR 22024), stating that during the COVID-19 public health emergency, OCR would exercise enforcement discretion and would not impose penalties for noncompliance with HIPAA related to the good-faith provision of telehealth using non-public-facing remote communication technologies:
What was permitted during enforcement discretion:
What was NOT permitted even during enforcement discretion:
Post-PHE Status: The COVID-19 PHE ended on May 11, 2023. OCR enforcement discretion for telehealth formally expired on August 9, 2023. All telehealth must now be conducted on HIPAA-compliant platforms with BAAs in place.
Asclepius Health Network: Asclepius transitioned all telehealth to BAA-covered platforms (Epic MyChart Video Visit as primary; Zoom for Healthcare as backup) prior to the enforcement discretion expiration. All consumer-grade platform use for clinical telehealth was discontinued.
Healthcare providers are generally licensed by individual states. Providing telehealth services to a patient in a state where the provider is not licensed may violate that state's medical practice act.
Key Licensing Models:
| Model | Description | Participating States |
|---|---|---|
| Interstate Medical Licensure Compact (IMLC) | Expedited licensure pathway for physicians seeking multi-state licenses | 42 states, DC, and Guam as of 2024 |
| Nurse Licensure Compact (NLC) | Multistate license allowing RNs and LPN/VNs to practice across member states | 41 states as of 2024 |
| Psychology Interjurisdictional Compact (PSYPACT) | Allows psychologists to practice telepsychology across member states | 42 states as of 2024 |
| Individual state telehealth licenses | Some states offer special telehealth-only or limited-scope licenses | Varies by state (e.g., Florida, Texas telehealth registrations) |
| Full state licensure | Traditional full license in each state where patients are located | All states |
Privacy Implication: The state where the patient is physically located at the time of the telehealth encounter generally controls which state's privacy laws apply. This means the provider must comply with that state's specific privacy, consent, and recording requirements even if the provider is located in a different state.
Asclepius Health Network: Asclepius providers are licensed in the 4 states where Asclepius operates. For telehealth, the EHR prompts the provider to confirm the patient's physical location at the start of each encounter. The system applies location-specific consent requirements and recording notices based on the patient's state.
HIPAA does not specifically address recording of telehealth encounters, but recordings containing ePHI are subject to all HIPAA protections. Recordings become part of or associated with the medical record and must be:
State wiretapping and eavesdropping laws impose consent requirements on the recording of communications:
| Consent Model | Requirement | States |
|---|---|---|
| One-party consent | Only one participant needs to consent to recording (the provider can record without patient consent, but best practice is to inform) | 38 states + DC including New York, Texas, Ohio, Georgia, Virginia |
| Two-party (all-party) consent | All participants must consent to recording | 12 states: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Pennsylvania, Washington |
Two-party consent states require particular attention: A provider in a one-party state conducting telehealth with a patient in a two-party state must obtain the patient's consent before recording. The more restrictive state law controls.
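Added example, not Asclepius's or any vendor's code: a fail-closed pre-recording check that combines the patient-location confirmation described above with the rule that the more restrictive state law controls. The all-party state list is the one in the table; the `Encounter` fields and function names are assumptions for illustration.

```python
from dataclasses import dataclass

# All-party (two-party) consent states as listed in the consent table above.
ALL_PARTY_CONSENT_STATES = frozenset({
    "CA", "CT", "DE", "FL", "IL", "MD", "MA", "MI", "MT", "NH", "PA", "WA",
})


@dataclass(frozen=True)
class Encounter:
    provider_state: str
    patient_state: str = ""            # empty until the provider confirms the patient's location
    patient_consent_documented: bool = False


def consent_rule(provider_state: str, patient_state: str) -> str:
    """Apply 'the more restrictive state law controls': all-party if either state requires it."""
    states = {provider_state.strip().upper(), patient_state.strip().upper()}
    return "all-party" if states & ALL_PARTY_CONSENT_STATES else "one-party"


def recording_decision(enc: Encounter) -> tuple[bool, str]:
    """Return (allowed, reason). Recording is refused until location is verified."""
    if not enc.patient_state.strip():
        return False, "patient location not verified at session start"
    rule = consent_rule(enc.provider_state, enc.patient_state)
    if rule == "all-party" and not enc.patient_consent_documented:
        return False, "all-party consent required; patient consent not documented"
    return True, f"{rule} consent rule satisfied"


def audit_record(enc: Encounter) -> dict:
    """Compliance-monitoring entry (no clinical content): location verified, rule applied, outcome."""
    allowed, reason = recording_decision(enc)
    return {
        "location_verified": bool(enc.patient_state.strip()),
        "consent_rule": consent_rule(enc.provider_state, enc.patient_state) if enc.patient_state.strip() else None,
        "consent_documented": enc.patient_consent_documented,
        "recording_allowed": allowed,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed sample: provider in New York (one-party), patient in Florida (all-party).
    print(audit_record(Encounter("NY", "FL")))
    print(audit_record(Encounter("NY", "FL", patient_consent_documented=True)))
```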
Asclepius Health Network Recording Policy:
| State Requirement | Privacy Implication |
|---|---|
| Prescriber must be licensed in patient's state | Provider credential verification creates PHI (license lookup, verification) |
| State prescription drug monitoring program (PDMP) check required | Provider must access the patient's state PDMP — cross-state PDMP data sharing involves PHI |
| State formulary restrictions | May require disclosure of diagnosis to justify off-formulary prescriptions |
| E-prescribing mandates (most states for controlled substances) | Electronic prescription transmission must be HIPAA-compliant; DEA EPCS standards apply |
Asclepius Health Network: The telehealth platform integrates with the state PDMP for the patient's location. Providers must complete PDMP checks before prescribing controlled substances. The integration uses a HIPAA-compliant API with the state PDMP system. For cross-state encounters, the system automatically routes prescriptions to the correct state PDMP.
Remote patient monitoring involves continuous or periodic collection of health data from devices in the patient's home or on their person:
| RPM Component | Privacy Consideration | HIPAA Requirement |
|---|---|---|
| Monitoring devices (blood pressure cuffs, glucometers, pulse oximeters) | Device data is ePHI; device may store data locally | Encryption on device storage; secure transmission |
| Wearable devices (smartwatches, continuous glucose monitors) | Continuous data collection; potential for excessive data collection beyond medical necessity | Minimum necessary — collect only clinically relevant data; patient consent for monitoring scope |
| Cloud platform for data aggregation | Vendor receives and stores ePHI | BAA required with RPM platform vendor |
| Alerts and notifications | Transmitted health data may reach patient's personal device | Patient education on securing personal devices; notification content should minimize PHI |
| Data integration with EHR | RPM data flows into clinical record | Secure integration (FHIR API with OAuth 2.0); data quality validation |
While HIPAA does not require consent for treatment, RPM programs should obtain informed consent addressing:
| Component | Implementation |
|---|---|
| Telehealth Privacy Policy | Comprehensive policy covering platform selection, consent, recording, cross-state compliance, RPM; reviewed annually |
| Platform Approval Process | All telehealth platforms must be approved by IT Security and Privacy Office; BAA executed; security assessment completed |
| Provider Training | Annual telehealth-specific privacy training covering: location verification, consent procedures, recording requirements, secure environment setup |
| Patient Education | Telehealth privacy information provided at scheduling; pre-visit checklist includes privacy tips (private location, headphones, secure WiFi) |
| Incident Response | Telehealth-specific incident playbook covering: unauthorized access to session, recording breach, platform compromise |
| Compliance Monitoring | Monthly audit of telehealth session compliance: location verification completion, consent documentation, platform adherence |
Asclepius requires providers conducting telehealth to: