HHS Guidance on HIPAA and Telehealth: The Complete 2026 Compliance Guide

Quick Answer: HHS guidance on HIPAA and telehealth — issued primarily through the Office for Civil Rights (OCR) — requires all covered healthcare providers and health plans offering virtual care to comply fully with the HIPAA Privacy, Security, and Breach Notification Rules. The COVID-era enforcement discretion that allowed non-compliant platforms ended permanently on August 9, 2023. Today, every telehealth provider must use HIPAA-compliant platforms, execute signed Business Associate Agreements (BAAs) with technology vendors, implement technical and administrative safeguards, and follow strict rules for audio-only sessions. This guide walks you through every layer of what that means in practice.


Introduction: Why HHS Guidance on HIPAA and Telehealth Matters More Than Ever

Telehealth has permanently reshaped how Americans access healthcare. According to data highlighted by the U.S. Department of Health & Human Services (HHS), nearly 80% of healthcare consumers had tried telemedicine at least once by 2026 — a figure unimaginable before 2020. Mental health services, primary care visits, specialist consultations, and even substance use disorder treatment are now routinely delivered through screens.

But with that convenience comes significant legal and regulatory responsibility. Every virtual session that involves a patient’s health information is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), just as rigorously as an in-person visit. And since the end of the COVID-19 Public Health Emergency (PHE), there are no more grace periods or exceptions: full compliance is required.

The HHS guidance on HIPAA and telehealth is not a single document. It’s a layered body of rules, official guidance publications, FAQ responses, and enforcement actions — primarily issued through OCR, the HHS Office for Civil Rights, the federal agency responsible for HIPAA enforcement. Understanding this guidance is no longer optional for any covered provider offering remote care.

This article synthesizes all current HHS guidance into one actionable, clearly structured reference — including the rules on audio-only telehealth, Business Associate Agreements (BAAs), platform selection, security safeguards, and what changed when COVID-era discretion ended.


Who Is Covered: Understanding HIPAA’s Scope for Telehealth

Before diving into the specific guidance, it’s worth clarifying who is obligated to follow it.

According to HHS’s official telehealth and HIPAA resource page, the HIPAA Rules apply to covered entities and their business associates. In the telehealth context:

Covered entities include:

  • Licensed healthcare providers (physicians, therapists, counselors, nurses, etc.) who transmit health information electronically
  • Health plans (insurance companies, HMOs, Medicare, Medicaid)
  • Healthcare clearinghouses

Business associates in the telehealth context include:

  • Video conferencing platform vendors (if they create, receive, or store PHI)
  • Cloud storage providers holding patient session data
  • Transcription or AI note-taking services used during sessions
  • Billing services and EHR vendors

If you are a licensed counselor, physician, or psychologist conducting sessions via video or phone, you are a covered entity. The platform you use to do that is likely your business associate. Both parties carry compliance obligations under HIPAA.

HHS’s Telehealth.gov puts it plainly: telehealth appointments, messages, and related health and billing information are protected by HIPAA in exactly the same way as in-person visits.


The End of COVID-Era Enforcement Discretion: What Changed in 2023

The Original Emergency Policy

When COVID-19 arrived in March 2020, HHS OCR issued an emergency Notification of Enforcement Discretion for Telehealth that temporarily suspended HIPAA penalties for providers using non-compliant telehealth platforms in good faith. Under that policy, providers could use consumer apps like Apple FaceTime, Skype, Google Hangouts, and Zoom — even without BAAs — without risking HIPAA enforcement.

This was an emergency measure, not a permanent change to HIPAA.

The End of the Grace Period

The COVID-19 PHE ended on May 11, 2023. HHS OCR announced that its enforcement discretion would also end simultaneously, with a 90-calendar-day transition period for providers to bring their telehealth operations into full HIPAA compliance. That transition period expired at 11:59 p.m. on August 9, 2023.

As confirmed by HIPAA Journal’s analysis of the enforcement transition, since that date, healthcare providers must only use fully HIPAA-compliant platforms for telehealth — or risk financial penalties.

What This Means for Providers Today

If you are still using a platform whose vendor will not sign a BAA, you are in violation of HIPAA. Period. The informal arrangements that worked during the pandemic are no longer permissible. Any provider still using standard consumer Zoom, FaceTime, or Google Meet without a healthcare BAA in place is operating outside the law.

The full HHS HIPAA and Telehealth page remains the authoritative source on this transition and the rules that now apply.


Core HIPAA Requirements for Telehealth: What the HHS Guidance Requires

HHS guidance establishes that telehealth services must comply with three interconnected HIPAA rules. Here is what each requires in a virtual care context.

1. The HIPAA Privacy Rule

The Privacy Rule governs how Protected Health Information (PHI) — any individually identifiable health information — can be used and disclosed. In telehealth, this means:

  • Sessions must be conducted in private settings. HHS guidance explicitly states that “OCR expects health care providers will ordinarily conduct telehealth in private settings.” Providers should avoid conducting sessions in public or semi-public spaces unless patients have provided specific consent.
  • PHI collected during telehealth sessions (session recordings, transcripts, clinical notes, appointment data) must be handled under the same privacy protections as in-person records.
  • Providers must offer patients a Notice of Privacy Practices before or at the first point of service.
  • Minimum necessary standards apply: providers should only share the minimum PHI necessary for the telehealth purpose at hand.

2. The HIPAA Security Rule

The Security Rule governs electronic PHI (ePHI) — and telehealth generates enormous volumes of it. Per the HHS Security Rule guidance, covered entities and business associates must implement:

Administrative safeguards:

  • A documented risk analysis identifying all sources of ePHI (including telehealth platforms, session recordings, and messaging tools)
  • Policies and procedures for telehealth sessions
  • Workforce training on HIPAA-compliant telehealth practices
  • Unique user identification for all individuals accessing ePHI

Technical safeguards:

  • Encryption of ePHI in transit during telehealth sessions
  • Automatic logoff from telehealth portals after a period of inactivity
  • Audit controls — logs of who accessed what, when
  • Authentication mechanisms (including multi-factor authentication, strongly recommended by OCR)

Physical safeguards:

  • Device controls for computers and mobile devices used for telehealth
  • Protection of workstations used to access patient systems

As Accountable HQ’s 2025 compliance resource notes, key security actions for any telehealth provider now include using platforms that sign BAAs, enabling encryption in transit, restricting access with unique IDs and two-factor authentication, logging and auditing remote sessions, and updating the security risk analysis to reflect telehealth-specific workflows and vendors.

3. The HIPAA Breach Notification Rule

If a telehealth session, platform, or associated system results in a breach of unsecured PHI, providers must:

  • Notify affected individuals within 60 days of discovering the breach
  • Notify the HHS Secretary (breaches affecting 500+ individuals require simultaneous media notification)
  • Notify prominent media outlets in affected states for large breaches

This rule applies whether the breach happens because a session was intercepted, a vendor is hacked, or records are improperly disclosed to a non-HIPAA-compliant tracking technology.


Business Associate Agreements (BAAs): The Non-Negotiable Requirement

One of the most operationally critical elements of HHS guidance on HIPAA and telehealth is the requirement for a signed Business Associate Agreement (BAA) with any technology vendor that handles PHI on your behalf.

What the HHS Guidance Says

Per HHS’s Business Associate guidance page, if a covered entity uses a cloud service provider or video platform to maintain, process, or store ePHI without entering into a BAA with that vendor, the covered entity is in direct violation of the HIPAA Rules (45 C.F.R. §§ 164.308(b)(1) and 164.502(e)).

The HHS Business Associate Contracts page specifies that a valid BAA must:

  1. Establish the permitted and required uses and disclosures of PHI by the vendor
  2. Confirm the vendor will not use or further disclose PHI beyond what the contract permits
  3. Require the vendor to implement appropriate safeguards including the HIPAA Security Rule
  4. Require the vendor to report any breach of unsecured PHI to the covered entity
  5. Require the vendor to return or destroy PHI at contract termination

When You Do — and Don’t — Need a BAA

Not every technology vendor that touches your practice requires a BAA. The HHS guidance on audio-only telehealth provides important nuance: a standard telephone service used purely as a conduit for transmission — where the provider doesn’t store recordings or transcripts — generally does not require a BAA with the phone company, because it functions as a “mere conduit” for the data.

However, if the telehealth app you use stores session recordings, generates transcripts, maintains notes in a cloud database, or processes patient data beyond simple transmission, its vendor is a business associate and a BAA is required.

Specific examples from HHS guidance:

  • A video chat app that stores recordings in the developer’s cloud → BAA required
  • An AI translation app used to translate speech during a session → BAA required (it creates and receives PHI)
  • A standard PSTN telephone connection for audio-only calls with no recording → generally no BAA required

The Consequences of Missing BAAs

HHS OCR has issued significant financial penalties to covered entities that failed to execute compliant BAAs. One hospital system paid $400,000 specifically for failing to update its BAAs to meet post-2013 Omnibus Rule requirements. Missing, outdated, or incomplete BAAs have triggered settlements ranging from $400,000 to over $1.5 million.

As HIPAA Journal’s BAA analysis documents, both covered entities and their business associates can face direct enforcement from OCR, state attorneys general, and even the FTC for BAA-related violations.


HHS Guidance on Audio-Only Telehealth

One of the most practically significant guidance documents HHS OCR has issued is the June 2022 guidance on audio-only telehealth: Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth.

This guidance was issued because many patients — particularly elderly individuals, those in rural areas with limited broadband, those with disabilities, and those with limited English proficiency — cannot reliably access video-based telehealth. Audio-only telephone consultations serve a critical access function.

Key Rules for Audio-Only Telehealth

Under this guidance, covered entities may conduct audio-only telehealth when:

1. The Privacy Rule is satisfied: The session involves only the minimum necessary PHI, is conducted in a private location, and the provider verifies the patient’s identity before the session begins. If a covered entity cannot confirm patient identity verbally, it must apply reasonable safeguards based on the risk level of the service being provided.

2. The Security Rule is satisfied (where applicable): If the telephone system used transmits ePHI electronically (e.g., VoIP systems, apps that store audio, transcription services), the Security Rule applies to those systems. The covered entity must conduct a risk analysis covering those technologies and implement appropriate safeguards.

Standard PSTN telephone calls — where the audio is not stored, recorded, or transmitted electronically beyond the call itself — generally fall outside the Security Rule’s technical safeguard requirements. But any app, platform, or service that records, stores, or processes the audio must meet Security Rule standards.

3. BAA requirements are met: As noted above, a BAA is required with any vendor that stores, processes, or transmits ePHI — including audio data. A traditional phone carrier acting as a pure conduit generally does not require a BAA; an AI transcription app used during that call does.

4. Identity verification: Providers should implement reasonable steps to verify that the person they are speaking to is the correct patient. This can be as simple as confirming the patient’s date of birth or address at the start of the call.

HHS issued this guidance partly in response to an Executive Order on Transforming Federal Customer Experience, directing agencies to remove unnecessary friction in accessing government services and healthcare.


HIPAA and Telehealth Platform Selection: What HHS Says

The HHS Telehealth.HHS.gov guidance on HIPAA compliance for telehealth technology is unequivocal: covered health care providers and health plans must use technology vendors that comply with the HIPAA Rules and will enter into HIPAA business associate agreements in connection with their video communication products or remote communication technologies.

This means your checklist when evaluating any telehealth platform should include:

✔ Does the vendor sign a BAA? If a vendor refuses to sign a BAA — or claims one is unnecessary because their platform is “encrypted” — proceed with caution. HHS guidance makes clear that encryption alone does not eliminate the BAA requirement. A vendor with “persistent access” to ePHI passing through its servers is a business associate regardless of encryption status.

✔ Does the platform support end-to-end encryption for sessions? All telehealth sessions involving PHI must be encrypted in transit. Review the vendor’s security documentation, not just their marketing materials.

✔ Does the platform maintain audit logs? The HIPAA Security Rule requires audit controls that track access to ePHI. Your telehealth platform must support this, or you must have a compensating control in place.

✔ Does the platform allow for unique user identification? Each clinician and administrator must have unique login credentials — shared passwords are a HIPAA violation.

✔ Does the platform include a virtual waiting room? While not a HIPAA requirement per se, virtual waiting rooms prevent patients from joining sessions before the provider is ready, protecting patient privacy and session confidentiality.

✔ Has the vendor undergone independent security assessments? SOC 2 Type II certification, HITRUST certification, or a documented penetration testing program are positive indicators of a serious security posture.

Remember: as HHS OCR explicitly states, “OCR does not endorse, certify, or recommend specific technology or products.” No platform is pre-approved by HHS. Compliance depends on how the platform is configured, contracted, and used — not the brand name.


Online Tracking Technologies: A Critical 2024 Update

In a notable 2024 development relevant to any telehealth provider with a website or patient portal, HHS OCR issued updated guidance on the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

This guidance addressed the common practice of embedding tracking pixels (Google Analytics, Meta Pixel, etc.) on healthcare websites and patient portals. OCR’s position was that disclosing PHI to tracking technology vendors through authenticated webpages (patient portals, appointment booking systems) requires either a valid HIPAA permission or a BAA with the tracking vendor.

In June 2024, a U.S. District Court in Texas partially vacated this guidance, ruling that HIPAA obligations are not triggered simply because a visitor’s IP address on an unauthenticated public webpage is combined with information about a health condition or provider. HHS stated it is evaluating its next steps.

The practical upshot for 2026:

  • Tracking technologies on authenticated pages (patient portals, appointment schedulers) that collect PHI still require compliance and likely a BAA with the tracker vendor
  • Tracking on unauthenticated public pages (your general website) is less clearly regulated after the court decision — but sharing PHI with any third party without authorization or a BAA remains prohibited
  • Providers should audit their website and patient portal tracking technologies and remove or obtain BAAs for any that may collect PHI
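
As an added illustration (not part of the original article or of any HHS tool), the tracker audit recommended above can start with a static inventory of the third-party hosts each page loads, compared against the practice's BAA list. The clinic and vendor hostnames, page paths, tracker IDs and the BAA inventory are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# All inputs below are constructed for illustration: the clinic and video-vendor
# hostnames, page paths, tracker IDs and the BAA inventory are hypothetical.
FIRST_PARTY = "portal.example-clinic.test"
BAA_ON_FILE = {"video.example-vendor.test"}  # vendors with a signed BAA (assumed keyed by host)

PAGES = {
    "/services": {  # public, unauthenticated page
        "authenticated": False,
        "html": """
          <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
          <script src="/static/site.js"></script>
        """,
    },
    "/portal/appointments": {  # page served only after patient login
        "authenticated": True,
        "html": """
          <script src="/static/portal.js"></script>
          <script async src="//www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
          <img height="1" width="1"
               src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView">
          <iframe src="https://video.example-vendor.test/room/abc"></iframe>
        """,
    },
}


class ResourceCollector(HTMLParser):
    """Collects the hosts of resources a page loads via script, img and iframe tags."""

    TAGS = {"script", "img", "iframe"}

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        url = dict(attrs).get("src")
        if not url:
            return
        # urlparse also resolves protocol-relative URLs (//host/path);
        # relative paths have no hostname and are first-party by definition.
        host = urlparse(url).hostname
        if host:
            self.hosts.add(host.lower())


def is_first_party(host, first_party):
    return host == first_party or host.endswith("." + first_party)


def third_party_hosts(html, first_party):
    collector = ResourceCollector()
    collector.feed(html)
    collector.close()
    return sorted(h for h in collector.hosts if not is_first_party(h, first_party))


def audit(pages, first_party, baa_hosts):
    """Return (path, host, status) for every third-party host on every page."""
    findings = []
    for path in sorted(pages):
        page = pages[path]
        for host in third_party_hosts(page["html"], first_party):
            if host in baa_hosts:
                status = "covered-by-baa"
            elif page["authenticated"]:
                # Authenticated pages can expose PHI to the vendor.
                status = "remove-or-obtain-baa"
            else:
                # Public pages: check whether any PHI is actually shared.
                status = "review-public-page"
            findings.append((path, host, status))
    return findings


if __name__ == "__main__":
    for path, host, status in audit(PAGES, FIRST_PARTY, BAA_ON_FILE):
        print(f"{status:22} {path:22} {host}")
```

Static markup only shows tags present in the served HTML; anything a tag manager injects at runtime has to be captured from browser network traffic on a logged-in test account.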

State Law Overlay: Where HIPAA Is the Floor, Not the Ceiling

HHS guidance consistently notes that HIPAA establishes minimum federal standards — states may impose stricter requirements, and several have. The HHS Telehealth privacy laws page identifies several important state-level trends:

  • Reproductive health data protections: Several states, including California, Nevada, and Connecticut, have enacted laws that go beyond HIPAA in protecting reproductive health, sexual health, and mental health data from out-of-state disclosure. California’s AB 352 requires segmentation and access controls for sensitive services.
  • Consumer health data laws: Washington State’s My Health My Data Act and Nevada’s SB 370 cover entities not subject to HIPAA, including some telehealth apps and wellness platforms, and impose consent, notice, and security obligations.
  • Substance use disorder confidentiality: Under 42 CFR Part 2, providers treating substance use disorders face stricter confidentiality requirements than general HIPAA. The 2024 HHS/SAMHSA final rule updated these protections significantly.
  • Mental health-specific protections: Some states impose additional consent requirements for sharing mental health treatment records beyond what HIPAA mandates.

Providers practicing across state lines — common in telehealth — must evaluate the laws of both the provider’s location and the patient’s location.


Special Topic: Telehealth for Mental Health and Behavioral Health Providers

Therapists, licensed counselors, psychologists, and other behavioral health providers face a particularly dense compliance environment under HHS guidance on HIPAA and telehealth.

The good news: as HHS Telehealth Policy Updates confirms, several behavioral health telehealth flexibilities have been made permanent or extended through December 31, 2027 under recent Congressional action:

  • Patients can receive behavioral and mental health telehealth services from their home without geographic restrictions
  • Audio-only mental health telehealth is permitted for Medicare patients who cannot access video
  • Marriage and Family Therapists and Mental Health Counselors are permanently eligible Medicare distant-site providers
  • An in-person visit requirement tied to initial telemental health services has been waived through December 31, 2027

These policy flexibilities coexist with HIPAA compliance requirements — the extension of reimbursement and access rules does not change the privacy and security obligations.

For behavioral health providers specifically, 42 CFR Part 2 substance use disorder record confidentiality rules impose additional constraints on how patient records can be shared, even between providers within the same organization. The 2024 final rule update aligned Part 2 more closely with HIPAA but did not eliminate its stricter consent requirements.


Patient Education and Consent: The Provider’s Responsibility

HHS OCR has published a dedicated resource for healthcare providers on educating patients about privacy and security risks when using remote communication technologies for telehealth. The guidance recommends that providers:

  1. Inform patients that telehealth involves transmitting health information electronically and that, while the provider uses HIPAA-compliant tools, the patient’s own device and internet connection may introduce risks that HIPAA does not govern.
  2. Explain that once PHI is transmitted to a patient’s device, the provider is generally not responsible for what happens to it on the patient’s end — the patient’s personal phone or computer is not covered by HIPAA.
  3. Obtain and document informed consent for telehealth, including the nature of the service, privacy considerations, and the patient’s right to choose in-person care instead.
  4. Offer alternatives for patients who are unable or unwilling to use video telehealth, including audio-only options where clinically appropriate.

Documentation of this consent should be retained for a minimum of six years under HIPAA records retention requirements.


Practical Compliance Checklist: HHS Guidance Applied

Based on all current HHS guidance on HIPAA and telehealth, here is a practical checklist every covered provider should maintain:

Platform & Vendor Compliance:

  • Telehealth platform vendor has signed a valid, current BAA
  • BAA covers all relevant services (video sessions, data storage, transcription if used)
  • Platform uses end-to-end encryption for all sessions
  • Platform supports unique user logins and audit logging
  • BAAs reviewed and updated after any major HIPAA rule changes

Administrative Safeguards:

  • Security risk analysis has been conducted and updated to include telehealth workflows
  • Written policies and procedures for telehealth HIPAA compliance are in place
  • Workforce trained on HIPAA-compliant telehealth practices annually
  • Identity verification procedure in place for all telehealth sessions

Patient Privacy Protections:

  • Sessions conducted in private, non-public settings
  • Patients informed of privacy risks and digital consent obtained
  • Notice of Privacy Practices provided to telehealth patients
  • Audio-only session procedures documented when video is not available or used

Breach Preparedness:

  • Breach response plan includes telehealth-specific scenarios
  • Vendor BAAs require prompt breach notification to covered entity
  • HHS breach reporting procedures documented and rehearsed

Website & Digital Tracking:

  • Audit of tracking technologies on patient-facing authenticated pages
  • BAAs obtained for any trackers on authenticated pages that collect PHI
  • State health data privacy laws reviewed for each state where patients are served

Frequently Asked Questions

Is standard Zoom HIPAA compliant for telehealth?

No. Standard consumer Zoom is not HIPAA compliant for telehealth. To use Zoom legally for healthcare services, you must be on Zoom for Healthcare and have a signed Business Associate Agreement in place with Zoom. Without a BAA, any PHI transmitted through a Zoom session could constitute a HIPAA violation. The COVID-era enforcement discretion that allowed consumer platforms ended on August 9, 2023. See HHS OCR’s current telehealth guidance for full details.

Does HHS guidance require a BAA for every telehealth tool I use?

Not necessarily every tool, but any vendor that creates, receives, maintains, or transmits PHI on your behalf requires a BAA. A standard telephone line acting as a pure transmission conduit generally does not. But any app or service that records sessions, generates transcripts, stores appointment data, or processes PHI in any form is a business associate. See HHS’s Business Associates FAQ for specific scenarios.

What does HHS say about audio-only telehealth and HIPAA?

HHS OCR’s June 2022 guidance on audio-only telehealth confirms that audio-only telehealth is permissible under HIPAA when the Privacy Rule and applicable Security Rule requirements are met. The main considerations are patient identity verification, use of private settings, and determining whether the telephone technology transmits ePHI electronically (which triggers Security Rule safeguards). Standard phone calls without recording or storage generally face fewer technical requirements than app-based or VoIP audio.

What are the HIPAA penalties for non-compliant telehealth?

HHS OCR enforces HIPAA through a four-tier civil penalty structure based on culpability:

  • Tier 1 (lack of knowledge): $100–$50,000 per violation
  • Tier 2 (reasonable cause): $1,000–$50,000 per violation
  • Tier 3 (willful neglect, corrected): $10,000–$50,000 per violation
  • Tier 4 (willful neglect, not corrected): $50,000 per violation, up to $1.9 million annually per violation category

Specific to telehealth, missing BAAs have triggered settlements ranging from $400,000 to over $1.5 million. See HHS OCR’s enforcement history for documented cases.

Has HHS changed its guidance on online tracking technologies for telehealth websites?

Yes, partially. In 2024, HHS OCR issued guidance on online tracking technologies warning providers about embedding trackers on healthcare websites. However, a federal court partially vacated that guidance in June 2024, ruling that tracking on unauthenticated public webpages does not automatically involve PHI. HHS is evaluating next steps. For now: be cautious with trackers on authenticated pages (patient portals, booking systems) — those still require compliance, and any tracker receiving PHI requires a BAA.

Do state laws override HHS HIPAA guidance on telehealth?

States cannot reduce HIPAA protections — they can only add to them. Several states have enacted health data privacy laws that are stricter than HIPAA, particularly for reproductive health, mental health, and consumer health apps. The HHS Telehealth privacy laws resource notes that providers serving patients across state lines must comply with both federal HIPAA requirements and the laws of each state where patients are located. Compliance with HIPAA alone is not sufficient in states with stronger protections.


Key HHS Resources: Quick Reference Links

Resource | Description | URL
HHS HIPAA and Telehealth | Core landing page on HIPAA telehealth compliance | hhs.gov
Telehealth.HHS.gov HIPAA Rules | HHS Telehealth program HIPAA guidance hub | telehealth.hhs.gov
OCR Audio-Only Telehealth Guidance | Full guidance on audio-only telehealth + FAQs | hhs.gov
Business Associates FAQ | When BAAs are required, scenarios and examples | hhs.gov
Sample BAA Language | HHS-provided model BAA provisions | hhs.gov
Online Tracking Technologies Guidance | HIPAA and website/portal tracking pixels | hhs.gov
Telehealth Policy Updates | Current Medicare telehealth extensions and flexibilities | telehealth.hhs.gov
HIPAA Guidance Materials Index | Full library of all OCR HIPAA guidance documents | hhs.gov
HHS Security Risk Assessment Tool | Free tool for conducting HIPAA risk analyses | healthit.gov
File a HIPAA Complaint with OCR | Report a HIPAA violation | hhs.gov OCR Complaint Portal

Conclusion

The HHS guidance on HIPAA and telehealth is comprehensive, continuously updated, and fully enforceable — there are no more pandemic exceptions. Every covered provider who sees patients remotely, whether via video, phone, or secure messaging, must operate within the framework established by OCR’s Privacy Rule, Security Rule, and Breach Notification Rule requirements.

The most consequential action any telehealth provider can take today is simple: verify that every technology vendor touching your patient data has signed a valid BAA, then conduct or update your security risk analysis to reflect your telehealth workflows. Those two steps address the most common compliance failures OCR identifies in its investigations.

Staying current with HHS guidance matters because the regulatory environment continues to evolve — the 2024 online tracking guidance, the 2024 42 CFR Part 2 update, ongoing HIPAA Security Rule proposed modifications, and state-level health data privacy laws all add new layers. Bookmark HHS’s HIPAA Guidance Materials page and Telehealth.HHS.gov as your primary ongoing references.

HIPAA compliance in telehealth is not a one-time checkbox. It’s an ongoing practice — exactly like the clinical care it protects.


This article on HHS guidance on HIPAA and telehealth is for informational purposes only and does not constitute legal advice. For guidance specific to your practice, consult a qualified healthcare attorney or HIPAA compliance officer.


References and Primary Sources:

  1. HHS HIPAA and Telehealth — Special Topics
  2. HHS OCR Audio-Only Telehealth Guidance (June 2022)
  3. Telehealth.HHS.gov — HIPAA for Telehealth Technology
  4. Telehealth.HHS.gov — Privacy Laws and Policy Guidance
  5. Telehealth.HHS.gov — Telehealth Policy Updates
  6. HHS Business Associates FAQ
  7. HHS Sample Business Associate Agreement Provisions
  8. HHS Online Tracking Technologies Guidance (2022, updated 2024)
  9. HHS Notification of Enforcement Discretion for Telehealth (COVID-19)
  10. HHS Telehealth FAQs
  11. HHS HIPAA Guidance Materials Index
  12. HHS OCR Enforcement and Compliance Agreements
  13. Medicaid.gov — OCR HIPAA Guidance for Telehealth
  14. HIPAA Journal — HIPAA Guidelines on Telemedicine (2026)
  15. HIPAA Journal — End of COVID-19 Telehealth Enforcement Discretion
  16. Accountable HQ — Telehealth and HIPAA Compliance for Providers in 2025
  17. ONC/OCR Security Risk Assessment Tool
