The Habits Outlived the Policy
For three years, OCR's enforcement discretion on non-HIPAA-compliant communications platforms let providers see patients on whatever video tool would connect. That accommodation made sense at the time. It has been gone for some time now, and yet a remarkable number of telehealth-heavy practices — behavioral health, primary care, specialty consultations — are still operating with workflows shaped by the relaxed period.
The most common artifacts of that era that we still see in 2026:
- A video platform in active use with no current Business Associate Agreement.
- Clinician laptops that have never been scanned, encrypted, or inventoried.
- Recording retention policies that exist on paper but not in the recording vendor's actual settings.
- Personal mobile devices logged into secure messaging with no MDM, no policy attestation, and no offboarding path.
- A patient-facing scheduling tool that emails PHI in plaintext.
None of these are unfixable. All of them are also exactly what a payer due-diligence questionnaire or a covered-entity vendor review now asks about by name. Here is how to bring a telehealth-heavy practice back into a defensible posture.
Audit Your Telehealth Stack
List every vendor in your visit flow. The complete inventory usually surprises people:
- Video / visit platform. Zoom for Healthcare, Doxy.me, an EHR-bundled video module, etc.
- Secure messaging. Between visits and for follow-up.
- Scheduling and intake. The intake form, eligibility check, and reminder system.
- Recording / storage. If you record sessions, where they live, for how long, and who can pull them.
- E-prescribing and labs. Often outsourced to a separate platform.
- Payment processing. If receipts include service descriptors, they may contain PHI.
- Transcription / scribe service. Manual or AI; either way it is a BA relationship.
For each, capture: vendor name, signed BAA on file (yes/no, date, expiration), where the BAA lives, and whether the vendor's current Trust Center page or DPA matches your understanding. About a third of telehealth practices we talk to find at least one vendor with no BAA on this exercise alone.
Treat Clinician Endpoints as In-Scope
The single biggest blind spot in telehealth compliance is the clinician laptop. In-office practices have an MSP that scans and patches endpoints; remote-first practices often have nothing in place. The Security Rule does not care that the laptop sits at the clinician's kitchen table — if it accesses ePHI, it is in scope.
A reasonable minimum:
- Inventory: a list of every device that accesses ePHI, with owner, OS, encryption status, and last-seen date.
- Encryption: full-disk encryption verified, not just enabled.
- Patching: evidence that patches are applied, especially for CVEs in CISA's Known Exploited Vulnerabilities feed.
- Endpoint protection: running, current, and reporting to a console you can actually check.
- Credential hygiene: no shared accounts, MFA on everything, and a credential leak response playbook for when (not if) a clinician's password shows up in a dump.
This is the work that compliance-only platforms typically punt on. It is also the work that turns "we have policies" into "we have evidence." See our telehealth-specific overview for how the NSS Agent slots into a remote workforce.
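The "verified, not just enabled" check above, as an added example that is not code from this page, from HIPAA Security Suite or from the NSS Agent. It assumes a Linux clinician laptop with util-linux lsblk and treats encryption as verified only when the root filesystem is backed, directly or through LVM, by a dm-crypt mapping; macOS (fdesetup status) and Windows (manage-bde -status) need their own equivalents.

```shell
#!/bin/sh
# $1 is lsblk output in key="value" form: lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME
# Prints "verified" or "unverified"; exit status 0 only when verified.
check_root_encryption() {
  printf '%s\n' "$1" | awk '
    # Pull one quoted value out of the current lsblk -P line (fields hold KEY="value").
    function val(key,   i) {
      for (i = 1; i <= NF; i++)
        if (index($i, key "=\"") == 1) return substr($i, length(key) + 3, length($i) - length(key) - 3)
      return ""
    }
    { name[NR] = val("NAME"); type[NR] = val("TYPE"); pk[NR] = val("PKNAME")
      if (val("MOUNTPOINT") == "/") root = name[NR] }
    END {
      cur = root
      # Walk from the root device up through its parents (PKNAME) looking for a crypt layer.
      for (hop = 0; cur != "" && hop < 16; hop++) {
        idx = 0
        for (i = 1; i <= NR; i++) if (name[i] == cur) { idx = i; break }
        if (idx == 0) break
        if (type[idx] == "crypt") { print "verified"; exit 0 }
        cur = pk[idx]
      }
      print "unverified"; exit 1
    }'
}

# One inventory record per laptop: owner, hostname, OS, encryption status, last-seen date.
endpoint_record() {
  # $1 owner, $2 hostname, $3 OS, $4 lsblk -P output
  status=$(check_root_encryption "$4") || true
  printf '%s,%s,%s,%s,%s\n' "$1" "$2" "$3" "$status" "$(date -u +%Y-%m-%d)"
}

# Constructed sample device trees (hypothetical, not captured from a real machine).
SAMPLE_LUKS_LVM='NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="luks-example" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="luks-example"'
SAMPLE_PLAIN='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/" PKNAME="sda"'

# Live use on the laptop being inventoried (hypothetical owner name):
#   endpoint_record "clinician.example" "$(hostname)" "linux" "$(lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME)"
```

Appending each record to the device inventory gives the encryption-status and last-seen evidence the list above asks for, rather than a checkbox saying encryption is turned on.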
Get Recording and Retention Aligned
If you record sessions — for training, supervision, or quality — the recording is PHI. Where it lives, who can pull it, and how long it is retained must match a written policy. We routinely see:
- Recordings retained indefinitely by default because no one changed the vendor setting.
- Recordings accessible to the entire clinical team when policy says only the supervisor.
- "Auto-delete after 30 days" policies in writing, but the actual vendor setting still defaults to 90.
The fix is a 30-minute exercise: pull the vendor's admin console, screenshot the actual settings, compare to your written policy, and reconcile. Then put the reconciliation date on the quarterly mini-audit calendar.
Behavioral Health Is a Special Case
Behavioral health, mental health, and substance use practices carry an above-average compliance burden because the PHI is more sensitive and the workflows are usually fully remote. A behavioral-health-specific compliance approach usually emphasizes three things: tight BAAs with telehealth vendors, per-clinician training on remote PHI handling, and clear documentation of what gets recorded, kept, and shared.
For practices that touch 42 CFR Part 2 substance-use data, the additional confidentiality rules layer on top of HIPAA. The platform side of that is straightforward — customized policies, access controls, and workforce training topics. The program side requires specialized counsel.
The Workforce Side: Train What Telehealth Actually Looks Like
Generic annual HIPAA training does not change behavior on remote workflows. The most useful additions for telehealth-heavy practices are short, role-specific modules:
- Clinicians: how to handle an interrupted visit, recording disclosure, and family members appearing on camera.
- Front desk: how to verify identity over video and what to do if a wrong patient joins.
- Billers: secure handling of remittance files and EOBs that include PHI.
- Everyone: what to do when a personal device is lost, sold, or returned for service.
The behavioral science around this is clear: short, frequent, scenario-based training outperforms an annual hour-long video. Pair it with documented attestation so the change is auditable.
What to Have Ready Before the Next Vendor Review
If you sell into covered entities — or your covered-entity clients are getting more rigorous about due diligence — expect to be asked for:
- A current Security Risk Analysis with telehealth-specific findings called out.
- A list of subprocessors / vendors and current BAAs.
- Evidence of clinician endpoint security (encryption, patching, EDR).
- Workforce training records, including telehealth-specific topics.
- An incident response plan that explicitly addresses telehealth scenarios.
- A breach notification process and prior incident history (if any).
If you cannot produce these in a few days, you are not ready for a sales cycle that includes a security review. A 30-day audit prep plan works equally well for OCR and for covered-entity due diligence.
Talk to Us
Telehealth-heavy practices end up with the same HIPAA scope as brick-and-mortar ones, plus more vendors and a wider endpoint footprint. HIPAA Security Suite is built for that reality: BAA tracking, per-clinician training, endpoint scanning, breached-credential monitoring, and audit-ready documentation in one workspace.
Schedule a walkthrough tailored to a telehealth workflow, or run your numbers through the readiness quiz first. Either way, the pandemic-era posture is no longer enough — and the fix is more about process than panic.