Understanding HIPAA requirements for telehealth reimbursement, licensing, and policy
Tshedimoso Makhene
October 04, 2025
According to the study Unveiling the Adoption and Barriers of Telemedicine in US Hospitals: A Comprehensive Analysis (2017–2022), telehealth has seen an increase in its adoption in hospital settings. In fact, in 2017, 47% of hospitals offered at least one type of telemedicine service, while in 2021, 72% of hospitals offered at least one type of telemedicine service. The study notes that “Across the 5-year period, the provision of consultation and visit services experienced the fastest growth—it was available among 26% of hospitals in 2017 and 55% in 2021. The availability increased from 28 to 39% for stroke care, from 15 to 27% for psychiatric and addiction management, and from 14 to 29% for remote patient monitoring. Electronic ICU had the slowest growth (from 12 to 13% availability) and was less commonly provided than the other four telemedicine services in 2021.”
The growth of telehealth has transformed healthcare delivery, offering patients greater convenience and providers new opportunities to expand access. However, this rapid adoption comes with significant regulatory and operational challenges. Central to these challenges is HIPAA compliance, which ensures that protected health information (PHI) is kept secure and private. While telehealth platforms themselves are often the focus of compliance discussions, factors such as reimbursement policies, provider licensing, and the broader policy landscape profoundly affect how HIPAA rules are applied in practice.
The interplay between telehealth and HIPAA
HIPAA, the Health Insurance Portability and Accountability Act, establishes national standards to protect PHI, covering its collection, storage, transmission, and use. Under HIPAA, healthcare providers must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI. Telehealth adds complexity to each of these areas.
For example, when patient consultations move online, PHI is no longer confined to the clinic. It flows through digital channels such as video conferencing software, mobile apps, and cloud-based EHR platforms. Each of these channels represents a potential vulnerability if not properly secured. A seemingly minor oversight, such as using a non-HIPAA compliant video call platform, could result in PHI exposure, triggering both legal and reputational consequences.
While telehealth platforms themselves must meet HIPAA standards, external factors, notably reimbursement, licensing, and policy complexity, can indirectly influence compliance. These factors affect how PHI is generated, where it is stored, and how it is shared, demonstrating the interconnectedness of operational, legal, and technological considerations in telehealth.
Reimbursement and HIPAA compliance
Documentation and PHI expansion
According to the Rural Health Information Hub, “The financial viability of rural healthcare facilities depends on payment for healthcare services provided. Payers for these services include government programs such as Medicare and Medicaid, commercial health insurers, and patients paying directly for their own care, among others.” Reimbursement requirements, particularly from Medicare, Medicaid, and private insurers, have a direct impact on HIPAA compliance. To receive payment for telehealth services, providers must maintain detailed documentation, including clinical notes, coding information, and encounter histories, to support their claims. This additional documentation expands the volume of PHI that must be handled securely.
For example, a telehealth provider submitting claims for multiple virtual visits per day must ensure that all patient data, diagnoses, treatment plans, and notes are accurately documented in an EHR system and transmitted securely to payers. If these records are transmitted or stored without proper safeguards, the risk of a HIPAA violation increases.
Integration with billing systems
Telehealth reimbursement often requires integration between clinical platforms and billing systems. Providers can use cloud-based EHRs that automatically sync visit information with billing software; however, while this integration improves efficiency, it also increases the number of points where PHI could be exposed. A misconfigured system or weak access controls could allow unauthorized parties to access patient data.
In addition, billing platforms themselves must comply with HIPAA rules when handling PHI. Providers must ensure that third-party billing services have signed business associate agreements (BAAs), formally establishing their responsibility for HIPAA compliance. Failure to do so can result in liability for the provider, even if the violation occurs outside their direct control.
Incentives for HIPAA compliant technology
Interestingly, reimbursement policies can promote HIPAA compliance. Many insurers and government programs require that claims be generated from HIPAA compliant telehealth platforms. As noted by Womble Bond Dickinson, some state Medicaid programs and private payers have issued guidance or policies indicating that telehealth services must use “secure communications tools” or platforms that meet their security policies to be eligible for reimbursement. For example, the article states that “we caution providers to pay close attention to policies from commercial payors and Medicaid programs that require secure communications tools in order to conduct telehealth visits.” Providers who fail to use secure platforms risk claim denials or audits, which can have financial and legal consequences. For instance, the study A deeper look into cybersecurity issues in the wake of Covid-19: A survey states that “In the year 2020, in the wake of the COVID-19 crisis, there were about 1,872 breaches, compared to 1,108 in 2019.” This demonstrates the importance of linking reimbursement and compliance practices.
Licensing and HIPAA compliance
Cross-state telehealth and privacy risks
Licensing presents another complex dimension. As stated by the Rural Health Information Hub, “State requirements for licensing and credentialing of telehealth providers vary widely.” Telehealth often involves providers delivering care to patients located in different states. Each state has its own licensure requirements and may impose unique privacy or data-handling laws. “States typically require providers to be licensed in the state where the patient receives services,” states the Rural Health Information Hub. Providers must navigate this multi-jurisdictional landscape without violating HIPAA standards.
For example, a provider licensed in New York treating a patient in California may be subject to California’s stricter privacy rules, which can include additional patient consent requirements and data storage restrictions. These overlapping obligations create a higher compliance burden, as providers must align federal HIPAA requirements with each state’s rules.
Data jurisdiction and storage
Some states require that patient data remain within state boundaries. As stated by McDermott Will & Schulte LLP, “The most common means by which states seek to control risk is through data localisation provisions within contracts with state agencies, and through Medicaid regulatory restriction. In some cases, these contractual provisions require both the storage of patient data and the performance of the services to occur in the US. For example, Wisconsin prohibits contractors and subcontractors from performing work outside the US that involves access to or disclosure of patient health and related information. Similarly, Texas’ Uniform Managed Care Contract requires Managed Care Organisations (MCOs) to provide all services within the US. It further requires that all information obtained by the MCO or a subcontractor pursuant to the Managed Care Contract be “stored and maintained within the United States”. Other states that prohibit data offshoring include Arizona’s Health Care Cost Containment System program and executive orders in Ohio, Missouri, and New Jersey.”
Ultimately, telehealth platforms must be configured to store or route data in compliance with these rules. Failing to do so could result in both HIPAA and state-level violations. Multi-state telehealth providers may need geofencing solutions or cloud configurations that guarantee data residency without compromising security.
Credentialing and audit trails
Licensing boards and hospital credentialing processes frequently require detailed audit trails and access logs, which are also a core component of HIPAA administrative safeguards. Telehealth systems must track who accessed PHI, when, and for what purpose, ensuring that only authorized personnel can view sensitive information. Failure to maintain these logs risks HIPAA penalties and may also violate licensure requirements.
Policy complexity and HIPAA compliance
Regulatory fragmentation
Telehealth compliance exists at the intersection of multiple regulations. HIPAA sets the federal baseline, but CMS guidelines, state health departments, and professional boards often layer additional rules. Providers must harmonize these overlapping requirements without creating gaps that could expose PHI.
For instance, while HIPAA allows certain disclosures for treatment, payment, and operations, a state may require additional consent before sharing data across borders or using certain telehealth platforms. Navigating this regulatory patchwork demands proactive compliance planning and continuous monitoring of policy updates.
Temporary waivers and enforcement discretion
During the COVID-19 public health emergency, OCR relaxed enforcement of some HIPAA rules for telehealth, permitting the use of non-public-facing apps like FaceTime or Skype. These temporary flexibilities increased access but also underscored how rapidly policy changes can affect compliance obligations. As these waivers are rolled back, providers must pivot back to fully HIPAA compliant platforms, sometimes requiring additional training or system upgrades.
Business associate agreements (BAAs)
Telehealth often involves multiple vendors, including EHR providers, video platforms, and remote monitoring services. HIPAA requires that all these vendors sign BAAs, taking on formal responsibility for safeguarding PHI. Managing multiple BAAs can be challenging, especially when vendors change their services or policies. Providers must maintain careful documentation and oversight to ensure continuous compliance.
Policy lag
Telehealth technology adoption has outpaced regulatory updates, leaving grey areas in compliance. Providers often face uncertainty regarding whether certain new applications or workflows meet HIPAA standards. In such cases, risk assessments, internal policies, and proactive vendor vetting become essential tools for minimizing exposure to risk.
Practical strategies for maintaining HIPAA compliance
Given the complex interplay of reimbursement, licensing, and policy, telehealth providers can adopt several strategies to reduce risk:
Align reimbursement with compliance
- Ensure billing and EHR platforms are HIPAA compliant.
- Train staff on secure documentation and transmission of PHI.
- Audit claims processes regularly to detect errors that could trigger HIPAA investigations.
Manage multi-state licensing risks
- Maintain a central database of state-specific privacy and telehealth rules.
- Implement geofencing and data residency solutions where required.
- Document provider licensure and patient location for each telehealth encounter.
Strengthen vendor management
- Execute and regularly review BAAs with all telehealth technology providers.
- Conduct periodic security assessments of vendors.
- Establish clear escalation paths for data breach response using incident response plans.
Train staff and update policies
- Provide ongoing HIPAA and telehealth compliance training.
- Develop standard operating procedures for platform use, remote access, and data sharing.
- Monitor regulatory updates and adjust policies proactively.
Leverage technology for compliance
- Use encrypted video conferencing and messaging platforms.
- Implement multi-factor authentication (MFA) and access controls.
- Maintain audit logs to track all PHI access and transmission.
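The access-control, audit-trail and data-residency controls listed above, and in the credentialing and data-jurisdiction sections earlier, can be illustrated in code. The example below is added here and is not code from this article or from any platform it mentions: a minimal PHI gateway that checks a role's permissions, records every access decision (who, when, what, why, allowed or denied) in an audit log, and refuses to write PHI under a US-only contract to a non-US storage region. The role table, the contract names `TX-MCO` and `WI-STATE` (modelled on the Texas and Wisconsin rules quoted above), the region names and the patient records are all constructed sample data.

```python
# Added example: not code from the Paubox article or any product it mentions.
# A minimal PHI gateway showing three safeguards the article lists:
#   - role-based access control (who may read or write PHI),
#   - an audit trail recording who accessed what, when, and for what purpose,
#   - a data-residency check before PHI is written to a storage region.
# Roles, contracts, regions and patient records are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role -> permitted actions table (a real policy comes from the
# covered entity's own access-control policy, not from this example).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "billing": {"read"},        # needs claim data, never writes clinical notes
    "it_support": set(),        # administers systems but must not view PHI
}

# Hypothetical contracts whose PHI must stay in US regions (constructed names,
# modelled on the Texas and Wisconsin rules quoted in the article).
US_ONLY_CONTRACTS = {"TX-MCO", "WI-STATE"}


@dataclass
class AuditEvent:
    timestamp: str
    user: str
    role: str
    action: str
    record_id: str
    purpose: str
    allowed: bool
    reason: str


@dataclass
class PHIGateway:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user, role, action, record_id, purpose, allowed, reason):
        # Every decision is logged, denials included: an audit trail that only
        # records successful access cannot show attempted misuse.
        event = AuditEvent(datetime.now(timezone.utc).isoformat(), user, role,
                           action, record_id, purpose, allowed, reason)
        self.audit_log.append(event)
        return event

    def access(self, user, role, action, record_id, purpose):
        """Authorize one PHI access; return the record, or None if denied."""
        if not purpose:
            self._log(user, role, action, record_id, purpose, False, "no purpose stated")
            return None
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._log(user, role, action, record_id, purpose, False, "role not permitted")
            return None
        record = self.records.get(record_id)
        if record is None:
            self._log(user, role, action, record_id, purpose, False, "no such record")
            return None
        self._log(user, role, action, record_id, purpose, True, "ok")
        return record

    def store(self, user, role, record_id, record, region):
        """Write PHI to a storage region, enforcing the residency rule first."""
        if "write" not in ROLE_PERMISSIONS.get(role, set()):
            self._log(user, role, "write", record_id, "storage", False, "role not permitted")
            return False
        if record.get("contract") in US_ONLY_CONTRACTS and not region.startswith("us-"):
            self._log(user, role, "write", record_id, "storage", False,
                      f"residency: {record['contract']} data may not be stored in {region}")
            return False
        self.records[record_id] = {**record, "region": region}
        self._log(user, role, "write", record_id, "storage", True, "ok")
        return True


def denied_events(gateway):
    """Denied accesses are what a compliance reviewer wants to see first."""
    return [e for e in gateway.audit_log if not e.allowed]


def events_for_record(gateway, record_id):
    """Reconstruct who touched one patient's PHI, the question an audit asks."""
    return [e for e in gateway.audit_log if e.record_id == record_id]


def run_sample():
    """Constructed scenario: two writes (one refused on residency), four reads."""
    gw = PHIGateway()
    gw.store("dr_lee", "physician", "P-1001", {"contract": "TX-MCO", "note": "follow-up visit"}, "us-east-1")
    gw.store("dr_lee", "physician", "P-2002", {"contract": "TX-MCO", "note": "intake"}, "eu-west-1")  # refused
    gw.access("dr_lee", "physician", "read", "P-1001", "treatment")            # allowed
    gw.access("billing_01", "billing", "read", "P-1001", "claim submission")   # allowed
    gw.access("helpdesk_7", "it_support", "read", "P-1001", "troubleshooting")  # denied
    gw.access("dr_lee", "physician", "read", "P-1001", "")                     # denied: no purpose
    return gw


if __name__ == "__main__":
    for e in run_sample().audit_log:
        print(e.timestamp, e.user, e.action, e.record_id,
              "ALLOWED" if e.allowed else "DENIED", e.reason)
```

Two design points matter for the compliance use cases above. The log is written on the denial path as well as the success path, so a credentialing or OCR review can see attempted access by personnel who should not have it, and the residency check runs before the write rather than as an after-the-fact scan, so PHI under a US-only contract never lands in the wrong region in the first place.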
FAQs
Who is responsible for HIPAA compliance in telehealth—the provider or the telehealth platform?
Both. Providers are responsible for choosing HIPAA compliant platforms and ensuring their workflows protect PHI. Telehealth vendors that handle PHI must sign a business associate agreement (BAA) to share legal responsibility.
Are business associate agreements (BAAs) required for telehealth vendors?
Yes. Any telehealth vendor that stores, transmits, or processes protected health information (PHI) is considered a business associate under HIPAA. A signed BAA is required to ensure both the provider and vendor share responsibility for safeguarding PHI.
What happens if a provider uses a non-HIPAA compliant telehealth platform?
Using non-compliant platforms (without a BAA, encryption, or audit trails) can result in unauthorized PHI disclosures. This may trigger OCR investigations, fines, or breach notifications under HIPAA.
What security features should a HIPAA compliant telehealth platform include?
Key features include:
- Automatic encryption
- Secure authentication for providers and patients
- Access controls and role-based permissions
- Audit logs for monitoring access
- Signed BAA with the vendor