Protecting Telehealth Patient Data With HIPAA-Compliant Video Conferencing

Propelled by the pandemic, healthcare organizations have risen to the occasion for the demand for more virtual care options by offering telehealth to patients. With the proliferation of telehealth platforms combined with insurance compensation for telehealth visits, video conferencing options have become popular and well-utilized, especially for routine appointments and people who have experienced barriers to in-person visits.

Telehealth Concerns

Despite its many benefits, several concerns still plague both patients and healthcare companies alike. Is telehealth HIPAA compliant? Are certain platforms more compliant than others? Most people already have multiple software systems downloaded on their personal computers, tablets, and mobile devices that have video conferencing capabilities, such as WhatsApp®, Facebook Messenger™, Apple FaceTime®, Skype™, and Zoom®, and they are using them in other areas of their lives and feel comfortable and familiar with them. But will these platforms adequately protect patient electronic Personal Health Information (ePHI)? How and what data do these platforms store?

Overall, many patients[¹] still do not trust healthcare companies to protect their ePHI digitally. Their concerns are well-founded: IT and hacking incidents have increased[²] over the past few years. Recent ransomware attacks[³] that target ePHI have also reinforced this concern.

There are serious implications for not providing secure means of telehealth communication. Non-secure communication could result in a security breach, putting patient data at risk. Security breaches cost healthcare organizations an average of $6.45 million[²], as well as legal and public relations issues.

What Does HIPAA Say About Telehealth?

Some of the governing laws of HIPAA do not seem to be specific in regards to telehealth. Regardless, the standard rules for the protection of ePHI, such as encryption and the implementation of a Business Associate Agreement (BAA) for third-party solutions, do apply. The current HIPAA guidelines[⁴] around telehealth are found within the HIPAA Security Rule and stipulate:

  • HIPAA Standard 164.312(d): “Implement systems that verify the persons seeking access to ePHI are who they claim to be.”
  • HIPAA Standard 164.306(b): “Implement appropriate security measures.”

HIPAA Compliance During Video Conferencing

Healthcare staff should be careful to only host video calls in a secure and private location to prevent unauthorized people from overhearing any PHI.

HIPAA-Compliant Video Conferencing

Use a HIPAA-Compliant Video Conferencing Platform

Healthcare companies can offer HIPAA-compliant video conferencing to their patients by investing in a platform that implements the necessary safeguards to meet the required standards. This ensures organizations can protect ePHI throughout the entire appointment process, including all HIPAA-compliant SMS messaging, live chat, chatbot, and emails prior to or following the HIPAA video conference.

There are several necessary components to ensure that the platform is fully HIPAA compliant:

  • End-to-end encryption should meet both industry best practices and HIPAA standards.
  • Authentication of the patient and any third-party participants (such as legal guardians, other healthcare providers, translators, etc.) should be required using a log-in each time there is an interaction, and automatically logging them out when the appointment is over.
  • Interactions should be able to be centrally monitored, audited, managed, and reported on.
  • If the company uses a third-party software vendor, there must be a BAA executed with the vendor.
  • A system for monitoring communications containing ePHI should be in place to prevent data breaches.

To aid healthcare companies seeking a HIPAA-compliant video conferencing tool, the Office for Civil Rights (OCR) has compiled a list of HIPAA-compliant telemedicine software:

  • Amazon Chime™
  • Bridge Video Visits, powered by Zoom for Healthcare®
  • Cisco® Webex Meetings / Webex Teams
  • Google Hangouts™
  • GoToMeeting™
  • Skype for Business™
  • Spruce Health Care Messenger™
  • Updox®
  • VSee™
  • Zoom for Healthcare®

Digital Front Door

Healthcare organizations can provide HIPAA-Compliant video conferencing options to their patients with confidence by implementing a fully HIPAA-compliant telehealth platform integrated into their existing patient engagement solution.

Patients should also be required to complete necessary patient consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms, include:

All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way to the service providers mentioned in this article.

  1. Accenture. How Can Leaders Make Recent Digital Health Gains Last? (2020). [online]. Accenture. Available at:
  2. Seh AH, Zarour M, Alenezi M, et al. Healthcare Data Breaches: Insights and Implications. (2020). [online] Healthcare (Basel). Available at:
  3. Drees, J.(2021). Hacker had access to Georgia health system’s IT network 6 months before ransomware strike. [online] Available at:
  4. HIPAA Journal (2018). HIPAA Guidelines on Telemedicine. [online] HIPAA Journal. Available at:
John Deutsch
John Deutsch

Chief Executive Officer (CEO) John is a seasoned executive with 20+ years of healthcare IT business ownership experience specializing in patient engagement, marketing, and software/web development. He was the co-founder of EMR Experts, an EHR consulting firm, which was sold to Bizmatics Inc in 2008. John then founded Medical Web Experts, a leader in custom HIPAA-compliant software/web development and marketing for the healthcare industry. Bridge Patient Portal, an all-in-one patient engagement solution, was spun off from Medical Web Experts in 2014. John split his time as CEO between both Medical Web Experts and Bridge Patient Portal until late 2019, at which point he stepped down as CEO at Medical Web Experts to focus solely on Bridge Patient Portal. Besides his extensive experience in business and workforce management, he also maintains strong technical knowledge in information systems, IT security, compliance, and healthcare.