Quick answer
Telehealth practices carry HIPAA exposure most general compliance guides do not address. The video platform requires a BAA at the right tier. The patient portal almost certainly has tracking code the practice owner has not audited. The patient’s state imposes privacy rules separate from the provider’s state. Controlled-substance telehealth prescribing rules changed in 2024 and 2025 and continue to shift in 2026. A Risk Analysis built for an in-person practice does not cover any of this.
If you run a telehealth practice, “HIPAA compliant” is not a checkbox. It is four distinct compliance surfaces, and the platforms and vendors you depend on every day touch each one. Most practice owners I work with have addressed one or two and assume the others are handled by the EHR or the video vendor. They almost never are.
What Makes Telehealth HIPAA Different
A traditional in-person practice has a finite physical footprint. HIPAA exposure maps roughly to the building. Telehealth removes the building and replaces it with vendors: the video platform, the SaaS portal, the clinician’s home laptop, the patient’s device in another state, the cloud storage for recordings. Each leg of that path is a HIPAA touchpoint that requires the same scrutiny a covered entity would apply to its on-premise network.
Four issues recur across telehealth practices I look at:
- The video platform either has no BAA or has a BAA that applies to a different tier than the practice is actually using.
- The patient portal carries tracking code the practice owner installed for marketing years ago and never re-examined.
- Cross-state telehealth pulls in state medical board rules and state privacy laws the practice owner has not mapped.
- Controlled-substance prescribing via telemedicine sits inside DEA rules that shifted significantly in 2024 and 2025 and are still moving in 2026.
Each section below covers one of those.
BAA Requirements for Video Platforms
The Business Associate Agreement is the gating compliance document for any vendor that creates, receives, maintains, or transmits PHI on your behalf. Video platforms are squarely inside that definition. Most major telehealth video vendors have a BAA available, but the tier and the configuration matter.
Here is the platform-by-platform picture as of 2026:
- Zoom signs BAAs on Zoom for Healthcare and on Zoom Workplace Business, Business Plus, and Enterprise paid plans. Consumer Zoom and the free tier do not qualify. The Healthcare tier is the most opinionated option, turning off cloud recording defaults and disabling third-party integrations that would route PHI to non-BAA vendors; a properly configured paid Business or Enterprise account with a signed BAA is also HIPAA-eligible. Confirm the BAA is on file and the active account is on the tier the BAA covers.
- Doxy.me signs a BAA on every tier including the free tier, but the free-tier BAA is scoped to an individual provider only. Professional, Clinic, and higher tiers carry the same BAA with organizational coverage suitable for multi-provider practices. A practice running multiple providers on a single free Doxy.me account is outside the BAA’s documented scope.
- SimplePractice signs a BAA as part of standard onboarding. The platform integrates EHR, scheduling, billing, and video, so the BAA needs to cover all functions, not just video.
- VSee signs a BAA on Clinic and Enterprise tiers. Updox signs a BAA for its telehealth, secure messaging, and patient portal modules.
- Google Meet and Microsoft Teams sign BAAs only under qualifying Workspace or Microsoft 365 plans with the HIPAA amendment executed and services configured for HIPAA. Personal accounts do not qualify.
- FaceTime, WhatsApp, Signal, consumer Skype, and standard SMS have no BAA available. Using any of these for patient visits or PHI exchange is an impermissible disclosure regardless of clinical intent.
What to verify in the BAA itself: the named entity matches your practice’s legal name, the services in scope cover what you actually use, the data return or destruction provision at termination is clear, and the breach notification timeline aligns with HIPAA’s 60-day requirement. A BAA from 2020 that has not been re-examined since the pandemic flexibilities ended is worth re-reading.
The broader principle here is the same one I covered in why an IT provider BAA does not equal HIPAA compliance: the contract describes the relationship, but the practice still owns the obligation to configure and use the service in a compliant way.
Patient Portal Tracking Pixel Risk
The tracking pixel problem is not just a hospital problem or a dermatology problem. It applies to any healthcare website with authenticated pages, and every telehealth practice has authenticated pages by definition. The patient portal login, the appointment booking page, and the intake form are exactly the surfaces the OCR guidance and the class-action plaintiff bar are looking at.
A federal court in Texas in June 2024 vacated one narrow element of OCR’s tracking technology guidance: the rule that an IP address combined with a visit to an unauthenticated public webpage about a health condition constitutes PHI. Everything else in the OCR guidance remained in force. Authenticated pages are still in scope. The Business Associate Agreement requirement for any vendor receiving PHI is still in force. I covered the full scope of what the ruling did and did not do in the tracking pixel risk for Houston dermatology practices, and the same analysis applies to a telehealth portal.
Telehealth practices specifically should audit the patient portal login page, the appointment booking flow including any intake questions, the post-visit summary page, and any embedded video, calendar, or chat widget that loads third-party code on authenticated pages. Common offenders are Meta Pixel, Google Analytics, Google Tag Manager scripts, LinkedIn Insight Tag, and TikTok pixel.
The 10-minute check: open the portal in a browser, right-click and choose Inspect, open the Network tab, log in, and watch which external domains receive requests. Anything other than your own domain and your platform vendor’s domain needs a BAA on file or it needs to come off the authenticated pages. The same gap pattern shows up across specialties, including the one I documented in Texas mental health practices and the tracking code gap.
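One way to make the Network-tab check above repeatable, as an added example that is not part of the original article: save the logged-in session from the browser's Network tab as a HAR file and run it through the script below, which flags every host that is neither your own domain nor your platform vendor's. The allowlist domains and the sample HAR are hypothetical, and the tracker hostnames are reference data assembled here, not an official list.

```python
import json
from urllib.parse import urlsplit

# Hosts the practice controls or has a BAA with (hypothetical names; edit for your portal).
ALLOWED_SUFFIXES = ("example-clinic.test", "video-vendor.test")

# Script hosts used by the trackers named in the article (reference data assembled here,
# not an official list); any other host off the allowlist is still flagged as unknown.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
    "snap.licdn.com": "LinkedIn Insight Tag",
    "analytics.tiktok.com": "TikTok Pixel",
}

def is_allowed(host: str) -> bool:
    """True for the practice's own domain, the vendor's domain, and their subdomains."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)

def audit_har(har: dict) -> dict:
    """Map every third-party host contacted during the session to a finding label."""
    findings = {}
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        if not host or is_allowed(host):
            continue
        findings[host] = KNOWN_TRACKERS.get(host, "unknown third party: needs a BAA or removal")
    return findings

def audit_har_file(path: str) -> dict:
    """Load a HAR file saved from the browser's Network tab and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_har(json.load(fh))

# Constructed sample of a HAR export (a login plus four script loads), not real traffic.
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://portal.example-clinic.test/login"}},
    {"request": {"url": "https://cdn.video-vendor.test/embed.js"}},
    {"request": {"url": "https://connect.facebook.net/en_US/fbevents.js"}},
    {"request": {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"}},
    {"request": {"url": "https://static.chat-widget-vendor.test/widget.js"}},
]}}

if __name__ == "__main__":
    for host, label in sorted(audit_har(SAMPLE_HAR).items()):
        print(f"{host}: {label}")
```

Every flagged host needs either a BAA on file or removal from the authenticated pages; the "unknown" label is the one to chase first, because it is the vendor nobody remembers installing.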
Class-action exposure on tracking pixels is independent of OCR. Plaintiff attorneys pursue these cases under state wiretapping statutes and common-law privacy theories the 2024 ruling did not touch. Telehealth portals concentrate the identifying-plus-clinical data those theories rely on.
State Licensing and Privacy Overlay
HIPAA is federal. State medical boards and state privacy laws are not. The rule of thumb that catches most telehealth practices: the patient’s state controls, not the provider’s state.
A clinician licensed in Texas who treats a patient physically located in California is practicing medicine in California for purposes of California licensing and medical board rules. The same clinician is subject to California’s Confidentiality of Medical Information Act (CMIA), which imposes obligations and remedies beyond HIPAA, including a private right of action that has driven significant class-action activity.
States that telehealth practices should specifically map: California (CMIA), New York (SHIELD Act), Texas (HB 300), Washington (My Health My Data Act, which reaches further than HIPAA’s definition of PHI), and the growing list of states that have enacted health-data-specific privacy statutes since 2023 (Connecticut, Nevada, and others). HIPAA preempts state laws that are contrary to it, but state laws that are more stringent are not preempted, and most health-privacy statutes are more stringent in at least some respect.
Practical implication: your compliance program must inventory the states your patient panel actually lives in, identify the medical board licensing rule for each, and identify the privacy statute for each. A practice that is HIPAA-compliant on paper but never mapped CMIA exposure for its California panel has a gap that will not show up in an OCR audit but will show up in a state attorney general inquiry or a class-action complaint.
DEA and Controlled-Substance Telehealth Prescribing
Prescribing controlled substances via telemedicine sits inside a separate regulatory framework from HIPAA. The Ryan Haight Online Pharmacy Consumer Protection Act of 2008 generally requires an in-person medical evaluation before a practitioner can prescribe a controlled substance via the internet.
During the COVID-19 public health emergency, the DEA granted flexibilities allowing telehealth controlled-substance prescribing without the in-person requirement. Those flexibilities have now been extended through December 31, 2026 by DEA’s Fourth Temporary Extension (Federal Register document 2025-24123, issued December 31, 2025). In January 2025 the DEA released three telemedicine-related rules: two final rules (buprenorphine via telemedicine and a continuity-of-care rule for VA practitioners) and one proposed rule (the Special Registration framework). The Special Registration comment period closed in March 2025 and the rule has not been finalized as of mid-2026, so its real-world impact on practices remains uncertain.
Practices that started prescribing Schedule II through Schedule V substances via telemedicine under the pandemic flexibilities need to confirm their status under the post-flexibility framework. The Special Registration framework creates distinct categories for telemedicine prescribers, telemedicine clinics, and Schedule III through Schedule V prescribing, each with its own in-person exam and registration rules. State medical boards and state pharmacy boards impose additional telehealth prescribing rules on top of the federal floor, often stricter.
This is not a HIPAA question directly, but it sits inside the same telehealth compliance program. A practice with a clean BAA framework that is prescribing controlled substances outside current DEA rules has an enforcement problem no privacy program will fix.
What a Defensible Risk Analysis Looks Like for Telehealth
HIPAA’s Security Rule under 45 CFR 164.308(a)(1)(ii)(A) requires every covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. The requirement is the same whether the practice is in-person or telehealth. The content of a defensible Risk Analysis is not.
Elements a telehealth Risk Analysis must cover that an in-person template typically does not:
- Video platform inventory and BAA mapping. Every video platform in active use, the BAA on file for each, the tier the BAA applies to, and the tier in actual use.
- Recording storage and access. If sessions are recorded, where the recording lives, who can access it, encryption at rest, retention, and the BAA covering the storage.
- Cross-state data flow. The states the patient panel covers, the privacy statutes that apply in each, and the licensing position the practice holds in each.
- Provider workstation and network. Clinician devices (practice-issued or BYOD), encryption, screen-lock, and the residential network and VPN posture for at-home visits.
- Patient portal authentication. Authentication mechanism, MFA enforcement, password reset workflows, and the audit log on portal access.
- Patient device assumptions and state law overlay. What the practice tells patients about device and network use, and how safeguards meet the more-stringent state requirement where applicable.
A template that swaps in the practice name but does not address the items above is not a defensible Risk Analysis for a telehealth practice. OCR has cited inadequate Risk Analysis in nearly every recent telehealth-related enforcement action. The deeper documentation standard is covered in what OCR actually wants in a Risk Analysis.
The flat-fee HIPAA Risk Analysis service at North Privacy Advisors is scoped to deliver an OCR-defensible document that maps the nine HHS elements to the telehealth-specific surfaces above. The deliverable includes a prioritized risk register, a remediation roadmap, and a documentation package you can produce if OCR sends a request letter.
The Practical Picture for Telehealth Practice Owners
Telehealth’s growth has run ahead of its compliance scaffolding. The video platforms got BAAs. The portal vendors mostly got BAAs. The marketing scripts the practice owner installed in 2021 did not. Nobody built the state-by-state privacy map. The Risk Analysis the EHR vendor promised does not address the things that actually matter for a telehealth practice.
The right starting point is the inventory: every vendor in the patient data flow, every state in the patient panel, every device that touches PHI, and every page on the portal. If you cannot produce that inventory today, that is the first project. The structured second look is exactly what the $750 Privacy Exposure Review is designed to deliver: your top compliance gaps in a one-page memo within 48 hours, no retainer.
If you would like to see what the financial stakes look like for a practice of your size, the HIPAA penalty calculator shows how OCR’s tiers translate to actual dollar figures.
Last reviewed: May 31, 2026