Question 1

Did the HIPAA telehealth flexibility from COVID still apply in 2026?

Accepted Answer

No. HHS OCR ended HIPAA enforcement discretion for telehealth on August 9, 2023, 90 days after the COVID-19 public health emergency expired on May 11, 2023. The full standard HIPAA Security Rule, Privacy Rule, and Breach Notification Rule apply to all telehealth interactions from that date forward. Consumer-grade FaceTime, Skype, personal Google Meet, and other non-HIPAA platforms are no longer permitted for clinical care. Every covered entity using telehealth must have an executed Business Associate Agreement with the platform provider.

Question 2

Which telehealth platforms include BAAs in 2026?

Accepted Answer

Doxy.me offers BAA coverage on all tiers including the free tier, per Doxy.me's own help documentation. Zoom signs BAAs for Zoom Business, Zoom Business Plus, and Zoom Enterprise tiers (the consumer Free and Pro plans do not include a BAA). SimplePractice, TherapyNotes, and Spruce include BAA coverage in standard paid plans. Google Meet supports BAA through Google Workspace, not consumer Gmail. Microsoft Teams supports BAA through Microsoft 365 healthcare-specific plans. Before clinical use, confirm the BAA is executed and the specific service tier you are using is covered.

Question 3

What about the DEA telehealth prescribing rules?

Accepted Answer

The DEA telehealth flexibilities for controlled substance prescribing were extended through December 31, 2026 by the Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescribing Controlled Medications. These allow prescribing controlled substances via telehealth without an in-person evaluation in many circumstances. The DEA has issued two final rules and one proposed rule covering buprenorphine treatment, V.A. providers, and a proposed Special Registration framework for telehealth controlled substance prescribing that has not yet been finalized. Practices that prescribe via telehealth should track the Special Registration rulemaking and confirm their workflows match the current extension terms.

Question 4

Does Texas have separate telehealth privacy requirements?

Accepted Answer

Yes. Texas Senate Bill 1188, signed by Governor Greg Abbott on June 20, 2025 and effective September 1, 2025, requires that EHR data of Texas residents be physically stored within the United States. This data localization requirement took effect January 1, 2026 and applies to EHR vendors and cloud storage services used by Texas telehealth practices. Confirm in writing with your EHR and telehealth platform vendors that all stored PHI resides on US servers. SB 1188 also requires that Texas covered entities provide a minor's parent or guardian "complete and unrestricted access" to the minor's EHR "immediately." Texas HB 300 separately requires training within 90 days of hire and signed records retained for six years.

Question 5

What HIPAA-specific risks does a telehealth practice face that an in-person practice does not?

Accepted Answer

Telehealth practices have four distinct risk patterns. First, the platform itself is in scope: BAA coverage, encryption standards, session recording retention, and breach notification timelines all become the practice's responsibility to verify. Second, multi-state practice introduces dual or triple regulatory layers: state licensure, state medical board telehealth rules, and state privacy laws (TDPSA, VCDPA, CCPA depending on patient residency) all apply. Third, the practitioner's personal workspace becomes part of the administrative-safeguard scope: home network security, visible PHI on screens, household members within auditory range, and shared family devices are all Risk Analysis inputs. Fourth, the patient's end of the call is uncontrolled: the practice cannot prevent the patient from being in a public space, on a shared device, or with another person present. The Risk Analysis must address how the practice handles each.

Platform	BAA Status	Notes
Doxy.me	All tiers	Free tier includes BAA per Doxy.me's own help documentation. Probably the most accessible option for solo practitioners.
Zoom	Business+ only	Zoom Business, Business Plus, and Enterprise tiers sign BAAs. Free and Pro plans do not include a BAA. Confirm tier on signup.
SimplePractice	All paid plans	Practice management + telehealth in one. Standard plans include BAA.
TherapyNotes	All paid plans	Behavioral health-focused EHR with built-in telehealth. BAA in all paid tiers.
Spruce	All paid plans	HIPAA-secure messaging and video for healthcare. BAA included.
Google Meet	Workspace only	Google Workspace plans support BAA. Consumer Gmail does not.
Microsoft Teams	M365 healthcare	Microsoft 365 healthcare-specific plans support BAA. Personal Teams does not.
FaceTime / Skype / Free Google Meet	No BAA	Consumer products. Not permitted for clinical care since August 9, 2023.

HIPAA Compliance for
Telehealth Practices.

Four Compliance Pressure Points
That a Generic Risk Analysis Misses.

The Platform Itself Is in Scope

Multi-State Practice Multiplies State-Privacy Exposure

Practitioner Workspace Becomes Administrative-Safeguard Scope

The Patient's End Is Uncontrolled

Which Telehealth Platforms
Actually Sign BAAs.

Your Telehealth Practice
Has Higher Compliance Stakes, Not Lower.

HIPAA Compliance forTelehealth Practices.

Four Compliance Pressure PointsThat a Generic Risk Analysis Misses.