HIPAA compliance is non-negotiable for telehealth providers, but the requirements can feel overwhelming when you are building a practice from scratch. The good news: for a solo telehealth practice, the compliance surface is much smaller than that of a hospital or large group practice. This checklist covers what you need in place to be compliant from day one.
Why telehealth has extra HIPAA considerations
Telehealth introduces risks that in-person care does not. Video calls transmit PHI (protected health information) over the internet. Electronic records live on cloud servers. Patients connect from home networks you do not control. Every one of these touchpoints is a potential compliance gap.
The core requirement is straightforward: every vendor whose service creates, receives, stores, or transmits PHI on your behalf must be under a Business Associate Agreement (BAA), and the technology itself must encrypt PHI in transit and at rest, restrict access to the people who need it, and record who accessed what.
The HIPAA compliance checklist for telehealth
1. Business Associate Agreements (BAAs)
A BAA is the contract HIPAA requires between you (the covered entity) and any vendor that creates, receives, maintains, or transmits PHI on your behalf. It obligates the vendor to safeguard the data, to report breaches to you, and to bind its own subcontractors the same way, and it makes the vendor directly liable under HIPAA. You need a signed BAA with every such vendor before seeing your first patient.
Common vendors that require BAAs:
- EHR/EMR system
- Telehealth video platform
- Scheduling software (if it stores patient names or contact info)
- Cloud storage (Google Workspace, Microsoft 365, Dropbox)
- Email provider (if you send any patient communications)
- Billing and claims clearinghouse
- Answering service or virtual receptionist
Most vendors that serve healthcare publish a BAA on their website or will send one on request, but read its scope: BAAs usually apply only to paid business tiers and to a listed set of services (a personal Gmail or free Dropbox account is never covered), and some exclude specific features. If a vendor will not sign a BAA, do not use them for anything involving patient data. The one exception is a pure conduit such as your internet provider or the postal service, which transports data without storing or reading it and does not need a BAA.
2. Telehealth platform requirements
Your video platform must meet specific technical requirements:
- Encryption of video, audio, and chat in transit (TLS plus SRTP at minimum; some platforms offer true end-to-end encryption, which HIPAA does not strictly require but which keeps even the vendor from viewing sessions), and encryption at rest for any recordings, transcripts, or chat logs it retains
- Access controls: unique logins for you and any staff, multi-factor authentication, session timeouts, and a waiting room or per-session link so no one joins uninvited
- Audit logging that records who accessed what and when
- A signed BAA from the platform vendor covering the specific plan you are on
Note that nothing is "HIPAA-certified"; HHS certifies no products. What makes a platform usable for telehealth is that the vendor will sign a BAA for your plan and that you configure it the way the BAA assumes. Doxy.me, Zoom (on a paid plan with Zoom's BAA, marketed as Zoom for Healthcare), SimplePractice Telehealth, and TherapyNotes all offer BAAs. Consumer FaceTime, Skype, free Zoom accounts, and Meet on a personal Google account do not; Google Meet is covered only under a paid Google Workspace BAA. The enforcement discretion OCR announced during the COVID-19 public health emergency, which tolerated consumer video apps for telehealth, ended on August 9, 2023.
3. Privacy policies and notices
You need two documents:
- Notice of Privacy Practices (NPP): Tells patients how you use and disclose their information and what rights they have. Give it no later than the first visit, make a good-faith effort to get a signed acknowledgment (and document it if the patient declines), and post it on your website if you have one.
- Website privacy policy: Not a HIPAA document, but state consumer-privacy laws and the FTC expect one if your site collects anything (contact forms, email signups, scheduling). Keep third-party analytics and advertising pixels off scheduling, portal, and other pages where patients identify themselves unless the vendor is under a BAA; OCR's guidance on tracking technologies treats data sent to such vendors from those pages as a disclosure of PHI.
4. Security Risk Assessment
The Security Rule requires every covered entity to conduct a risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and to act on it with a risk management plan. The rule does not fix a frequency; an annual review, plus a fresh pass whenever you change EHR, video platform, or another vendor, is the accepted practice and what auditors look for. For a solo practice, this does not need to be a massive audit. It is a structured review of where PHI is created, stored, transmitted, and accessed, what could go wrong at each point, and how likely and how damaging that would be.
HHS's Office of the National Coordinator and Office for Civil Rights publish a free SRA Tool at healthit.gov. Walk through it, document your findings, and for every risk record the mitigation you chose (or your reason for accepting the risk) with a target date. Keep the completed assessment and the mitigation plan on file. A missing or stale risk analysis is among the most frequently cited findings in OCR enforcement actions, and it is the first thing an auditor will ask for.
5. Encryption and access controls
- Enable full-disk encryption on every device you use for patient care (FileVault on macOS, BitLocker on Windows, the default encryption on current iOS and Android). This matters twice over: encrypted PHI is not "unsecured PHI", so a lost or stolen device whose key was not compromised is not a reportable breach.
- Use strong, unique passwords for every system, kept in a password manager.
- Enable multi-factor authentication on your EHR, email, video platform, and cloud storage; prefer an authenticator app or hardware security key over SMS codes.
- Set automatic screen lock after 2-5 minutes of inactivity and require the password on wake.
- Keep operating systems, browsers, and the EHR app on automatic updates.
- On public or shared WiFi, use a VPN or your phone's hotspot. Your EHR and video platform should already use TLS, but the VPN keeps DNS queries and anything not on HTTPS off the café's network.
- Turn off cloud backup and photo sync for anything that can capture PHI (screenshots of charts, voice memos, app data) unless that backup service is also under a BAA.
6. Telehealth-specific consent
Many states require a separate telehealth-specific informed consent form in addition to your standard treatment consent. This form should cover:
- The nature of telehealth services and their limitations
- Technology requirements and potential risks (connectivity issues, security)
- The patient's right to refuse telehealth and request in-person care
- How PHI is transmitted and stored during telehealth sessions
- Emergency protocols if the patient is in crisis during a virtual session
7. Breach notification procedures
If unsecured (unencrypted) PHI is breached, the clock starts on the date of discovery: the first day you, or anyone in your workforce, knew or by reasonable diligence should have known about it. Every affected individual must be notified in writing without unreasonable delay and no later than 60 calendar days after discovery, whatever the size of the breach. If fewer than 500 individuals are affected, log the breach and report it to HHS within 60 days after the end of the calendar year in which it was discovered. If 500 or more are affected, report it to HHS at the same time you notify individuals, and if more than 500 residents of a single state are affected, also notify prominent media outlets serving that state within the same 60 days. An incident involving PHI that was encrypted to HHS's standard, with the key not compromised, is not a reportable breach; an incident involving unencrypted PHI is presumed to be one unless your documented four-factor risk assessment shows a low probability that the data was compromised.
Document your breach notification procedure before you need it: who you call (your EHR vendor's security contact, your malpractice carrier, an attorney if needed), what you log (date of discovery, what PHI, how many people, which states), and the notification letter template. Your BAAs should require vendors to report breaches on their side quickly; the rule allows them up to 60 days from their own discovery, and a shorter contractual window leaves you more of your 60 days to act.
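As an added example that is not part of the original checklist, here is a small Python helper that turns the Breach Notification Rule's deadlines into concrete dates you can paste into the SOP. The function and field names and the sample scenario are constructed for illustration; the 60-day windows and 500-person thresholds come from 45 CFR 164.404, 164.406 and 164.408. It handles the two places people get this wrong: the "fewer than 500" report is due 60 days after the end of the calendar year of discovery (not of the incident), and the media threshold is "more than 500 residents of one state" while the immediate HHS threshold is "500 or more individuals".

```python
"""Deadline calculator for the HIPAA Breach Notification Rule (45 CFR 164.400-414).

Constructed example; function names, field names and sample dates are not
from any regulation or vendor. The dates are outer limits in calendar days:
notice must go out "without unreasonable delay", so waiting until day 60
without a reason can itself be a violation.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Union

# 164.404(b), 164.406(b), 164.408(b): "no later than 60 calendar days"
NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500   # 164.408(b): 500 or more individuals
MEDIA_THRESHOLD = 500           # 164.406(a): more than 500 residents of one State


@dataclass(frozen=True)
class BreachDeadlines:
    individuals_by: date        # written notice to every affected individual
    hhs_by: date                # report to the HHS breach portal
    hhs_route: str              # "with individual notice" or "annual log"
    media_by: Optional[date]    # None when no media notice is required


def breach_deadlines(discovered: Union[date, str], affected_total: int,
                     max_residents_one_state: int) -> BreachDeadlines:
    """Compute notification deadlines from the date of discovery.

    `discovered` is the first day the breach was known, or by reasonable
    diligence would have been known, to you or any workforce member
    (164.404(a)(2)); it is not the day you finished investigating.
    `max_residents_one_state` is the largest number of affected people who
    live in any single State or jurisdiction, which drives media notice.
    ISO date strings are accepted so the helper can be fed from a form.
    """
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    if affected_total < 1:
        raise ValueError("no affected individuals: nothing to notify")
    if max_residents_one_state > affected_total:
        raise ValueError("single-state count cannot exceed the total")

    individuals_by = discovered + NOTICE_WINDOW

    if affected_total >= HHS_IMMEDIATE_THRESHOLD:
        # 164.408(b): HHS is told contemporaneously with individual notice.
        hhs_by, hhs_route = individuals_by, "with individual notice"
    else:
        # 164.408(c): log it and submit within 60 days after the end of the
        # calendar year in which it was *discovered* (not when it occurred).
        year_end = date(discovered.year, 12, 31)
        hhs_by, hhs_route = year_end + NOTICE_WINDOW, "annual log"

    media_by = individuals_by if max_residents_one_state > MEDIA_THRESHOLD else None
    return BreachDeadlines(individuals_by, hhs_by, hhs_route, media_by)


if __name__ == "__main__":
    # Constructed scenario: an unencrypted phone holding 30 patients' numbers,
    # noticed missing on 2024-11-15, all 30 patients in the same state.
    d = breach_deadlines("2024-11-15", affected_total=30, max_residents_one_state=30)
    print(f"patients by {d.individuals_by}; HHS ({d.hhs_route}) by {d.hhs_by}; "
          f"media notice: {d.media_by or 'not required'}")
```

Put the discovery date in the incident log the day you learn of the incident, then run this once; the "annual log" route still requires individual notice within 60 days, which is the part solo practices most often miss.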
The TelemedLaunch SOP template includes a HIPAA compliance tab with 20 trackable requirements, completion dates, and renewal reminders. Every item on this checklist maps to a row in the tracker. See the full system.
Common mistakes that trigger HIPAA violations
- Texting patients from your personal phone without a HIPAA-compliant messaging platform
- Storing patient files on a personal Google Drive without a BAA
- Using a free or personal Zoom, Google, or Skype account that has no BAA instead of a paid plan on which the vendor signs one
- Not encrypting your laptop or tablet
- Forgetting to re-attest your CAQH profile (not HIPAA, but related compliance)
- Skipping the annual Security Risk Assessment
Bottom line
HIPAA compliance for a solo telehealth practice comes down to three things: sign BAAs with every vendor, encrypt everything, and document your policies. The risk assessment takes a few hours once a year. The rest is about choosing the right tools and building good habits from the start.
Get compliant from day one
The Telehealth Practice Launch Kit includes a HIPAA compliance tracker, consent templates, and a step-by-step walkthrough for every requirement on this list.
Get the Launch System: $299