HIPAA documentation for telehealth practices. Built in 30 days.
A complete HIPAA-aligned documentation package for virtual care providers, scoped to your video platform, secure messaging stack, and the states where your patients actually live. ComplianceArmor delivers 33 policy templates, the Security Risk Analysis at 45 CFR § 164.308(a)(1)(ii)(A), BAA register, breach notification plan, and OCR-ready evidence library.
Telehealth changes your HIPAA scope. The package has to match.
Whether you launched virtual visits during the public health emergency or built telehealth into your model from day one, your protected health information now travels across states, devices, and vendor platforms in ways an in-person practice never has to think about.
This page is for telehealth-first medical groups, behavioral health platforms, virtual urgent care providers, hybrid in-person practices that added video visits, and digital-health startups that route PHI through a video API or asynchronous messaging product. If your patients connect from their phones, your clinicians see patients from a home office, and your platform stack includes any of Zoom for Healthcare, Doxy.me, SimplePractice, VSee, eClinicalWorks telehealth, athenaTelehealth, or a custom WebRTC build, this page addresses your HIPAA scope.
What makes telehealth scope unique is the combined reach of a virtual practice. A single video visit can touch a patient in one state, a clinician in a second state, a video platform hosted in a third, recordings stored on a cloud bucket in a fourth, and a transcription vendor that reads PHI in a fifth. Every one of those legs needs an executed Business Associate Agreement, a documented data flow, and a breach-response path that names the right state attorney general.
Telehealth also brought scrutiny. The post-public-health-emergency relaxations on platform choices have largely sunset; HHS Office for Civil Rights ended its discretionary enforcement on non-public-facing video platforms in August 2023, which means the temporary tolerance for FaceTime and Skype is gone. Telehealth groups that locked in their stack during 2020 and never went back through scoping are the ones OCR is most likely to find lacking when a complaint surfaces.
Where OCR finds telehealth practices coming up short.
These are the failure patterns that show up in HHS resolution agreements, state attorney general settlements, and class-action filings against virtual care providers.
Unsigned BAAs with video vendors
A consumer Zoom or Microsoft Teams account is not HIPAA-aligned. The BAA-eligible variants (Zoom for Healthcare, Teams for Healthcare) require executed agreements before the first PHI-bearing visit. Many practices upgraded the license but never countersigned the BAA.
Recording retention with no policy
If your platform records visits, those recordings are PHI. Retention windows, encryption at rest, access controls, and deletion procedures all need to be written down. State medical record retention laws (often 7-10 years) may exceed your platform's default.
Cross-state breach notification confusion
A breach affecting patients in 12 states means notifying 12 attorneys general under their respective laws, not just OCR. Telehealth groups frequently treat HIPAA's 60-day clock as the only deadline and miss state-specific 30-day or 45-day windows.
Mobile patient access with no MDM
Patients connect from personal phones, but so do clinicians. If a clinician's personal device shows the patient queue, the clinical chart, or chat threads, that device is in scope. Mobile device management, encryption, remote wipe, and acceptable use policies all need documentation.
Secure messaging policies that contradict practice
Many platforms enable patient-clinician chat by default. If a patient texts your front desk number from their phone, you have an inbound PHI channel. Without a documented secure messaging policy, the practice is operating outside of HIPAA's transmission security rule.
Home office workforce security
Clinicians providing care from a home office are still in scope. Workstation security, network controls, family member access, printer placement, and physical document destruction all need to be addressed in your administrative and physical safeguards.
Recent OCR enforcement against telehealth-adjacent organizations has averaged seven-figure resolution agreements, and the trend lines from HIPAA breach notification response data show telehealth platforms are increasingly the named entity. The good news: the documentation that prevents an OCR finding is the same documentation a Series A or strategic acquirer will ask for in due diligence.
Telehealth-scoped HIPAA documentation. In one package.
The full ComplianceArmor HIPAA library, with telehealth-specific scoping baked into every artifact. Branded, editable, yours forever, no subscription.
33 HIPAA Policy Templates
Administrative, Physical, Technical, and Organizational safeguards, scoped to a virtual practice.
Security Risk Analysis
Required at 45 CFR § 164.308(a)(1)(ii)(A), scored for video, messaging, and recording flows.
Telehealth Platform Vetting
BAA status check for Zoom for Healthcare, Doxy.me, SimplePractice, VSee, and your existing stack.
Business Associate Register
BAA tracker with executed agreements for video, transcription, e-prescribing, and cloud storage.
Multi-State Breach Plan
HIPAA four-factor risk assessment plus state-by-state notification clocks for the states you serve.
Recording Retention Policy
Retention windows, encryption, access controls, and deletion procedure for recorded visits.
Mobile Device Management Policy
Clinician device standards, patient portal access controls, encryption, and remote wipe procedures.
Secure Messaging Policy
Patient-clinician chat, asynchronous care, and inbound PHI handling for non-secure channels.
Workforce Training Program
Telehealth-specific privacy training, recorded for distributed staff, with annual refresh and sign-in logs.
ePHI Inventory & Boundary
Where electronic protected health information lives across the video, EHR, and messaging stack.
OCR Interview Prep Guide
The questions investigators ask telehealth practices, with confident, plain-English answers.
Risk Management Plan
Remediation roadmap with owners, target dates, and the cadence to retire each finding.
Telehealth HIPAA done-for-you. Fixed price.
No hourly billing. No surprise invoices. No external auditor required to attest to HIPAA. You own every document forever.
Delivered in 30 days, scoped to your video platform, messaging stack, and the states where your patients live. Self-attested under HHS rules: there is no HHS-recognized HIPAA certification.
Where the price moves: A single-state telehealth practice with one video platform and a clean EHR sits at the $7,997 base. Multi-state practices, recording-heavy specialties, integrations with three or more clinical platforms, and groups that already have an active OCR matter add scoping time. We tell you the number before you sign, in writing. Bundle pricing with SOC 2 ($18,997) and PCI ($24,997 for HIPAA + PCI + SOC 2) is also available.
If we missed something, we fix it free.
Every ComplianceArmor HIPAA engagement carries the Petronella Technology Group Audit-Ready Promise. If any artifact has a gap, we fix it at no charge within 30 days. If your package fails an OCR review or audit because of our work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.
Telehealth HIPAA questions buyers ask.
Do the post-public-health-emergency telehealth relaxations still apply?
No. HHS Office for Civil Rights ended its discretionary enforcement on non-public-facing video platforms in August 2023. The temporary tolerance for consumer-grade tools like FaceTime and Skype is over. If you stood up telehealth in 2020 and have not re-scoped since, you are operating out of step with the current enforcement posture. The ComplianceArmor package includes a current platform assessment and an executed-BAA verification across your stack.
How does the package handle cross-state PHI flow?
Your scoping intake captures the states your patients live in, the states your clinicians are licensed in, and where your video, recording, and EHR vendors host data. The Breach Notification Plan includes a state-by-state notification clock so the response team is not improvising under pressure. The BAA register tracks where each business associate's data center actually sits, which matters for cross-border transfer policies and for some state attorney general questionnaires.
HIPAA preempts less protective state laws but is itself preempted by more protective ones. The package documents which states impose tighter rules (notably California, Texas, New York, and Massachusetts) and what additional notification language is required.
What about state telehealth licensure rules separate from HIPAA?
State telehealth licensure (where your clinician must be licensed in the patient's state, the limits on prescribing controlled substances by telehealth, and consent-to-treat formalities) is not a HIPAA matter, but the documentation overlaps. The Notice of Privacy Practices, the patient-consent record, and the workforce training program need to reflect the licensure constraints your medical director has already accepted. The package includes a hand-off section so your legal counsel and compliance officer can layer state licensure language onto the HIPAA program without rewriting it.
Are session recordings PHI? How long do we keep them?
If a recording contains identifiable patient information (their face, voice, name, condition discussed), it is PHI under HIPAA and a medical record under most state laws. Retention is set by state law, not HIPAA, and ranges from 5 years (some states) to 10 years past the patient's last visit, with longer windows for minors. Pediatric specialties typically need to keep records until the patient turns 21, plus the state's general retention period.
The Recording Retention Policy in the package writes down your retention rule, the encryption standard at rest, who has access, the deletion procedure, and the legal hold process when a recording is requested in litigation or by subpoena.
Our clinicians work from home offices. What does that mean for HIPAA?
The home office is in scope. Your administrative safeguards have to address remote workforce security: who is allowed to see the screen, where the printer is, how documents are destroyed, what the network looks like, and what happens if the device is lost. Your physical safeguards have to acknowledge that the workstation is not in your facility and adapt accordingly. The package includes a Remote Workforce Policy and a Home Office Workstation Standard that distributed clinicians can sign and meet without a site visit from compliance.
What if a patient texts or emails our front desk number?
If your front desk responds with PHI on a non-secure channel, you have a transmission security gap. The Secure Messaging Policy in the package documents your acceptable channels, your inbound handling rule (acknowledge the message and route the patient to the secure portal), and the patient-consent language for whenever you use a less-secure channel because the patient asked you to. The 2024 OCR guidance on patient-initiated communications is reflected in the policy text.
How is this different from buying SimplePractice's HIPAA bundle?
Platforms like SimplePractice, TheraNest, and Doxy.me will sign a BAA with you and provide certain technical safeguards inside their product. They do not write your policies, run your Risk Analysis, document your physical safeguards, or train your workforce. ComplianceArmor produces the practice-level program around the platforms you already use. We treat the platform's BAA as one input to your program, not a substitute for the program itself.
What happens if we get an OCR complaint?
OCR opens HIPAA investigations through complaints, breach reports, or its periodic audit program. The first ask is always the same: a current Risk Analysis, written policies for each safeguard category, evidence of workforce training, BAAs for vendors who handle PHI, and a documented breach notification process. Your ComplianceArmor package delivers all of these in a single binder, with an OCR Interview Prep Guide that walks through the exact questions investigators ask telehealth practices and how to answer them with the documentation in hand. For active incident response, see our incident response services.
Stop authoring HIPAA policies. Start the program.
Schedule a 30-minute demo. We will walk through your video platform, messaging stack, multi-state footprint, and home-office workforce, scope your HIPAA package live, and show the deliverables an OCR investigator would expect to see for a virtual practice.