Patient Privacy in Telehealth Visits: A Compliance Guide for Small Practices (42 CFR § 410.78(g))
Executive Summary
Telehealth has become a critical care delivery model for small practices, but it comes with strict Medicare rules on patient privacy. Under 42 CFR § 410.78, providers must use secure technology, verify patient identity, and maintain confidentiality during virtual encounters. Noncompliance risks audits, financial penalties, and reputational harm. For resource-limited practices, practical strategies such as encrypted platforms, documented consent, and affordable compliance tools can ensure adherence. This guide explains how small practices can align telehealth operations with privacy requirements while protecting patients and maintaining Medicare reimbursement eligibility.
Introduction
The COVID-19 pandemic accelerated telehealth adoption, and small practices continue to rely on it for accessible and cost-effective care. However, with increased usage comes heightened scrutiny from CMS and the Office for Civil Rights (OCR). Section 42 CFR § 410.78 sets conditions for Medicare telehealth services, including requirements for safeguarding patient data and ensuring privacy during remote encounters. For small practices, compliance is not optional; it directly affects billing legitimacy, patient trust, and legal liability. Understanding and implementing these requirements allows practices to deliver high-quality care while avoiding costly enforcement actions.
Understanding Telehealth Privacy Under 42 CFR § 410.78
Section 410.78(g) establishes explicit conditions for telehealth coverage:
- Technology Standards: Telehealth services must be furnished via an interactive telecommunications system with real-time audio and video. Platforms must safeguard patient privacy and comply with HIPAA confidentiality rules (42 CFR § 410.78(a)(3)).
- Patient Location and Consent: Providers must verify the patient’s location at the time of service and obtain informed consent when applicable. Documentation of these elements is essential (42 CFR § 410.78(a)(4), (b)(3)).
- Recordkeeping: Telehealth encounters must be documented in the medical record, including patient identification, service location, and practitioner authentication.
- Confidentiality: Sessions must occur in private settings where unauthorized individuals cannot overhear or access PHI, consistent with HIPAA’s Privacy Rule.
Understanding these obligations reduces the risk of billing disallowances and ensures compliance with CMS and HIPAA standards.
The OCR’s Authority in Telehealth Privacy
OCR enforces HIPAA rules when PHI is created, transmitted, or stored during telehealth visits. OCR investigations may be triggered by:
- Patient complaints about overheard telehealth sessions or unauthorized disclosures.
- Data breaches caused by insecure telehealth platforms.
- Random audits assessing whether telehealth workflows comply with HIPAA Privacy and Security Rules.
OCR has emphasized that providers must use technology that implements encryption, authentication, and access controls. Small practices must therefore align 42 CFR § 410.78 requirements with HIPAA safeguards to prevent enforcement actions.
Step-by-Step Compliance Guide for Small Practices
Step 1: Select a HIPAA-Compliant Telehealth Platform
- Use platforms that provide encryption, business associate agreements (BAAs), and audit logging.
- Avoid consumer-grade tools (e.g., FaceTime, Skype) unless approved under OCR’s temporary discretion policies, which have largely expired.
Step 2: Verify Patient Identity and Location
- At the start of each visit, confirm the patient’s identity with two identifiers (e.g., name and date of birth).
- Document the patient’s location to comply with coverage rules and emergency response planning.
Step 3: Obtain and Document Consent
- Inform patients about telehealth limitations and privacy risks.
- Record verbal consent in the medical record or use electronic consent forms.
Step 4: Secure the Physical Environment
- Conduct visits from private offices, not public spaces.
- Train staff to prevent unauthorized access to screens or conversations.
Step 5: Document the Encounter
- Note telehealth as the service modality, confirm the platform used, and authenticate the provider entry.
- Retain documentation consistent with medical record standards.
Step 6: Train Staff and Test Systems
- Provide annual training on HIPAA and telehealth-specific privacy rules.
- Test telehealth systems for encryption, access controls, and failover capacity.
Case Study
A behavioral health clinic used a free video platform for telehealth visits without a BAA in place. During one session, unauthorized parties gained access to the meeting link and overheard sensitive patient discussions. The breach was reported to HHS, triggering an OCR investigation that uncovered systemic gaps in risk analysis and vendor oversight. The clinic ultimately faced a $50,000 settlement and a mandatory corrective action plan for failing to implement secure technology under 42 CFR 410.78(g) and HIPAA. Leadership acknowledged that the decision to cut costs by avoiding licensed platforms exposed patients to serious privacy risks and damaged community trust.
Conversely, a small pediatric practice proactively implemented a HIPAA-compliant telehealth system with clear documentation of patient consent and annual staff training on remote care protocols. The practice also worked with its vendor to establish a robust BAA and monitored usage through detailed access logs. When audited by CMS, the practice demonstrated compliance with ease by providing logs, written policies, and staff certifications. The audit closed without penalties, and patients expressed strong confidence after the practice publicized its commitment to privacy and security. This proactive approach not only ensured regulatory compliance but also enhanced the clinic’s reputation as a safe, modern healthcare provider.
Simplified Self-Audit Checklist for Telehealth Privacy
| Task | Responsible Party | Timeline | CFR Reference |
|---|---|---|---|
| Select HIPAA-compliant telehealth platform | Compliance Officer | Initial setup | 410.78(g) |
| Verify patient identity and location | Provider | Each encounter | 410.78(g)(2) |
| Document patient consent | Provider | Each encounter | 410.78(g)(3) |
| Secure physical environment | Office Manager | Ongoing | 410.78(g)(4) |
| Record encounter details in chart | Provider | Each encounter | 410.78(g) |
| Train staff on privacy rules | Office Manager | Annually | 410.78(g), HIPAA |
Common Pitfalls to Avoid Under 42 CFR § 410.78
- Using noncompliant platforms: Consumer-grade tools without encryption or BAAs fail compliance.
- Failing to verify patient identity/location: Omitting this step risks billing denials and liability.
- Lack of consent documentation: Verbal consent must be documented in the record.
- Conducting visits in public or shared spaces: Unauthorized disclosures may trigger OCR enforcement.
- Insufficient staff training: Without documented training, practices cannot demonstrate compliance.
Avoiding these errors protects small practices from CMS audits and HIPAA penalties.
Best Practices for Telehealth Privacy Compliance
- Maintain written telehealth privacy policies aligned with 42 CFR § 410.78.
- Use encrypted email or portals for pre-visit communication and document sharing.
- Provide patients with clear telehealth privacy instructions before appointments.
- Monitor system access logs to detect unauthorized use.
- Perform annual self-audits of telehealth compliance using CMS and OCR guidance.
These best practices reduce compliance risk and build patient confidence in telehealth services.
Building a Culture of Compliance Around Telehealth Privacy
Telehealth privacy compliance must be embedded in daily operations. Leadership should emphasize privacy in staff meetings, onboarding, and ongoing training. Policies must be easily accessible, and compliance responsibilities should be assigned to a designated officer. Encouraging staff to report privacy concerns without fear of retaliation fosters a proactive compliance environment.
Concluding Recommendations, Advisers, and Next Steps
Telehealth under 42 CFR § 410.78 requires providers to safeguard patient privacy through secure technology, consent documentation, and staff training. For small practices, practical steps such as choosing HIPAA-compliant platforms, verifying patient identity, and maintaining private environments provide affordable paths to compliance.
Advisers
Small practices can strengthen compliance by:
- Using CMS Telehealth Toolkits for official guidance.
- Accessing OCR HIPAA Privacy and Security Rule FAQs for privacy alignment.
- Leveraging OIG compliance toolkits for policy development.
- Implementing affordable compliance platforms such as Compliancy Group or HIPAA One to track training, policies, and BAAs.
By combining free government resources with cost-effective software, small practices can deliver secure telehealth services while maintaining regulatory compliance.
To further strengthen your compliance posture, consider using a compliance regulatory tool. These platforms help track and manage requirements, provide ongoing risk assessments, and keep you audit-ready by identifying vulnerabilities before they become liabilities, demonstrating a proactive approach to regulators, payers, and patients alike.