The HITECH Act and Telehealth: Securing Remote Patient Communications
Executive Summary
The rapid growth of telehealth has transformed how small healthcare practices deliver care, offering patients convenient access to providers through secure video conferencing, messaging, and remote monitoring tools. However, telehealth also introduces new risks to electronic Protected Health Information (ePHI). Under the Health Information Technology for Economic and Clinical Health (HITECH) Act, small practices are legally obligated to secure all remote patient communications in compliance with HIPAA’s Privacy, Security, and Breach Notification Rules (45 CFR § 164.306(a); § 164.308(a)(1)). This guide provides small practices with a step-by-step roadmap for implementing HITECH-compliant telehealth services that protect patient privacy, maintain trust, and minimize the risk of costly violations.
Introduction
Telehealth platforms, mobile apps, and connected devices now allow providers to conduct virtual visits, send lab results securely, and monitor patients in real time. While these technologies improve care access, especially for rural and underserved populations, they also present a larger “attack surface” for cybercriminals.
Under HITECH, small practices must ensure that any system used for telehealth communication meets the same security and privacy standards required for in-person care. This means securing every channel, whether it’s video conferencing, secure email, chat, or patient portals, against interception, unauthorized access, and data breaches.
Failing to meet these standards not only risks patient trust but can result in steep civil monetary penalties, breach notification costs, and reputational damage.
Understanding HITECH’s Telehealth Security Requirements
HITECH enhances HIPAA’s Security Rule by making breach notification mandatory, increasing penalties for noncompliance, and expanding obligations to business associates, including telehealth vendors. For telehealth, this means:
- Administrative Safeguards – Risk analysis, vendor management, workforce training, and security policies specific to telehealth (§ 164.308(a)(1)(ii)(A)–(B))
- Physical Safeguards – Securing devices used for telehealth (laptops, tablets, smartphones) to prevent theft or unauthorized access (§ 164.310(d)(1); § 164.310(a)(1))
- Technical Safeguards – Implementing encryption, access controls, and secure transmission methods for all remote communications (§ 164.312(a)(2)(iv); § 164.312(d); § 164.312(e)(2)(ii))
- Breach Notification – Reporting breaches of unsecured ePHI to affected individuals, the Office for Civil Rights (OCR), and sometimes the media (§§ 164.404–164.410; § 164.414(b))
HITECH also requires that practices ensure business associates, such as telehealth platform providers, sign and comply with Business Associate Agreements (BAAs) (§ 164.308(b)(1)–(3); § 164.314(a); § 164.504(e)).
Common Risks in Telehealth Communications
- Unencrypted Video Calls – Using consumer-grade video apps without end-to-end encryption exposes patient data to interception.
- Weak Authentication – Allowing access without multi-factor authentication increases unauthorized login risks.
- Device Theft or Loss – Mobile devices with stored ePHI are a prime breach risk.
- Public Wi-Fi Use – Conducting telehealth sessions over unsecured networks exposes transmissions to cyber threats.
- Poor Vendor Security Practices – Partnering with platforms that lack strong security controls leaves ePHI vulnerable.
Step-by-Step Guide to Securing Telehealth Under HITECH
Step 1: Conduct a Telehealth-Specific Risk Analysis (§ 164.308(a)(1)(ii)(A))
Identify all systems, devices, and processes used for telehealth. Assess potential threats, including:
- Data interception during transmission.
- Unauthorized access to session recordings.
- Device vulnerabilities from outdated software.
Document all risks and outline mitigation strategies.
Step 2: Select a HITECH-Compliant Telehealth Platform (§ 164.308(b)(1)–(3); § 164.314(a); § 164.504(e))
Choose a platform that:
- Offers end-to-end encryption.
- Allows secure user authentication.
- Stores data on HIPAA-compliant servers.
- Provides a signed BAA.
Step 3: Implement Strong Authentication Controls (§ 164.312(a)(2)(i); § 164.312(d); § 164.308(a)(4)(ii)(B))
- Require unique logins for each user.
- Enable multi-factor authentication (MFA).
- Limit access based on user roles.
Step 4: Encrypt All Data in Transit and at Rest (§ 164.312(e)(2)(ii); § 164.312(a)(2)(iv))
- Use AES-256 encryption for stored data.
- Ensure all transmissions use TLS 1.2 or higher.
- Verify that recordings and chat logs are encrypted and stored securely.
Step 5: Secure End-User Devices (§ 164.310(d)(1); § 164.310(c))
- Require antivirus and firewall protections.
- Enable automatic device lockout after inactivity.
- Prohibit storage of ePHI on personal devices.
Step 6: Train Staff on Telehealth Privacy and Security (§ 164.308(a)(5))
Provide workforce training on:
- Using approved platforms only.
- Avoiding telehealth over public Wi-Fi.
- Recognizing phishing attempts targeting telehealth logins.
Step 7: Maintain Ongoing Monitoring and Incident Response (§ 164.308(a)(1)(ii)(D); § 164.312(b); § 164.308(a)(6)(ii); § 164.308(a)(8))
- Log and review all telehealth access events.
- Establish procedures for handling suspected breaches.
- Conduct annual telehealth security audits.
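The access-log review that Step 7 calls for, applied to the controls from Step 3 (MFA on every login, role-limited access), as an added example that is not part of the original guide or of any telehealth product. The log format and the sample lines are constructed for illustration; a real platform's export will differ, and the rules would be adjusted to its fields.

```python
from collections import Counter

# Constructed sample telehealth access log (hypothetical format, not from any
# real platform). Columns: timestamp,user,role,event,mfa,result,resource
SAMPLE_LOG = """\
2024-03-04T08:01:10,dr.lee,clinician,login,yes,success,-
2024-03-04T08:02:31,dr.lee,clinician,view_recording,yes,success,visit-1042
2024-03-04T08:05:02,frontdesk1,scheduler,login,no,success,-
2024-03-04T08:06:45,frontdesk1,scheduler,view_recording,no,success,visit-1042
2024-03-04T08:10:00,nurse.kim,clinician,login,yes,failure,-
2024-03-04T08:10:20,nurse.kim,clinician,login,yes,failure,-
2024-03-04T08:10:41,nurse.kim,clinician,login,yes,failure,-
2024-03-04T08:11:05,nurse.kim,clinician,login,yes,success,-
"""

RECORDING_ROLES = {"clinician"}  # roles permitted to open session recordings (assumed policy)
FAILED_LOGIN_THRESHOLD = 3       # failures per user that warrant a reviewer's attention

def parse_log(text):
    """Turn the constructed CSV lines into dicts, skipping blank lines."""
    fields = ["ts", "user", "role", "event", "mfa", "result", "resource"]
    rows = []
    for line in text.splitlines():
        if line.strip():
            rows.append(dict(zip(fields, line.split(","))))
    return rows

def review_access_log(text):
    """Return (rule, user, detail) findings for the monthly access review."""
    findings = []
    failures = Counter()
    for r in parse_log(text):
        # Step 3: every successful login must have used MFA
        if r["event"] == "login" and r["result"] == "success" and r["mfa"] != "yes":
            findings.append(("login_without_mfa", r["user"], r["ts"]))
        if r["event"] == "login" and r["result"] == "failure":
            failures[r["user"]] += 1
        # Step 3: recordings are limited to roles that need them
        if r["event"] == "view_recording" and r["role"] not in RECORDING_ROLES:
            findings.append(("recording_access_outside_role", r["user"], r["resource"]))
    # Step 7: repeated failures are an early sign of unauthorized activity
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", user, f"{n} failures"))
    return findings

if __name__ == "__main__":
    for rule, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{rule:32} {user:12} {detail}")
```

Each finding is something the reviewer should document and follow up under the incident-handling procedures in Step 7, not an automatic conclusion that a breach occurred.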
Vendor Management Under HITECH
Your telehealth vendor is a business associate and must comply with HIPAA and HITECH requirements. Ensure that your BAA covers:
- Data encryption requirements.
- Breach notification timelines.
- Subcontractor compliance obligations.
Request regular security audit reports from the vendor to confirm ongoing compliance (45 CFR § 164.316(b)(1)–(2)).
Case Study: Insecure Telehealth Platform Leads to Breach
A small primary care practice began offering telehealth visits to meet growing patient demand but opted for a free, publicly available video conferencing tool without verifying its security capabilities. The platform lacked end-to-end encryption and, critically, there was no signed Business Associate Agreement (BAA) in place. During one telehealth session, a cybercriminal intercepted the video stream, capturing sensitive patient details, including the individual’s diagnosis, prescribed treatment plan, and follow-up instructions.
The breach was reported to the Office for Civil Rights (OCR), which launched an investigation. OCR determined that the practice had failed to perform a formal risk analysis before adopting the telehealth platform and had not implemented adequate technical safeguards. Furthermore, the absence of a BAA with the vendor constituted a direct violation of HIPAA’s requirements for handling protected health information (PHI).
As part of the settlement, the practice paid $75,000 in civil monetary penalties and was placed under a corrective action plan mandating the use of HIPAA-compliant telehealth tools, documented vendor vetting, and ongoing staff training on secure technology use.
Lesson Learned: Selecting telehealth tools should never be a rushed decision. From the start, ensure the platform is encrypted, HIPAA-compliant, and backed by a signed BAA to protect both patients and your practice.
Common Pitfalls to Avoid
Pitfall | Description
---|---
Using consumer-grade video apps | Lack of encryption and HIPAA compliance.
Allowing staff to use personal devices without controls | Risk of data leakage and device theft.
No vendor BAA | Leaves legal responsibility unclear.
Failing to train staff | Leads to accidental disclosures.
Not monitoring telehealth access logs | Misses early signs of unauthorized activity.
Telehealth Security Compliance Checklist
Task | Responsible Party | Timeline | Reference
---|---|---|---
Conduct telehealth risk analysis | HIPAA Officer / IT | Annually | 45 CFR § 164.308(a)(1)
Select HIPAA-compliant platform | HIPAA Officer | Before launch | 45 CFR § 164.308(b)
Implement MFA | IT / Vendor | At setup | 45 CFR § 164.312(d)
Encrypt data in transit and at rest | IT / Vendor | At setup and ongoing | 45 CFR § 164.312(e)
Secure staff devices | IT / Staff | Ongoing | 45 CFR § 164.310(d)
Train workforce on telehealth security | HIPAA Officer | Annually | 45 CFR § 164.530(b)
Monitor and log telehealth access | IT | Monthly review | 45 CFR § 164.312(b)
Maintain BAAs with vendors | HIPAA Officer / Legal | Annually | 45 CFR § 164.308(b)(3)
Concluding Recommendations and Next Steps
To secure telehealth under HITECH, small practices should adopt a proactive, layered approach that combines the right technology, vendor partnerships, staff training, and documentation. The following steps are essential for ongoing compliance:
- Conduct regular telehealth-specific risk analyses.
- Only use platforms that offer encryption, authentication, and a signed BAA.
- Secure all devices used for telehealth communications.
- Train staff on privacy, security, and breach reporting procedures.
- Maintain comprehensive documentation of all security measures and audits.
By integrating these practices into daily operations, small healthcare providers can deliver telehealth services that protect patient privacy, reduce breach risk, and fully comply with HITECH requirements, while building trust in their ability to provide safe, accessible care.
Strengthening compliance isn’t just about checking boxes. A compliance platform helps your practice stay ahead by tracking regulatory requirements, running proactive risk assessments, and keeping you audit-ready, proving to patients and regulators that you prioritize accountability.