
HIPAA and Telehealth in 2026: What Remote Providers Are Still Getting Wrong

The COVID-era HIPAA exemption for telehealth ended back in 2023, but a lot of providers are still operating like it’s in effect. Most of what OCR is actually finding isn’t exotic. It’s basic gaps that built up once nobody was paying close attention anymore.

Why Can’t You Still Use FaceTime or Regular Zoom for Sessions?

Because the cover that allowed it ended a long time ago. OCR’s Notification of Enforcement Discretion for Telehealth expired at 11:59 p.m. on May 11, 2023, with a 90-day transition period that ran out August 9, 2023. Every telehealth session since then is held to the full HIPAA Privacy, Security, and Breach Notification Rules, no exceptions for good-faith pandemic-era habits.

Consumer platforms like FaceTime, WhatsApp, Skype, and the free tiers of Zoom or Microsoft Teams don’t offer a Business Associate Agreement at all. But here’s the part that catches people out: even paying for a platform doesn’t automatically fix this. Standard Zoom Business or Pro doesn’t include BAA coverage either. Only the specific healthcare-tier product does. Having a paid plan isn’t the same thing as being on a compliant one.

Is Your Website Quietly Leaking PHI to Advertisers?

This is the one most practices haven’t thought about. OCR issued a bulletin in December 2022 warning that tracking tools like Meta Pixel and Google Analytics, embedded on scheduling pages or patient portals, can transmit protected health information to advertisers without anyone realizing it. In July 2023, OCR and the FTC jointly warned around 130 hospital systems and telehealth providers about exactly this.

One update worth knowing: a federal court vacated part of that guidance in 2024, narrowing what counts as protected information when it comes from an unauthenticated visitor to a public webpage. The legal picture is less settled than the original 2022 bulletin suggested. Still, if you haven’t checked what trackers sit on your scheduling or portal pages, that’s worth doing regardless of how the legal question eventually shakes out.

Is the New HIPAA Security Rule Already in Effect?

No, and this is a common point of confusion. OCR published a proposed update to the HIPAA Security Rule in the Federal Register on January 6, 2025, with the comment period closing that March. As of today, it still hasn’t been finalized. The agency’s own target for finalizing it was spring 2026, and that window has already passed without a final rule. More than 100 hospital and provider groups have asked HHS to withdraw the proposal entirely, citing cost.

That means provisions like mandatory multi-factor authentication and technology asset inventories aren’t enforceable requirements yet. They’re still just proposed. Don’t build your compliance program around them as if they’re law, but don’t assume they’re going away either.

What’s the Most Commonly Cited Violation, Telehealth or Not?

A missing or outdated risk analysis. It’s the single most frequently cited deficiency across OCR enforcement actions, telehealth or otherwise. The pattern with telehealth practices specifically: they added video platforms, messaging tools, or remote monitoring devices sometime after 2020 and never went back to update the risk analysis to reflect any of it.

What Should Remote Providers Do Right Now?

  1. Confirm every platform touching PHI (video, messaging, remote monitoring, recording storage) has a signed BAA and is actually on a tier that includes one.
  2. Audit your scheduling and patient portal pages for tracking pixels like Meta Pixel or Google Analytics, and remove or properly authorize anything you find.
  3. Update your risk analysis to cover every piece of telehealth technology you’ve added since it was last reviewed, not just what existed when it was first written.
  4. Track the HIPAA Security Rule proposal’s progress, but don’t treat its provisions as mandatory until a final rule actually publishes.
  5. Consult your compliance counsel.
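To make step 2 concrete, here is an added example (not from the original post) that scans a page's served HTML for the loader URLs and inline calls of Meta Pixel and Google Analytics. The two sample pages are constructed for the demo; the hostnames are the trackers' publicly documented loader domains.

```python
import re
from html.parser import HTMLParser

# Loader hostnames and inline globals of the trackers the post names.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com/tr": "Meta Pixel (noscript image)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
}
INLINE_CALLS = {
    r"\bfbq\s*\(": "Meta Pixel",
    r"\bgtag\s*\(": "Google Analytics (gtag)",
}

class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (tracker name, where it was found)
        self._in_inline_script = False
    def handle_starttag(self, tag, attrs):
        # External loaders: any script/img/iframe whose src hits a known host.
        src = dict(attrs).get("src") or ""
        for host, name in TRACKER_HOSTS.items():
            if host in src:
                self.findings.append((name, f"<{tag} src={src}>"))
        self._in_inline_script = tag == "script" and not src
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False
    def handle_data(self, data):
        # Inline snippets: the fbq()/gtag() calls that fire the beacons.
        if self._in_inline_script:
            for pattern, name in INLINE_CALLS.items():
                if re.search(pattern, data):
                    self.findings.append((name, "inline script"))

def find_trackers(html: str) -> list:
    """Return every tracker hit on one page; an empty list means none found."""
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample pages: a scheduling page carrying GA4 and Meta Pixel, and a clean one.
SCHEDULING_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js', new Date()); gtag('config', 'G-EXAMPLE');</script>
<script>fbq('init', '000000000'); fbq('track', 'PageView');</script>
</head><body><h1>Book a telehealth visit</h1>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000&ev=PageView"/></noscript>
</body></html>"""
CLEAN_PAGE = '<html><head><script src="/static/app.js"></script></head><body>Book a visit</body></html>'
```

Run it over the HTML actually served for each scheduling and portal page, not just the templates. Trackers injected at runtime by a tag manager will not show up in static HTML, so a browser network capture of the same pages is the complementary check.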

Source

HHS Office for Civil Rights, March 2024: Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates

This post is for educational purposes only and does not constitute legal or compliance advice. Consult a qualified attorney or compliance professional before acting on this information.
