Telehealth exploded across Federally Qualified Health Centers during the pandemic and has remained a permanent fixture of community health delivery. For patients who face transportation barriers, live in rural areas, or have work schedules incompatible with in-person appointments, virtual visits remove a real barrier to care.
For HIPAA compliance officers and IT leaders at FQHCs, telehealth introduced a new layer of complexity: every virtual visit generates ePHI transmitted across networks the health center does not control, on devices the health center may not manage, through platforms whose security posture varies considerably.
Getting telehealth security right is not optional. It is a HIPAA obligation, an HRSA program requirement, and increasingly a cyber insurance underwriting condition.
The HIPAA Requirements for Telehealth
The HIPAA Privacy and Security Rules apply to telehealth in the same way they apply to in-person care. The ePHI generated in a virtual visit — the video recording if retained, the clinical notes, the diagnosis, the prescription, and the patient's identifying information — is protected health information requiring the same safeguards as any other ePHI.
The 2026 HIPAA Security Rule update's mandatory requirements apply fully to telehealth:
Encryption: All telehealth video and audio transmissions must be encrypted in transit. This is a baseline requirement of any HIPAA-compliant telehealth platform, but the platform's encryption only covers the transmission itself, not the device endpoints on either side.
MFA: The clinician's account in the telehealth platform must require MFA. If your health center's physicians and nurses log into the telehealth portal without MFA, you are out of compliance with the 2026 update regardless of how secure the platform itself is.
Audit logging: The telehealth platform must maintain logs of session participants, duration, and access events. These logs must be retained per HIPAA's six-year requirement.
BAA: Your telehealth vendor must sign a Business Associate Agreement with your FQHC before any patient visits occur on the platform. This is non-negotiable.
Platform Selection: What Makes a Telehealth Platform HIPAA-Compliant
Not all telehealth platforms are equal from a HIPAA compliance perspective. When evaluating or reviewing your current platform, confirm:
BAA availability: The vendor must provide a signed BAA. Consumer video platforms such as Zoom's free tier, Google Meet without a Google Workspace subscription, or FaceTime do not offer BAAs and are not HIPAA-compliant for telehealth.
End-to-end encryption: Video and audio streams must be encrypted end-to-end, meaning the content cannot be decrypted by the platform provider in transit. Confirm this in the vendor's security documentation, not just their marketing materials.
No recording without consent: The platform should not record sessions by default. If recording is available, it must require explicit consent from the patient, and recordings must be encrypted at rest and access-controlled.
Access controls: Session links should not be publicly shareable. Waiting room features, password protection, and authenticated participant links prevent unauthorized access to virtual visits.
Data residency: Patient data and any session recordings should be stored in the United States, in facilities covered by the BAA.
HIPAA-compliant platforms used by FQHCs include Doxy.me, Zoom for Healthcare with a signed BAA, Teladoc Health, and EHR-integrated telehealth modules from eClinicalWorks, Greenway, and NextGen.
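As an added illustration (not code from the original page or from ShieldForce), the following Python checker walks constructed telehealth session records against the controls listed in the two sections above: MFA on the clinician's account, encryption in transit, recording only with documented consent, non-shareable session links, a signed BAA that predates every visit, and audit log retention that reaches back six years (or to the platform's go-live date, if that is more recent). The record field names, the sample sessions and the dates are assumptions made for this example.

```python
from datetime import date, timedelta
SIX_YEARS = timedelta(days=6 * 365)  # HIPAA six-year retention window, approximated in days
# Constructed sample session records (not real data) carrying the fields the page says
# the platform's audit log must retain: participants, duration and access events.
SESSIONS = [
    {"id": "s-001", "date": date(2026, 3, 2), "clinician_mfa": True, "encrypted": True,
     "participants": ["dr.a", "patient-1"], "duration_min": 22,
     "access_events": ["dr.a join", "patient-1 join", "patient-1 leave", "dr.a leave"],
     "recorded": False, "recording_consent": False, "public_link": False},
    {"id": "s-002", "date": date(2026, 3, 2), "clinician_mfa": False, "encrypted": True,
     "participants": ["dr.b", "patient-2"], "duration_min": 15,
     "access_events": ["dr.b join", "patient-2 join", "patient-2 leave", "dr.b leave"],
     "recorded": True, "recording_consent": False, "public_link": True},
    {"id": "s-003", "date": date(2025, 12, 1), "clinician_mfa": True, "encrypted": True,
     "participants": ["dr.a", "patient-3"], "duration_min": None, "access_events": [],
     "recorded": False, "recording_consent": False, "public_link": False},
]

def session_findings(s):
    """Findings for one visit against the mandatory controls described above."""
    findings = []
    if not s["clinician_mfa"]:
        findings.append("clinician signed in without MFA")
    if not s["encrypted"]:
        findings.append("audio/video not encrypted in transit")
    if s["recorded"] and not s["recording_consent"]:
        findings.append("recording made without documented patient consent")
    if s["public_link"]:
        findings.append("session link is publicly shareable")
    if not s["participants"] or s["duration_min"] is None or not s["access_events"]:
        findings.append("audit record incomplete")
    return findings

def retention_gap(oldest_log_on, go_live_on, today):
    """True when retained logs do not reach back six years (or to go-live, if later)."""
    return oldest_log_on > max(go_live_on, today - SIX_YEARS)

def audit(sessions, baa_signed_on, oldest_log_on, go_live_on, today):
    """Platform-level findings under 'platform', per-visit findings under the visit id."""
    platform = []
    if baa_signed_on is None:
        platform.append("no signed BAA on file")
    elif any(s["date"] < baa_signed_on for s in sessions):
        platform.append("visits were held before the BAA was signed")
    if retention_gap(oldest_log_on, go_live_on, today):
        platform.append("audit log retention does not cover the required window")
    report = {s["id"]: session_findings(s) for s in sessions}
    report["platform"] = platform
    return {k: v for k, v in report.items() if v}  # keep only entries with findings
```

Running `audit(SESSIONS, date(2026, 1, 1), date(2026, 1, 1), date(2025, 11, 1), date(2026, 3, 15))` flags the unauthenticated, recorded, publicly linked visit s-002, the incomplete audit record s-003, the visit held before the BAA date, and the retention gap, while the compliant visit s-001 produces no entry.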
Device Security for Telehealth
The telehealth platform's security covers the transmission and the platform infrastructure. The devices on both ends — the clinician's laptop and the patient's smartphone — are outside the platform's security boundary.
Clinician device security: Every device used by health center staff to conduct telehealth visits must meet the same security standards as any device accessing ePHI: encryption at rest, MDM enrollment, EDR deployment, and current OS and application versions. A physician conducting telehealth from a personal laptop on home WiFi, without MDM or encryption, is a compliance exposure regardless of the platform's security.
Patient device considerations: HIPAA does not require you to secure your patient's device — that is beyond the scope of the covered entity's obligations. But your patient-facing telehealth materials should include basic guidance: use a private location, avoid public WiFi for sensitive visits, and use a personal rather than shared workplace device when possible.
Network security for clinical staff: Clinicians conducting telehealth from home or satellite sites should use VPN or zero trust network access to ensure the connection to the telehealth platform is protected end-to-end. Home WiFi networks used by clinical staff are not controlled environments.
Telehealth-Specific Privacy Considerations for FQHCs
Community health centers serve populations with unique privacy sensitivities: undocumented patients, patients receiving substance use disorder treatment protected by 42 CFR Part 2, patients in domestic violence situations, and patients with stigmatized conditions.
For these patients, the location privacy of a telehealth visit matters as much as the data security. Train clinical staff to:
- Ask patients at the start of every virtual visit whether they are in a private location and can speak freely
- Have a protocol for when a patient signals that they cannot speak openly, such as a code word or a yes/no question structure
- Never conduct telehealth visits on behalf of a patient without the patient's knowledge and consent
- Be alert to signs that a patient may be observed by an abusive partner or family member
These are clinical and ethical obligations that sit alongside, and sometimes exceed, the technical HIPAA requirements.
Telehealth Incident Response
If a telehealth session is accessed by an unauthorized party — through a compromised session link, a platform breach, or an unauthorized recording — the incident must be assessed under HIPAA's breach notification framework.
The key questions: Was ePHI disclosed to the unauthorized party? What was the likelihood of harm to the patient? These questions must be documented and assessed by the HIPAA Security Officer.
Your incident response plan should include a telehealth-specific scenario: what to do if a session link is shared without authorization, if a recording is accessed by an unauthorized party, or if the telehealth platform reports a security incident.
Secure telehealth at your FQHC — including platform assessment, device management, and BAA review.
ShieldForce delivers HIPAA-compliant telehealth security for community health centers as part of our managed security program.
Get a free HIPAA assessment that covers your telehealth security posture.