Telehealth became a standard component of home health care delivery during the pandemic and has remained so. Home health agencies now conduct video check-ins with patients between in-person visits, use remote patient monitoring devices to track vitals, and communicate care updates through digital messaging platforms.
Each of these activities involves electronic protected health information. And each creates specific HIPAA security obligations that many home health agencies have not fully addressed.
The 2026 HIPAA Security Rule update, which makes encryption and multi-factor authentication (MFA) required rather than addressable, applies directly to telehealth activities. This guide explains where the HIPAA obligations fall in home health telehealth, what the common compliance gaps are, and how to build a compliant telehealth security program.
The Three Components of Home Health Telehealth — and Their HIPAA Implications
Component 1: Video Visits
Video visits between home health nurses or case managers and patients are the most common form of telehealth in home health care. The HIPAA implications depend entirely on the platform.
HIPAA-compliant platforms: Platforms that will sign a Business Associate Agreement and encrypt the video session in transit, such as Zoom for Healthcare, Microsoft Teams configured for HIPAA, Doxy.me, and Telehealth.HQ, are appropriate for home health telehealth. A signed BAA is the starting point, not the finish line: the agency still has to configure the tenant (session encryption, access controls, audit logging, recording settings) the way the vendor's HIPAA guidance specifies.
Consumer platforms: FaceTime, consumer Zoom accounts (no BAA), WhatsApp, and similar consumer video applications are not offered under a BAA. Some of them do encrypt calls end to end, but that does not solve the problem: without a BAA the agency has no contractual assurance over logging, retention, account recovery, or breach notification. The enforcement discretion OCR extended to these apps during the COVID-19 public health emergency ended in 2023, so using them for patient video visits is a HIPAA violation regardless of how convenient they are for staff and patients.
The compliance gap at most home health agencies: nurses use FaceTime or WhatsApp for quick video check-ins because it is faster than logging into the agency's telehealth platform. The agency policy says to use the approved platform. The actual practice does not match the policy.
The fix: Deploy a telehealth platform that is as frictionless as FaceTime. If using the compliant platform is harder than using FaceTime, staff will use FaceTime. Train staff specifically on why the approved platform is required and make it the path of least resistance.
Component 2: Remote Patient Monitoring (RPM) Devices
Blood pressure cuffs, pulse oximeters, glucose monitors, and weight scales that transmit readings wirelessly to the agency's care platform generate ePHI with every reading. The data flowing from the device to the care platform (including any hop through a phone app or hub) and from the care platform to the nurse reviewing the readings must be:
- Transmitted with encryption (TLS 1.2 or higher)
- Stored with encryption at rest
- Accessible only to authorized clinical staff
- Included in your HIPAA risk analysis
The compliance gap: many RPM devices route readings through a consumer app (Apple Health, Google Fit) before they reach the agency's platform. A patient's own use of a consumer health app is the patient's choice and is not governed by HIPAA, but when the agency's workflow depends on that intermediate stop, the vendor that owns it is handling the agency's ePHI and may be doing so without a BAA and without meeting HIPAA encryption standards.
The fix: Verify with your RPM vendor, in writing, that the full data flow from device to care platform is encrypted and covered by a BAA, including any subcontractor that stores or relays readings. If the vendor cannot provide a BAA covering the full data flow, the RPM solution is not HIPAA-compliant.
Component 3: Patient Messaging and Digital Communication
Agencies that message patients or families through digital platforms — appointment reminders, care updates, medication reminders — must use HIPAA-compliant messaging tools if those messages contain ePHI.
The compliance gap: patient communication often happens via personal text messages from nurses' personal phones ("Your nurse will be there at 2pm, she's running 15 minutes late"). SMS is not encrypted end to end, passes through carriers that are not under a BAA, sits in a handset the agency does not control, and may contain ePHI if it references care details. A patient may still ask to be texted; HIPAA allows that if the patient has been told of the risk and the request is documented, but that is an exception the agency records, not a default for staff to fall into.
The fix: Deploy a HIPAA-compliant patient communication platform with a BAA. Several platforms (Klara, OhMD, TigerConnect) provide secure messaging designed for home healthcare workflows.
The Telehealth-Specific HIPAA Documentation Your Agency Needs
Beyond the general HIPAA Security Rule requirements, a telehealth-active home health agency needs specific documentation:
Telehealth-specific BAAs: Separate BAAs or BAA amendments with your video platform vendor, RPM device vendor, and patient communication platform vendor.
Telehealth use policy: Written policy covering which platforms are approved for patient communication, what staff may and may not use personal devices for, and what constitutes a telehealth encounter requiring documentation.
Telehealth risk analysis addendum: Your HIPAA risk analysis must specifically cover the ePHI flows through telehealth — video visit recordings (if any), RPM data transmission, and patient messaging. These are distinct from the risk analysis of your EHR and email systems.
Staff training on telehealth compliance: Nurses, aides, and case managers must understand specifically that consumer video apps are not permissible for patient visits and why personal text messaging of care information creates HIPAA exposure.
The 2026 HIPAA Security Rule and Telehealth
The 2026 HIPAA update's mandatory encryption requirement has a direct telehealth application: any ePHI transmitted via telehealth must be encrypted. This means:
- Video visit platforms must encrypt the video and audio stream itself, not just the login
- RPM data transmissions must use TLS 1.2 or higher on every hop, and the endpoint must refuse anything older
- Patient messaging must be encrypted in transit and wherever the platform stores it; SMS does not meet this bar
- Any recordings of telehealth sessions must be encrypted at rest
If your telehealth platform cannot confirm it meets these standards in writing, it is not a compliant platform for 2026 onwards.
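The vendor's written confirmation is the record you keep, but the "TLS 1.2 or higher" requirement in the RPM section above and in the list just above is also something you can check yourself against the vendor's API endpoint. The script below is an added example, not part of this guide's vendor guidance or any vendor's tooling: it attempts a handshake pinned to each TLS version in turn and reports which ones the server will negotiate. The host name is a placeholder for your vendor's endpoint. Certificate verification is switched off only in the probe, because the question being asked is what the server negotiates; the `hardened_client_context` function shows the verifying, TLS-1.2-minimum configuration an agency-side integration should actually use.

```python
"""Probe which TLS protocol versions a telehealth / RPM endpoint will negotiate.

Added example for this guide; not vendor code. The target host below is an
assumption and must be replaced with the real vendor API host.
"""
import socket
import ssl
from typing import Dict, Optional

LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
MODERN = (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def hardened_client_context() -> ssl.SSLContext:
    """Context an agency-side integration should use when calling a vendor API:
    certificate verification and hostname checking on, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_tls_version(host: str, port: int, version: ssl.TLSVersion,
                      timeout: float = 5.0) -> Optional[str]:
    """Attempt a handshake pinned to exactly `version`.

    Returns the negotiated protocol string (e.g. 'TLSv1.2') on success, or None
    when the server refused the handshake, the host was unreachable, or the local
    OpenSSL build cannot speak that version at all. Verification is off because
    we are measuring what the server negotiates, not whether its certificate
    chains to a trusted root.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None  # local OpenSSL refuses this version; result is "not tested"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def survey(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Optional[str]]:
    """Run one pinned probe per TLS version and return {version_name: negotiated}."""
    return {v.name: probe_tls_version(host, port, v, timeout) for v in LEGACY + MODERN}


def assess(results: Dict[str, Optional[str]]) -> str:
    """Reduce a survey to a verdict against the 'TLS 1.2 or higher' requirement.

    A legacy handshake that succeeds is a hard fail. If no modern handshake
    succeeded either, the endpoint may simply have been unreachable, so the
    verdict says so instead of reporting a false pass.
    """
    legacy_ok = [v.name for v in LEGACY if results.get(v.name)]
    modern_ok = [v.name for v in MODERN if results.get(v.name)]
    if legacy_ok:
        return "FAIL: server still negotiates " + ", ".join(legacy_ok)
    if not modern_ok:
        return "UNREACHABLE: no TLS 1.2/1.3 handshake succeeded; check connectivity before drawing conclusions"
    return "PASS: only " + ", ".join(modern_ok) + " negotiated"


if __name__ == "__main__":
    import sys
    # Assumed placeholder; pass the vendor's real API host as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "rpm-api.example.invalid"
    res = survey(target)
    for name, negotiated in res.items():
        print(f"{name:8s} -> {negotiated or 'refused / unavailable'}")
    print(assess(res))
```

Run it as `python probe_tls.py rpm-api.vendor.example` and keep the output with the vendor's written attestation. A FAIL means the endpoint still accepts TLS 1.0 or 1.1 and the vendor's confirmation is wrong; an UNREACHABLE verdict means nothing was proven either way, so do not record it as a pass.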
Make your home health telehealth program fully HIPAA-compliant. ShieldForce assesses your telehealth security posture and deploys the controls and documentation required for 2026 compliance.
Explore Home Healthcare Cybersecurity →
Start with a free HIPAA assessment that specifically covers your telehealth activities.