Healthcare professionals need HIPAA-compliant web conferencing software to provide secure telehealth appointments, integrate with remote patient monitoring devices, and collaborate with other care team members.

As conversations around privacy and security persist in both SaaS and healthcare spaces, many still struggle to understand what to look for in HIPAA-compliant video conferencing tools.

Medical professionals must understand the difference between public-facing and private web conferencing tools to ensure their video conferencing software is truly HIPAA-compliant.

Here, we outline HIPAA compliance standards within video conferencing, best practices, and top providers.

 

What is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a 1996 federal law implemented by the US Department of Health and Human Services that standardizes the ways in which covered entities and business associates share, use, and store protected health information (PHI).

PHI is defined as individually identifiable health information and includes:

  • Past/present medical records
  • Physical and mental health diagnoses
  • Demographic data (name, address, social security number, phone/fax numbers, email address, etc.)
  • Health and insurance plan information
  • Biometric data

HIPAA was established to:

  • Give patients some control over who can access their protected health information and why
  • Establish the legal, technical, physical, and organizational requirements covered entities must adhere to when dealing with electronic protected health information (e-PHI)
  • Allow covered entities to disclose PHI only when developing/coordinating the individual’s treatment plan, collecting payment, and/or managing basic provider operations

“Covered entities” are individuals, organizations, and institutions that electronically transmit health information in connection with standardized HHS transactions like insurance claims/coverage and healthcare billing/payments. Covered entities include healthcare providers, insurers offering healthcare plans, and healthcare clearinghouses. There are some exceptions to HIPAA requirements relating to specific definitions of covered entities.

“Business Associates” are not necessarily healthcare professionals/healthcare staff, but are entities or individuals that perform tasks/services requiring access to PHI. BAs can be IT professionals, legal/consulting service providers, administrators, data transmission service providers, and more.

 

HIPAA Compliance Requirements for Video Conferencing 

HIPAA regulations require compliance with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. All covered entities, including healthcare providers offering telehealth services via video conferencing platforms, must meet HIPAA standards and follow HIPAA rules and compliance requirements.

 

The HIPAA Privacy Rule

The HIPAA Privacy Rule outlines legal disclosure and confidentiality requirements for written, oral, and electronic PHI. It focuses on maintaining patient privacy and allowing the patient to control how their PHI is used and shared. It advocates for the “minimum necessary rule,” which states that covered entities/business associates should disclose the least possible amount of PHI required to complete an action.

It also requires covered entities and BAs to:

  • Give patients a Notice of Privacy Practices (NPP) that outlines an individual’s right to privacy and how PHI is used/disclosed
  • Provide individuals with written/electronic copies of their health records
  • Obtain consent to disclose PHI
  • Allow individuals to make corrections to their PHI
  • Allow individuals the right to restrict certain PHI data
  • Provide individuals with an accounting of disclosures outlining the name, date, description, and purpose of external PHI disclosure
  • Keep PHI and other patient records physically and technically secure
  • Create and maintain workplace rules for maintaining PHI/patient confidentiality, and appoint a person to manage and monitor the implementation of these rules in the workplace

 

The HIPAA Security Rule

Specific to electronic protected health information (e-PHI), the HIPAA Security Rule outlines physical, technical, and administrative security standards/practices covered entities must have in place to prevent unauthorized access/disclosure of e-PHI. Because the Security Rule deals exclusively with digital/electronic health data, it is especially relevant to HIPAA-compliant video conferencing.

The HIPAA Security Rule requires covered entities and BAs to put the following physical, technical, and administrative security practices and safeguards in place:

Administrative Safeguards: 

  • Conduct risk analysis and apply risk management strategies to protect e-PHI
  • Create an emergency plan to respond to and restore leaked/lost data
  • Develop access management strategies to limit who has access to e-PHI data
  • Train staff to create/maintain uniform e-PHI security standards

Physical Safeguards: 

  • Use physical locks, alarms, privacy screens, and more to prevent unauthorized data access and hardware theft
  • Limit physical access to buildings housing e-PHI data and relevant servers (security guards, ID, locks, etc.)
  • Develop an employee acceptable use policy/code of conduct to control workstation access and activities

Technical Safeguards: 

  • Ensure any equipment/software storing e-PHI data has access and integrity controls, auditing and activity monitoring, and secure data transmission

 

The HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule requires all covered entities to notify affected individuals, the Secretary of HHS, and (in some cases) the media in the event of a data breach.

A HIPAA data breach is defined as the impermissible use or disclosure of unsecured PHI.

 

Best Practices for HIPAA-Compliant Video Conferencing

All covered entities, including healthcare providers offering telehealth services via video conferencing platforms, must follow HIPAA compliance requirements.

Many video calling platforms come with built-in HIPAA compliance, though often only on higher-tiered plans. However, video chat apps like FaceTime and Skype do not meet HIPAA standards. Even if the software is HIPAA-compliant, the covered entity will still be held responsible for any breaches–so follow these additional best practices:

  • Business Associate Agreement (BAA): Only work with webinar and video conferencing tools offering a BAA (Business Associate Agreement) in addition to standard HIPAA compliance. A BAA is a legal contract that defines how the video conferencing platform–and any third-party vendors it works with–protects PHI to maintain HIPAA compliance. BAAs establish the liabilities and consequences the web conferencing provider will face if HIPAA compliance is breached, as well as the protocols the provider must follow to properly alert healthcare providers and patients.
  • Peer-to-Peer Connection: Peer-to-peer routing establishes a direct connection between your device and your client’s, avoiding transmitting data through an additional server that may not provide secure data transmission. Look for providers offering peer-to-peer connection verification for audio and video–especially if employees use personal devices with custom configuration settings.
  • End-to-End Encryption: End-to-end encryption (E2EE) encrypts data in transit and at rest, preventing hackers from intercepting audio and video data exchanged during a video conference. E2EE essentially “scrambles” this data, rendering it unreadable to anyone without an enrolled device encryption key. SSL/TLS by itself encrypts only the connection between each device and the provider's servers, so a platform that advertises SSL/TLS is not necessarily offering E2EE. Not all web conferencing software offers E2EE for both audio and video calls, so confirm with your provider.
  • Access Control and User Authentication: A quality telehealth video conferencing app includes extensive access control and user authentication features like multi-factor authentication, user verification via biometric data, and password-protected video calling. Many providers send out real-time desktop and mobile device alerts for suspicious or unfamiliar login attempts.
  • Audit Logging and Activity Monitoring: Choose a video conferencing solution offering 24/7/365 activity and network monitoring, which gives covered entities a complete record of all user logins/attempted logins, network activity, data access, session timestamps, and logouts. Having a detailed audit trail is especially essential in the event of an audit or data breach.
  • Secure Network Access: Instruct employees and patients to use a secure, password-protected Internet connection when attending telehealth appointments–never public WiFi.
  • Patient Consent Workflows: Many telehealth providers allow users to create customized patient consent workflows that automate the process of obtaining a patient's verbal or digital consent.
  • Mobile and BYOD Policies: Allowing team members to use their own mobile devices is both cost-effective and convenient, but it comes with some security risks. Make sure that your chosen platform has a secure mobile app that employees can access from any device, wherever they are, without risking sensitive data.
  • Disaster Recovery: Make sure that you choose a provider with disaster recovery and safeguards in place to ensure that you can access data in the event of an outage. Some things to look for are global points of presence (POPs), redundancy, guaranteed uptime, etc.

 

Top HIPAA-Compliant Video Conferencing Software

Zoom for Healthcare
  • Pricing: Quote based
  • Key Features: Automated transcription; AI Meeting notes and summaries; End-to-end encryption
  • Top Healthcare Integrations: CarePatron; Epic; Practice Better

SimplePractice
  • Pricing: $49-$99/user/mo.
  • Key Features: AI powered note taker; Billing and payments; Insurance
  • Top Healthcare Integrations: Smartlink; ePrescribe; Stripe

RingCentral for HealthCare
  • Pricing: $20-$35/user/mo.
  • Key Features: Enriched portals; Team messaging; Omnichannel support
  • Top Healthcare Integrations: Epic; Cerner; Allscripts

doxy.me
  • Pricing: $29-$42/user/mo.
  • Key Features: Virtual waiting room with notifications; Patient queue; Teleconsent
  • Top Healthcare Integrations: Adhere.ly; Dokbot; Luminello

GoTo Meeting for Healthcare
  • Pricing: Quote based
  • Key Features: Call transfers; Multi-channel communication; 99.999% uptime
  • Top Healthcare Integrations: EMR integrations; Curve Dental; Microsoft Teams

VSee
  • Pricing: $29-$49/user/mo.
  • Key Features: Waiting room management; SSO, MFA; Custom intake
  • Top Healthcare Integrations: APIs and SDKs for telehealth

 

Zoom for Healthcare

Zoom for Healthcare is a cloud-based HIPAA, HITECH, and PIPEDA-compliant web conferencing platform with in-meeting whiteboarding, chat, screen and file sharing, and real-time captioning. Medical professionals can opt to add a VoIP phone system to streamline business communications to one platform. Pricing is quote-based.

 

Key Features: 

  • Medical device integration for remote patient monitoring (integrates with exam cameras, digital stethoscopes, electronic health records (EHR), etc.)
  • Zoom Rooms hardware (Kiosk Mode for patient check-ins, digital signage for in-room alerts)
  • In-meeting access to third-party integrations
  • Local on-demand/automatic video call recording and transcription, recordings can be shared with other clinicians
  • Integrations with healthcare software/apps like Epix, Medicare PRO, TherapyAppointment, IntakeQ
  • AI Companion with automated clinical note taking in multiple specialties with templates

 

Zoom Pros

  • Dozens of EHR and medical device integrations available
  • Intuitive platform is easy to set up and use with lots of features
  • All plans include basic AI driven features such as expanded web knowledge

Zoom Cons

  • Lack of transparency in pricing
  • Healthcare-specific AI tools like tailored lexicon and automated clinical notes are paid add-ons
  • Voice services are not as reliable as other competitors

 

Best For

  • Medium-sized healthcare practices: Zoom for Healthcare is best for practices needing a BAA, scalability, and a familiar interface
  • Telehealth teams: The integration with Zoom Rooms hardware blends telehealth services between patients and in-house/remote care teams

 

SimplePractice

SimplePractice is a practice management software and EHR solution offering HIPAA-compliant telehealth sessions alongside appointment management, insurance claims filing assistance, a client communication portal, and billing assistance. All SimplePractice plans include unlimited clients, progress notes, telehealth, online payment capabilities and access to live support. The platform is quick and easy to set up and built specifically for medical practices.

 

Pricing

SimplePractice offers both solo and group practice plans, ranging from $49-$99 per month. Add-ons include AI-powered note taking and ePrescribe for an extra $49 per month plus a one-time $89 setup fee. SimplePractice also offers a 7- or 30-day free trial.

 

Key Features 

  • Desktop/mobile client portal functionality for appointment scheduling, bill payment, form completion, secure chat messaging, and notifications
  • Pre-built templates for consultation intake forms, patient information collection, treatment plans, client assessments, note-taking, etc.
  • Instant video calls via link sharing, in-call features like whiteboarding, chat, recording, telehealth timer to track elapsed session time and enforce time limits
  • Meeting waiting rooms, HIPAA/HITRUST certification, E2EE, 24/7 network monitoring, penetration testing
  • Digital whiteboard with drawing tools, screen sharing, etc.

 

SimplePractice Pros

  • Platform is specifically tailored to the medical industry with appropriate templates, treatment plans, etc.
  • Includes many tools to grow your practice such as waitlist manager, contact form widget, etc.
  • Allows users to create a custom library of frequently used phrases for progress notes and custom treatment plans

SimplePractice Cons

  • Does not include voice communication services
  • Telehealth is limited to one-on-one unless you have the Plus plan (starts at $99/month)
  • Reporting and analytics features are limited, with only a few options for customizing the analytics dashboard

 

Best For

  • Enterprises and established healthcare professionals: SimplePractice is best for companies needing complete EHR software with advanced video calling features like high-quality screen sharing and co-annotation for in-session patient engagement
  • Growing practices: SimplePractice is a great solution for healthcare offices that are expanding and need to keep medical records and client information both safe and organized as they do so

 

RingCentral for HealthCare

RingCentral for Healthcare is a user-friendly HIPAA-compliant cloud UCaaS platform offering telehealth video calling with in-session chat, live meeting transcriptions, breakout rooms, screen/file sharing, and delegate scheduling for easier appointment management.

RingCentral users create enhanced patient portals for appointment adherence and tailored care. Plans include built-in AI-powered cloud calling and team messaging with dozens of customizations and advanced features.

 

Pricing

RingCentral business phone system plans range from $20-$35 per user, per month and contact center plans start at $65 per month. Telehealth and video conferencing are included on all plans. Add-ons include Live reports, AI Receptionist, additional vanity numbers, etc.

For more information, please see our RingCentral pricing guide.

 

Key Features

  • File sharing and co-annotation (ideal for updating patient charts, enabling care team coordination and in-appointment collaborative note-taking)
  • Compliance exports activity log
  • AI noise cancellation, virtual background, HD video call quality
  • Omnichannel appointment scheduling via phone, website chat, etc., with automated appointment reminders and customizable follow-ups
  • 24/7 customer support, 99.999% SLA, SOC 3, and HITRUST certification, end-to-end encryption for video and messaging

 

RingCentral Pros

  • End-to-end encryption on both calls and video meetings
  • Many advanced video features such as closed captions, noise cancellation, breakout rooms, etc.
  • All in one solution with business calling features, team messaging, video, and AI-driven coaching and assistance

RingCentral Cons

  • Complex interface with lots of customizations and a steep learning curve
  • Expensive compared to competitors, especially if contact center features are needed
  • Storage is limited on some plans

 

Best For

  • Mobile teams: RingCentral has a robust and secure mobile app with in-call flip ideal for health professionals and patients on the go
  • Large hospitals and enterprises: RingCentral offers a high level of security along with advanced AI analytics providing greater insight into the patient experience

 

doxy.me

doxy.me is a browser-based, HIPAA-compliant telehealth solution offering advanced real-time patient management, teleconsent, SMS text and email patient/provider notifications, file sharing, whiteboarding, and real-time interpreters.

doxy.me users can create a completely custom and branded telehealth interface for patients to use on their laptop or mobile device. An appointment screen includes patient information, communication, and controls to keep everything organized.

 

Pricing

doxy.me has one free plan and 3 paid plans from $29-$42/provider/month and up. doxy.me also offers discounts to students, non-profits, and researchers at accredited institutions.

 

Key Features

  • HIPAA/GDPR/PHIPA/PIPEDA compliance, custom BAA, E2EE, SOC 2 compliance, breach insurance, custom security review, virtual waiting room, meeting passcode
  • Shared room and shared room access for coordination between medical care teams and family members, etc.
  • Transfer Patient feature lets users digitally transfer patients between waiting rooms and assign patients to specific providers
  • Patient Queue lets users see which patients have checked in, where patients are in the check-in process, who is in the secure video chat waiting room, etc.
  • Custom branding, custom waiting room with video/text/pictures, dedicated landing page for telemedicine appointments

 

doxy.me Pros

  • Reliable and high quality video with affordable plans and a free version
  • Customizable waiting room and a branded interface for patients and users
  • Mobile app is easy to use for patients, invites can be sent via text or email

doxy.me Cons

  • Unlimited calling is included but advanced VoIP features like IVR are not
  • Free version is limited and does not include features like group calls, screen sharing, etc.

 

Best For

  • Solo practitioners and small practices: doxy.me's free version is a great choice for small practices that need a basic telehealth solution
  • Practices that need workflow automation: doxy.me allows users to automate routine tasks like payment and appointment reminders and data/form collection

 

GoTo for Healthcare

GoTo Meeting is a HIPAA-compliant web conferencing solution with unlimited meetings, chat messaging, personal custom meeting room links, and screen sharing/co-annotation. It can be used as a standalone tool or as a part of the larger GoTo business communications system.

GoTo Connect combines secure telehealth features with multi-channel communication including voice, SMS, and more. AI-driven features include topic tracking, automated summaries, sentiment analysis, and AI assistance. Pricing is quote based.

 

Key Features 

  • AES 256-bit encryption, signed BAA, risk-based authentication, one-time passwords, meeting locks, disable meeting recordings, 24/7 customer support, SSO
  • API integrations with third-party apps like Epic, Curve Dental, MacPractice, Calendly, Slack, Microsoft Teams, etc.
  • Smart Assistant for automated in-meeting note-taking
  • Meeting recording/transcription
  • Commuter Mode for on-the-go telehealth with color-coded, distraction-free buttons, reduced bandwidth usage, and data savings

 

GoTo Pros

  • Packed with advanced features such as sentiment analysis, AI assistance, automated summaries, closed captioning, etc.
  • High level of security with 99.999% uptime guarantee, single sign-on, etc.
  • Unlimited calling to 50 countries included in all plans

GoTo Cons

  • Lack of transparency in pricing: all plans are quote based, making budgeting difficult
  • Large number of features and customizations that may be overkill for smaller practices
  • Steep learning curve and contacting customer support is difficult

 

Best For

  • Medium-sized medical practices: GoTo Meeting for Healthcare is best for healthcare organizations that need a user-friendly all-in-one communication and HIPAA-compliant video conferencing solution
  • Hybrid practices: GoTo Connect includes a centralized hub for team collaboration, updates, discussions, etc. making it a great platform for practices with remote and in-house team members

 

VSee

VSee is a patient-focused HIPAA and Business Associate Agreement-certified video communications and practice management platform.

VSee’s Everyday Health feature directly engages patients outside of a single telemedicine appointment by allowing providers to both set and monitor patient wellness goals. It integrates with devices like Fitbit, blood pressure monitors, wireless scales, and more. Through the VSee mobile app, patients can also send photographs to their healthcare provider, create and share mood charts, and even upload food diaries.

 

Pricing

VSee offers 1 free plan and 3 paid plans from $29-$49 monthly, per provider and up. VSee users can add on e-Prescription EPCs to the Premium or Enterprise plan. There is a $200 one-time setup fee for the Premium plan.

 

Key Features

  • Waiting room for scheduled patient video calls and virtual walk-in patients with wait time monitoring, live chat support, and waiting room entertainment
  • PTZ camera control with peripheral streaming for remote examinations (shows ultrasound, EKG, and otoscope images alongside patient video stream)
  • Electronic prescriptions and virtual custom intake forms
  • Live annotation and screen sharing for lab test result sharing, CT scans, patient photographs, etc.
  • Patient self-scheduling and post-visit patient surveys
  • Auto-confirmations via SMS and email
  • VSee compatible medical equipment

 

VSee Pros

  • Free plan that includes unlimited 1-1 HIPAA compliant video chat
  • Tailored intake with up to 10 customizable fields
  • Custom domain and patient portal capabilities

VSee Cons

  • SMS text messages have limited sends per day
  • SSO and MFA only available with the quote-based Enterprise plans
  • No native voice or team collaboration features

 

Best For

  • Walk-in clinics: VSee is best for walk-in clinics that are looking for a Zoom alternative for telemedicine
  • Therapy offices: VSee offers a lot of features that are helpful for therapists such as custom EMR notes, central scheduling, and virtual intake

 

How to Choose HIPAA-Compliant Video Conferencing Software

Selecting a video conferencing provider can seem like a daunting process as there are many options out there. With a little research, you can find a platform that will work for your practice and fit in your budget. Here is a mini step-by-step guide to choosing a HIPAA-compliant video meeting platform for telehealth.

 

Step 1: Determine What Features You Need 

You will first want to think through what features you need to be included in your software. Do you need appointment scheduling capabilities? Voice services? Task assignment? Workflow automations? You will also want to think through what video features you need for telehealth sessions such as waiting room notifications, closed captions, multiple participants, screen sharing, etc. This will help you determine which platforms will fit your needs and which pricing plan you will need to purchase.

 

Step 2: Research Customer Support Options

Even with reputable platforms, there is always a good chance that you will run into issues and need support, especially in the beginning. Before choosing a provider, be sure to research customer support hours as well as channels, and whether they offer premium support options or onboarding assistance. It is also helpful to read customer reviews and find out how responsive and effective customer support is.

 

Step 3: Think Through Apps Your Practice Already Uses

Take an inventory of the apps that your practice already uses, such as VoIP, task management, productivity tools, collaboration, etc., and make sure that your new provider can either integrate with those apps or completely replace them.

 

Step 4: Narrow Down Options And Pick A Winner

Once you know what features, support and integrations you need, you should be able to narrow down your options to two or maybe three providers that fit within your budget. At this point you can request a demo or free trial from each of those providers and see what works best for you and your team.

 

FAQs

Below, we've answered top FAQs about HIPAA-compliant video conferencing software.