SideGuy · Healthcare compliance · reviewed 2026-06-09
A telehealth platform touches PHI from the first video call, so HIPAA applies from day one. The recurring trap isn't the obvious stuff — it's the BAAs you forgot and the transmission-security details. Here's the operator reality.
Every vendor that could touch PHI needs a signed Business Associate Agreement: your video infrastructure, EHR/EMR integration, cloud host, SMS/notification provider, analytics, transcription, and any AI scribe. The classic failure is shipping with a consumer video tool that won't sign a BAA. If a vendor in the PHI path won't sign one, you can't use them for PHI.
Common pitfalls: consumer-grade tools without BAAs; PHI leaking into support tickets, chat logs, or analytics; recordings stored without encryption or retention rules; and missing breach-notification procedures. The Privacy Rule (minimum necessary, patient rights) is also easy to under-build when teams focus only on the technical Security Rule.
Yes. The moment you handle PHI (which a telehealth visit does), you're a covered entity or business associate and HIPAA applies. There's no grace period for early-stage companies.
Only if it will sign a BAA and meet the Security Rule. Most consumer tools won't sign a BAA, which rules them out for PHI. Use a vendor built for healthcare that will sign one.
Every business associate that could access PHI: video infrastructure, EHR, cloud host, notification/SMS, analytics, transcription, and AI scribes. If a vendor in the PHI path won't sign a BAA, you can't use them for PHI.
Yes — it evidences most of the Security Rule for enterprise/partner buyers in one artifact, while you handle the HIPAA-only pieces (BAAs, Privacy Rule, breach notification) separately.
Written by PJ Zonis · SideGuy Solutions · operator-honest, vendor-neutral · Compliance hub