HIPAA Guidelines on Telemedicine - Updated for 2025

Telemedicine has been a factor in the provision of healthcare since the invention of the telephone. As video and digital technologies evolved throughout the twentieth century, healthcare providers adopted the technologies to improve the quality of remote care – not only by replacing physical visits with virtual ones, but also by facilitating faster collaboration between healthcare units. Historically, the adoption of physician-to-patient telemedicine accelerated following the passage of the Affordable Care Act and the subsequent Hospital Readmissions Reduction Program introduced by the Centers for Medicare and Medicaid Services (CMS).

Healthcare providers found that, by monitoring patients’ health remotely, hospital readmissions dropped significantly – generating massive savings. As health plans and the CMS identified the financial benefits of telemedicine, the number of covered remote services – and who they were available to – increased substantially. Consequently, Congress authorized more allowable uses of telehealth under the Social Security Act ( §1834(m)), and Fee For Service (FFS) Medicare telehealth was expanded to cover all counties outside metropolitan areas.

Core Requirements and Compliance Standards

The HIPAA guidelines on telemedicine start with preparing for the remote delivery of healthcare by auditing procedures, analyzing risks, training healthcare professionals, and entering into Business Associate Agreements with the vendors of communication services. Thereafter, procedures must be developed for verifying patient identities and obtaining consent where necessary, and for securing PHI collected or disclosed in patient encounters.

To ensure full compliance, providers should follow these specific guidelines:

• Conduct an audit to identify how healthcare professionals communicate with patients and business associates.
• Identify and analyze risks to the privacy of health information and the security of electronic transmissions.
• Develop policies to mitigate the risk of violations and breaches, and provide HIPAA training on the policies.
• Ensure compliant business associate agreements are in place with each business associate and software vendor.
• Implement verification procedures for first contacts and when access credentials are known to have been compromised.
• Develop policies for recording patient consent when the confidentiality of a remote consultation cannot be guaranteed.
• All remote patient encounters should be documented and securely retained to comply with the HIPAA document retention requirements.

Summary of Telemedicine Implementation Steps

The following table outlines the foundational elements required for compliant remote healthcare delivery as defined in the 2025 guidelines:

Professional Standards and Documentation

Regulatory updates emphasize that all remote patient encounters should be documented and securely retained. This is essential to meet HIPAA document retention requirements and to maintain the integrity of Protected Health Information (PHI) in digital environments.