HIPAA Business Associate Agreement for Telehealth Providers

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read

Telehealth exploded during COVID — and with it, HIPAA compliance shortcuts became normalized. The enforcement discretion period that let providers use FaceTime or standard Zoom ended on May 11, 2023. Since then, full HIPAA requirements apply. If your telehealth practice is still using non-compliant video tools or operating without BAAs, this is what you need to fix.

Which Telehealth Providers Are Subject to HIPAA?

Any healthcare provider who delivers clinical services via telehealth and transmits health information electronically is subject to HIPAA as a covered entity. This includes:

• Physicians, NPs, and PAs conducting video visits
• Mental health providers (therapists, psychologists, psychiatrists)
• Behavioral health platforms
• Telemedicine startups providing clinical services directly to patients
• Chronic care management platforms with provider oversight
• Remote patient monitoring companies with clinical staff

If you or your platform employs licensed clinicians who interact with patients and bill for services, HIPAA applies.

Video Platform BAA Requirements

This is the most common compliance gap in telehealth. Not every video tool qualifies for HIPAA use:

Platforms That Can Sign a BAA

• Zoom for Healthcare — dedicated healthcare plan with built-in HIPAA compliance and BAA
• Doxy.me — healthcare-specific video platform; free tier includes HIPAA BAA for individual providers
• Microsoft Teams — BAA available on Business Basic and above via Microsoft's OST
• Google Meet — covered under Google Workspace's HIPAA BAA on paid plans
• Teladoc / Amwell / MDLive — enterprise telehealth platforms with built-in HIPAA compliance

Platforms That Cannot Sign a BAA

• Standard Zoom (Free, Pro, Business+) — not eligible; use Zoom for Healthcare instead
• Apple FaceTime — no BAA available; consumer product not covered
• Google Meet (personal/free) — personal Google accounts not covered
• Skype (personal) — consumer product; no BAA
• WhatsApp — no BAA; do not use for patient communications

Full Telehealth Vendor BAA Checklist

Beyond your video platform, a complete telehealth operation involves multiple vendors who all need BAAs:

• EHR / clinical documentation platform — stores all clinical notes, diagnoses, and orders
• Practice management / scheduling software — links patient identities to appointment times
• Billing company or clearinghouse — processes claims with patient names and diagnosis codes
• Video platform — transmits PHI during live sessions
• Cloud storage — for session recordings, documents, images
• Patient communication platform — secure messaging, appointment reminders
• Identity verification — if you verify patient identity before visits
• IT support / MSP — any provider with system access
• Transcription services — if you use AI or human transcription of sessions

Remote Patient Monitoring (RPM) BAA Considerations

RPM adds additional complexity. Device manufacturers, data aggregation platforms, and monitoring software companies are all potential business associates if they handle PHI. For RPM specifically:

• The device manufacturer may not be a business associate if they only transmit data to you and don't store it — but most RPM platforms do store data
• Data aggregation platforms (Validic, Aidea, etc.) are typically business associates
• Alerting/notification services that transmit readings to clinicians may be business associates

When in doubt, execute a BAA. The cost of an unnecessary BAA is zero. The cost of a missing required BAA can be substantial.