HIPAA Business Associate Agreement for Telehealth Providers
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- ✓ Telehealth providers are HIPAA covered entities — all BAA requirements apply in full
- ✓ The COVID enforcement discretion period ended May 11, 2023 — full HIPAA compliance required
- ✓ Standard Zoom, FaceTime, and Google Meet cannot be used for telehealth involving PHI
- ✓ Every technology vendor in your telehealth stack needs a signed BAA
- ✓ A telehealth platform's BAA covers only that platform — not your other vendors
Telehealth exploded during COVID — and with it, HIPAA compliance shortcuts became normalized. The enforcement discretion period that let providers use FaceTime or standard Zoom ended on May 11, 2023. Since then, full HIPAA requirements apply. If your telehealth practice is still using non-compliant video tools or operating without BAAs, this is what you need to fix.
Which Telehealth Providers Are Subject to HIPAA?
Any healthcare provider who delivers clinical services via telehealth and transmits health information electronically is subject to HIPAA as a covered entity. This includes:
- Physicians, NPs, and PAs conducting video visits
- Mental health providers (therapists, psychologists, psychiatrists)
- Behavioral health platforms
- Telemedicine startups providing clinical services directly to patients
- Chronic care management platforms with provider oversight
- Remote patient monitoring companies with clinical staff
If you or your platform employs licensed clinicians who interact with patients and bill for services, HIPAA applies.
Video Platform BAA Requirements
This is the most common compliance gap in telehealth. Not every video tool qualifies for HIPAA use:
Platforms That Can Sign a BAA
- Zoom for Healthcare — dedicated healthcare plan with built-in HIPAA compliance and BAA
- Doxy.me — healthcare-specific video platform; free tier includes HIPAA BAA for individual providers
- Microsoft Teams — BAA available on Business Basic and above via Microsoft's OST
- Google Meet — covered under Google Workspace's HIPAA BAA on paid plans
- Teladoc / Amwell / MDLive — enterprise telehealth platforms with built-in HIPAA compliance
Platforms That Cannot Sign a BAA
- Standard Zoom (Free, Pro, Business+) — not eligible; use Zoom for Healthcare instead
- Apple FaceTime — no BAA available; consumer product not covered
- Google Meet (personal/free) — personal Google accounts not covered
- Skype (personal) — consumer product; no BAA
- WhatsApp — no BAA; do not use for patient communications
Full Telehealth Vendor BAA Checklist
Beyond your video platform, a complete telehealth operation involves multiple vendors who all need BAAs:
- EHR / clinical documentation platform — stores all clinical notes, diagnoses, and orders
- Practice management / scheduling software — links patient identities to appointment times
- Billing company or clearinghouse — processes claims with patient names and diagnosis codes
- Video platform — transmits PHI during live sessions
- Cloud storage — for session recordings, documents, images
- Patient communication platform — secure messaging, appointment reminders
- Identity verification — if you verify patient identity before visits
- IT support / MSP — any provider with system access
- Transcription services — if you use AI or human transcription of sessions
Remote Patient Monitoring (RPM) BAA Considerations
RPM adds additional complexity. Device manufacturers, data aggregation platforms, and monitoring software companies are all potential business associates if they handle PHI. For RPM specifically:
- The device manufacturer may not be a business associate if they only transmit data to you and don't store it — but most RPM platforms do store data
- Data aggregation platforms (Validic, Aidea, etc.) are typically business associates
- Alerting/notification services that transmit readings to clinicians may be business associates
When in doubt, execute a BAA. The cost of an unnecessary BAA is zero. The cost of a missing required BAA can be substantial.
Generate BAAs for your entire telehealth stack
Preview the full BAA structure free, or pay $49 one-time for a clean PDF and Word file. If you're a telehealth platform sending BAAs to many covered entities, the $19/month Vendor Plan is designed for your workflow.
Generate BAA for Free →