HIPAA BAA Template for Telehealth Vendors
By BAA Generator Editorial · Published Apr 20, 2026 · Last reviewed Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Telehealth BAA must address session recording storage and access controls
- ✓ Video platform, scheduling, and patient messaging may be separate vendors requiring separate BAAs
- ✓ COVID-era telehealth HIPAA waivers have expired — standard HIPAA rules now apply
- ✓ Zoom for Healthcare, Doxy.me Professional, and Teladoc all offer BAAs for covered entities
What PHI Flows Through a Telehealth Platform
A telehealth platform creates and handles PHI in ways that differ from traditional EHR data. Understanding what data the platform generates is essential for drafting a BAA that addresses all PHI flows:
- Video session data — The content of the clinical encounter itself, which constitutes PHI when it identifies the patient and relates to their health condition or treatment
- Session recordings — If sessions are recorded (with appropriate patient consent), recordings constitute highly sensitive PHI and require specific handling provisions in the BAA
- Patient intake forms and questionnaires — Submitted before or after the visit, these may contain detailed health history, current medications, and symptom information
- Secure messaging and chat — Messages between patient and provider during or after the session are PHI
- Appointment scheduling data — The fact that a patient scheduled and attended a mental health, substance use, or other sensitive specialty telehealth visit may itself constitute sensitive PHI
Components That May Require Separate BAAs
A complete telehealth stack often involves multiple vendors, each of which may be a separate business associate requiring its own BAA:
- Video conferencing platform — Zoom for Healthcare, Doxy.me, VSee, or a proprietary platform. Standard consumer video tools are not HIPAA-compliant without a BAA. See the separate guides on whether Zoom for Healthcare signs a BAA and whether Doxy.me signs a BAA.
- Scheduling and appointment management — Often a separate tool from the video platform; if patients' identity and appointment type are stored, this is PHI
- E-prescribing — Prescription data is PHI; e-prescribing tools integrated into telehealth workflows require BAAs
- Patient portal — If a separate vendor from the video platform, requires its own BAA
- Payment processing — If health-related payment data is processed by a third party, a BAA may be required depending on what PHI is included
Key Clauses for Telehealth BAAs
In addition to the required HIPAA BAA elements, a telehealth-specific BAA should address:
- Session recording retention and access: Specify whether the vendor stores recordings, for how long, who can access them (provider, patient, vendor support staff), and under what circumstances the vendor may access recordings (e.g., only for technical support with prior notice)
- End-to-end encryption obligation: Require the vendor to use end-to-end encryption for video sessions and messaging, and to document the encryption standard used. Note that server-side session recording is generally incompatible with true end-to-end encryption, so the clause should state separately how recordings and stored messages are encrypted at rest and who holds the keys.
- Subprocessor disclosure: Require the vendor to disclose all subprocessors that handle PHI (CDN providers, cloud infrastructure, analytics tools) and to notify you before adding new ones
- Geographic data restrictions: For providers subject to state-specific requirements, include restrictions on where session data and recordings may be stored
- Patient-accessible recordings: Address whether and how patients can access recordings of their sessions under HIPAA's right of access provisions
Post-COVID: Standard HIPAA Rules Now Apply
During the COVID-19 public health emergency, OCR exercised enforcement discretion allowing covered entities to use non-HIPAA-compliant consumer video platforms (such as standard Zoom, FaceTime, or Skype) for telehealth visits without obtaining a BAA. That enforcement discretion policy expired when the public health emergency ended.
With the public health emergency over, standard HIPAA rules apply in full to telehealth. Covered entities must use HIPAA-compliant video platforms, must have BAAs with those platforms, and cannot rely on the COVID-era waivers. Any practice still using consumer video tools for telehealth without a BAA is in violation of HIPAA.
Post-Visit PHI Handling
A telehealth BAA should also address what happens to PHI after the visit concludes. This includes: the disposition of chat/messaging logs, the period during which recordings remain accessible to the provider, the vendor's right to retain de-identified session metadata for product analytics, and the process for patient requests to delete or restrict access to their visit data. These provisions are often absent from vendor-provided telehealth BAAs and should be added during negotiation.
Frequently Asked Questions
What should a HIPAA BAA for telehealth include?
A HIPAA BAA for a telehealth vendor should cover: permitted uses of PHI captured during virtual visits (video data, session recordings, patient messages, e-prescribing data); obligations for session recording storage, access controls, and retention periods; breach notification requirements with a specific timeline; subcontractor BAA requirements for all third-party components that handle PHI; and data return or deletion provisions at contract termination.
Do I need a BAA for each component of my telehealth platform?
Yes, if those components are from separate vendors. A telehealth setup may involve separate vendors for video conferencing, scheduling, patient messaging, e-prescribing, and the patient portal — each is a separate business associate requiring its own BAA. If a single vendor provides an integrated platform covering all components under one contract, one BAA covering all services may be sufficient — verify that the BAA explicitly covers each component.
Can I use Zoom for telehealth without a BAA?
No — not for clinical telehealth visits involving patient PHI. Standard Zoom (consumer or business plans) does not offer a BAA and is not HIPAA-compliant for telehealth use. Zoom for Healthcare is a separate offering specifically designed for covered entities and includes a BAA. Before using any video platform for clinical telehealth, confirm HIPAA-compliant configuration is available and execute a BAA with the vendor.
What happened to the COVID telehealth HIPAA waivers?
The COVID-era OCR enforcement discretion policies that allowed covered entities to use non-HIPAA-compliant consumer video platforms (like FaceTime or standard Zoom) for telehealth have expired following the end of the COVID-19 public health emergency. Standard HIPAA rules now apply to telehealth in full. Covered entities must use HIPAA-compliant platforms with BAAs in place for all telehealth visits involving PHI.
Generate a Telehealth BAA in Minutes
BAA Generator produces HIPAA-compliant BAAs for telehealth platforms and all your other healthcare vendors — free, customizable, downloadable.