Telehealth BAAs & Security (HIPAA, SOC 2, HITRUST) — A Practical Checklist

If you plan to launch GLP-1, TRT, ED, or any virtual clinic, start here. The steps below protect patients and help you grow with confidence. This guide is for general information, not legal advice. Speak with legal counsel about your specific situation.

Understanding Telehealth BAAs

A Business Associate Agreement sets the ground rules for privacy and security in telehealth. It is the contract that makes vendors legally bound to safeguard patient data.

What is a Business Associate Agreement (BAA)?

A Business Associate Agreement is a required contract between you and any vendor that handles Protected Health Information, also called PHI. PHI includes any data that can identify a patient, like names, diagnoses, or billing details.

Under HIPAA, cloud hosts, telehealth platforms, payment processors, analytics tools, and marketing systems all need a BAA when they process or store PHI. A BAA defines responsibilities for safeguarding data, breach notification, subcontractor agreements, and audit rights.

When Do You Need a BAA in Telehealth?

You need a signed BAA before any vendor touches PHI. Examples include:

Video visit platforms storing or transmitting patient health information
Cloud storage for electronic health records
Pharmacy partners fulfilling prescriptions
Lab services processing diagnostic orders
Marketing and analytics platforms if they see patient identifiers or health data
Payment processors handling transaction details tied to diagnoses

If the vendor can see PHI, a BAA is mandatory. Missing BAAs lead to enforcement actions. The Office for Civil Rights has issued more than 31,000 corrective actions since 2003.

What Goes Into a Telehealth BAA?

A compliant BAA covers the following elements:

Permitted Uses and Disclosures: Define what the business associate may do with PHI
Safeguards: Require administrative, physical, and technical protections for PHI
Reporting: Mandate notification of breaches or security incidents within a specified time frame
Subcontractors: Require downstream BAAs if the vendor shares PHI with third parties
Data Return or Destruction: Outline what happens to PHI at contract end
Audit Rights: Grant the covered entity the right to review security practices

The Department of Health and Human Services publishes sample BAA language. Many vendors have pre‑drafted BAAs, but you should review them with legal counsel to verify they meet your state and federal obligations.

HIPAA Compliance Essentials

HIPAA stands for the Health Insurance Portability and Accountability Act. In telehealth, you must follow the Privacy Rule, Security Rule, and Breach Notification Rule.

Privacy Rule

The Privacy Rule governs how you use and disclose PHI. It sets standards for patient consent, minimum necessary use, and individual rights.

Key requirements include:

Written Notice of Privacy Practices explaining how you use PHI
Patient consent for most uses and disclosures of PHI
Minimum necessary principle: Only access the data needed for a specific purpose
Patient rights to access, amend, and request accounting of disclosures

Telehealth platforms often handle prescription refills, lab orders, and scheduling. Each interaction must respect privacy rules. For example, marketing messages about a new GLP-1 program require patient authorization if they reference treatment history.

Security Rule

The Security Rule establishes safeguards for electronic PHI, also called ePHI. It is organized into administrative, physical, and technical safeguards.

Administrative Safeguards include risk analysis, workforce training, and incident response plans. You must:

Conduct an annual risk assessment of ePHI handling
Designate a privacy officer and security officer
Implement policies and procedures for access control, data backup, and disaster recovery
Train staff on HIPAA requirements and security practices

Physical Safeguards protect hardware, workstations, and data centers. Steps include:

Facility access controls for server rooms and clinician workstations
Workstation security policies that limit PHI display in public areas
Device and media disposal procedures to prevent data leakage

Technical Safeguards address encryption, access controls, and audit logs:

Unique user IDs and strong authentication for any system with ePHI
Automatic logoff after inactivity
Encryption in transit (TLS 1.2 or higher) and at rest (AES-256)
Audit logs tracking who accessed which records and when

Breach Notification Rule

A breach is an impermissible use or disclosure of PHI that compromises security or privacy. If a breach affects 500 or more individuals, you must notify the Department of Health and Human Services, affected individuals, and the media within specific time frames.

For smaller breaches, individual notification is still required within 60 days.

The Office for Civil Rights publishes a breach portal. Since the portal launched, OCR has resolved 152 cases resulting in $144.9 million in financial penalties. Prevention is far less expensive than fines and reputation damage.

SOC 2 for Telehealth

SOC 2 is a framework created by the American Institute of CPAs. It evaluates controls for security, availability, processing integrity, confidentiality, and privacy.

What is SOC 2?

SOC 2 is a voluntary audit that verifies your organization has appropriate controls in place. Many healthcare partners, payers, and enterprise clients require a SOC 2 Type II report before signing contracts.

Type I evaluates whether controls are designed properly at a single point in time.

Type II tests whether those controls operated effectively over a minimum observation period, typically six to twelve months.

SOC 2 Trust Service Criteria

SOC 2 audits focus on five trust service criteria. Security is required; the others are optional depending on your service model.

Security: Protection against unauthorized access, both physical and logical
Availability: System uptime and disaster recovery capabilities
Processing Integrity: System processing is complete, valid, accurate, and timely
Confidentiality: Data designated as confidential remains protected
Privacy: Personal information is collected, used, retained, and disclosed in alignment with privacy policies

For telehealth, Security is almost always required. If you handle sensitive patient data beyond what HIPAA mandates, Confidentiality and Privacy may also be necessary.

Preparing for a SOC 2 Audit

SOC 2 preparation involves documenting controls and collecting evidence:

Document Policies: Write formal policies for access control, incident response, change management, vendor management, and data retention
Implement Technical Controls: Multi‑factor authentication, encryption, logging, and intrusion detection
Conduct Risk Assessments: Identify and remediate vulnerabilities before the audit observation period
Train Your Workforce: Ensure all team members understand security policies
Engage an Auditor: Choose a CPA firm experienced in healthcare technology

The audit period for Type II runs six to twelve months. During this window, the auditor tests whether you followed documented procedures and whether controls operated effectively.

HITRUST for Healthcare Compliance

HITRUST is a risk‑based certification framework specifically designed for healthcare. It unifies multiple standards including HIPAA, NIST, ISO, and PCI DSS into one assessment.

What is HITRUST?

HITRUST stands for the Health Information Trust Alliance. The HITRUST Common Security Framework, or CSF, provides a comprehensive set of controls tailored to healthcare organizations. HITRUST certification signals to partners, payers, and regulators that you have mature security and compliance programs.

HITRUST data shows that fewer than one percent of certified organizations reported breaches during 2022 and 2023. This is a strong indicator that the framework reduces risk.

Why Pursue HITRUST Certification?

HITRUST certification provides several advantages:

Industry Recognition: HITRUST is widely accepted by health systems, payers, and enterprise partners
Reduced Audit Burden: Many organizations accept HITRUST in lieu of multiple vendor questionnaires
Risk Reduction: Fewer than one percent of certified organizations suffered breaches in 2022 and 2023
Regulatory Alignment: The framework incorporates HIPAA requirements and other federal and state regulations

HITRUST Assessment Levels

HITRUST offers multiple assessment options. The level you choose depends on organizational size, risk profile, and partner requirements.

i1 Assessment: Self‑assessment for small organizations or low‑risk environments
e1 Assessment: Externally validated assessment with a HITRUST assessor, suitable for medium‑risk organizations
r2 Assessment: The most rigorous option, requiring an on‑site validated assessment for high‑risk or large organizations

For telehealth platforms handling GLP-1, TRT, or other sensitive programs, the e1 or r2 assessment is common.

Practical Security Measures for Telehealth

Compliance frameworks set the baseline. Day‑to‑day security practices protect patient data and reduce breach risk.

Encryption

Encryption in Transit: Use TLS 1.2 or higher for all data moving between systems. Video visits, patient portals, and API calls all require encrypted connections.

Encryption at Rest: AES-256 is the standard for data stored in databases, file systems, and backups. Most cloud providers offer built‑in encryption, but you must enable it.

Access Controls

Role‑Based Access Control (RBAC): Assign permissions based on job function. Clinicians see patient records; billing staff see payment details; administrators manage user accounts.

Multi‑Factor Authentication (MFA): Require MFA for any system containing PHI. SMS codes, authenticator apps, or hardware tokens all work.

Automatic Logoff: Implement session timeouts after 15 to 30 minutes of inactivity.

Audit Logs

Track who accessed which records and when. Audit logs help detect unauthorized access, support breach investigations, and satisfy regulatory requirements. Retain logs for at least six years, the HIPAA standard.

Workforce Training

Train staff annually on HIPAA, phishing, password security, and breach response. Document training completion and test comprehension. Workforce errors cause many breaches, so training is a high‑return investment.

Incident Response

Write an incident response plan before a breach occurs. The plan should define:

Who to contact internally and externally
How to contain and investigate the incident
Notification timelines for affected individuals, the Department of Health and Human Services, and media
Communication templates and escalation procedures

Test the plan annually with tabletop exercises. Document lessons learned and update procedures.

Vendor Management

Review vendor security practices before signing contracts. Request SOC 2 reports, HITRUST certifications, or security questionnaires. Verify that vendors sign BAAs and maintain insurance.

Conduct annual reviews of high‑risk vendors. If a vendor suffers a breach, your patients are affected and you share liability.

Common Pitfalls and How to Avoid Them

Even well‑intentioned teams make mistakes. The following pitfalls are common in telehealth startups.

Using Consumer Apps for Clinical Communication

WhatsApp, personal email, and unencrypted SMS are not HIPAA‑compliant. If clinicians text patients about diagnoses or treatments, you risk fines and breaches.

Use HIPAA‑compliant messaging platforms with signed BAAs, encryption, and audit logs. Examples include secure patient portals or white‑label telehealth platforms with built‑in messaging.

Skipping Risk Assessments

HIPAA requires an annual risk assessment. Many startups skip this step or treat it as a one‑time checkbox. Risk assessments identify vulnerabilities before attackers do.

Conduct assessments annually and after major system changes. Document findings, remediation plans, and completion dates.

Overlooking Subcontractor BAAs

If your vendor uses subcontractors that access PHI, those subcontractors also need BAAs. For example, a telehealth platform might use AWS for hosting and Twilio for notifications. Both AWS and Twilio must sign BAAs.

Ask vendors for a list of subcontractors. Verify that BAAs are in place before PHI flows through the system.

Neglecting Physical Security

Laptops left in cars, unlocked workstations, and unsecured paper records cause breaches. Physical safeguards are as important as technical ones.

Enforce clean desk policies, encrypt laptops, and restrict access to areas where PHI is stored or displayed.

Checklist Summary

Use this checklist to verify your telehealth program has the necessary compliance and security measures in place:

Business Associate Agreements

☐Signed BAAs with all vendors that access PHI
☐Subcontractor BAAs verified and documented
☐BAAs reviewed by legal counsel

HIPAA Compliance

☐Notice of Privacy Practices published and available to patients
☐Annual risk assessment completed and documented
☐Privacy and security officers designated
☐Workforce training on HIPAA requirements completed
☐Breach notification procedures documented and tested

Technical Security

☐TLS 1.2 or higher for data in transit
☐AES-256 encryption for data at rest
☐Multi‑factor authentication enabled
☐Role‑based access controls implemented
☐Automatic session timeouts configured
☐Audit logs enabled and retained for six years

SOC 2 & HITRUST

☐Security policies documented
☐SOC 2 Type II audit scheduled or completed
☐HITRUST assessment planned or in progress
☐Controls tested and evidence collected

Operational Security

☐Incident response plan documented and tested
☐Vendor security reviews completed annually
☐Physical safeguards in place for workstations and data centers
☐Clean desk and screen lock policies enforced
☐No use of consumer apps (WhatsApp, personal email) for clinical communication

Frequently Asked Questions

Do I need a BAA for Google Workspace or Microsoft 365?

Yes, if you store or transmit PHI using these services. Both Google and Microsoft offer HIPAA‑compliant plans with signed BAAs. Standard consumer plans do not include BAAs and should not be used for PHI.

How long does SOC 2 certification take?

SOC 2 Type II requires a minimum observation period of six months. Preparation, including policy documentation and control implementation, can take an additional three to six months. Plan for at least nine to twelve months from start to final report.

Is HITRUST required for telehealth startups?

HITRUST is not legally required, but many healthcare partners, payers, and enterprise clients prefer or require it. If you plan to work with health systems or large payers, HITRUST certification gives you a competitive advantage and reduces audit burden.

What happens if I have a breach and no BAA in place?

Missing BAAs are a direct HIPAA violation. The Office for Civil Rights can impose corrective action plans, fines, and mandatory compliance audits. If a breach occurs, you face patient notification requirements, media scrutiny, and potential lawsuits. The average cost of a healthcare data breach in 2023 was $10.93 million.

Can I use AWS or Azure for PHI without extra steps?

AWS and Azure both offer HIPAA‑eligible services and will sign BAAs. However, you must enable encryption, configure access controls, and follow their HIPAA guidance. Simply using the cloud does not guarantee compliance; you remain responsible for configuring services correctly.

How often should I conduct a HIPAA risk assessment?

HIPAA requires risk assessments at least annually. You should also conduct an assessment after major changes like launching new services, adding vendors, or migrating infrastructure. Document findings, remediation plans, and completion dates.

What is the difference between HIPAA and SOC 2?

HIPAA is a federal law that applies to covered entities and business associates handling PHI. SOC 2 is a voluntary audit framework that evaluates security and privacy controls. HIPAA is mandatory for healthcare; SOC 2 is not legally required but is often expected by enterprise partners.

Do I need a separate BAA for each vendor product or service?

One BAA per vendor is typical, but the agreement should cover all services that access PHI. If a vendor offers multiple products, ensure the BAA lists each product or service that will handle PHI. Review and update BAAs when you add new services.