Yes, several video platforms are HIPAA compliant, but only when you use the correct paid tier, sign a Business Associate Agreement (BAA) with the vendor, and configure the platform to meet the HIPAA Security Rule. The most widely trusted HIPAA-eligible video tools in 2026 include Zoom for Healthcare, Doxy.me, Microsoft Teams, Google Meet (Workspace), VSee, TheraPlatform, SimplePractice, thera-LINK, Updox, Mend, Webex by Cisco, and GoTo Meeting.
The problem is that most free or consumer video apps, like personal Zoom, FaceTime, standard Google Meet, Skype, or Discord, do not qualify. Under 45 CFR 164.504(e), a covered entity cannot share protected health information (PHI) with a vendor unless that vendor is contractually bound as a business associate. When the OCR’s COVID-19 telehealth enforcement discretion ended in August 2023, providers lost the temporary pass to use non-compliant tools like FaceTime.
According to the American Medical Association’s 2024 telehealth survey, roughly 74% of physicians work in practices that offer telehealth, and video is the dominant channel. Here’s what you will take away from this guide.
- 🔒 How HIPAA’s Privacy, Security, and Breach Notification Rules apply to video
- 📋 The exact features a platform needs before it can sign a BAA
- 🎥 Named examples of 12 HIPAA-eligible video platforms with pricing context
- ⚠️ The most common mistakes that turn a “compliant” tool into a violation
- 🧭 A step-by-step process to evaluate any new video vendor
How HIPAA Governs Video Communication
HIPAA is a federal law passed in 1996 and expanded by the HITECH Act of 2009 and the 2013 Omnibus Rule. Together, these laws decide which technology you can use to share PHI with patients or colleagues. The rules apply to covered entities like clinics and hospitals and to their business associates, which now includes most software vendors.
Video calls create live audio, live video, chat transcripts, session recordings, and metadata. Every one of those items can contain PHI. The HIPAA Security Rule demands that each of those data streams stay confidential, intact, and available only to approved users.
When a practice ignores these rules, the consequences are steep. The Office for Civil Rights can fine a practice up to $2,134,831 per violation category per year under the 2024 civil penalty tiers. In 2022, Doctors’ Management Services paid $100,000 after a ransomware incident exposed PHI, a reminder that weak endpoints matter as much as the platform itself.
The Privacy Rule and Video
The Privacy Rule controls who can see or hear PHI. On a video call, this means only the patient and the clinician should be in frame or on mic. The rule also limits any recording, screen-share, or transcript that captures identifiers like names, dates, or diagnoses.
A common misconception is that the Privacy Rule only bans outright disclosure. In reality, it also requires the “minimum necessary” standard, so even internal use of video for training should strip identifiers. If Dr. Ortiz records a session for peer review without patient consent, she risks a Privacy Rule violation even if no one outside the clinic sees it.
The Security Rule and Video
The Security Rule sets the technical safeguards a platform must meet. These include access controls, audit logs, integrity checks, transmission security, and encryption of data in motion and at rest. The NIST SP 800-66 Rev. 2 guidance published in February 2024 is the current federal playbook for meeting those controls.
Violating the Security Rule is the most common path to a big fine. If a platform does not log who joined a visit, OCR treats that as a failure of audit control under 45 CFR 164.312(b). A clinic using a tool without audit logs could face a Tier 2 penalty even if no breach occurred.
The Breach Notification Rule
The Breach Notification Rule forces you to tell affected patients within 60 days of discovering a breach. It also forces you to post a notice on your website if more than 500 people are involved. Your video vendor must agree, in the BAA, to tell you fast enough that you can meet those deadlines.
If your vendor hides a breach for six months, the covered entity still gets blamed. That is why the 2013 Omnibus Rule made business associates directly liable and why the BAA must set the notification clock in plain language. A misconception is that insurance covers the cost; most cyber policies exclude regulatory fines.
What Makes a Video Platform HIPAA Compliant
A platform itself is never “HIPAA certified” because HHS does not run a certification program. Instead, a platform is HIPAA-eligible, which means it can be used in a compliant way if you sign a BAA and configure it right. The HHS FAQ on telehealth confirms this point clearly.
Required Technical Safeguards
Every compliant platform must offer end-to-end or transport-layer encryption at AES-128 or higher, unique user IDs, automatic logoff, audit logs, and integrity controls. It must also let administrators disable risky features like public meeting links or cloud recording without consent.
The consequence of missing any of these controls is simple: the vendor cannot legally sign a BAA. For example, consumer FaceTime lacks enterprise audit logs, which is why Apple does not sign BAAs for it. A practitioner who relies on it after August 2023 is operating outside HIPAA.
The Business Associate Agreement
The BAA is the contract that turns a software vendor into a legally bound partner. Under 45 CFR 164.504(e), it must spell out permitted uses of PHI, the vendor’s safeguards, breach notification timelines, and what happens at termination. No BAA, no PHI, period.
If you use a free or personal plan of a tool that otherwise has a healthcare tier, the BAA does not apply to you. That is the trap with free Zoom, personal Google accounts, and Teams for Home. The consequence, as OCR’s 2022 settlement with Banner Health illustrated, can reach into the millions.
Administrative and Physical Safeguards
Technical controls alone will not save you. You also need written policies, workforce training, a designated Security Officer, and physical controls over the devices that connect to the platform. The HHS Security Risk Assessment Tool is free and is the baseline regulators expect you to run every year.
A clinic that adopts Zoom for Healthcare but lets staff join visits from unsecured home Wi-Fi without training still fails HIPAA. The platform can be perfect, yet the practice can still be the weak link. That is why documentation and training matter as much as vendor choice.
12 HIPAA-Eligible Video Platforms (With Examples)
Below are 12 platforms that will sign a BAA in 2026, grouped by use case. Pricing is accurate as of Q2 2026 and may shift, so always confirm with the vendor. Every platform listed here meets the baseline Security Rule technical safeguards.
Zoom for Healthcare
Zoom for Healthcare is the market leader for hospital systems because it supports Epic and Cerner EHR integration, AES-256 encryption, and BAA coverage across Meetings, Webinars, and Zoom Phone. Plans start around $18.32 per user per month for Business tier with the healthcare add-on, and enterprise deals scale from there.
The catch is that free Zoom and basic Pro accounts are not covered by the BAA. A solo therapist named Marcus who uses his personal Zoom Pro plan for client sessions would be in violation. He must upgrade to a healthcare-eligible plan and sign the BAA before the first visit.
Doxy.me
Doxy.me is a browser-based tool built only for clinicians. It offers a free tier that does include a signed BAA, which is rare. Paid tiers at $35 and $50 per provider per month add group calls, payments, and HITRUST-aligned features.
Dr. Lena Ortiz, a pediatric therapist in Ohio, uses Doxy.me’s free plan for individual sessions because it needs no patient download. She still runs her own risk analysis and trains her staff, because the tool alone does not create compliance.
Microsoft Teams
Microsoft Teams is covered under Microsoft’s HIPAA BAA for Microsoft 365 when you are on Business Basic or higher. It shines for hospital systems already running Microsoft 365 because single sign-on, Intune device controls, and Purview audit logs come bundled.
Teams for Home and personal Microsoft accounts are not covered. A nurse practitioner who invites a patient from her @outlook.com account rather than the clinic tenant has just exposed PHI outside the BAA.
Google Meet (Workspace)
Google Meet is HIPAA-eligible when used inside a Google Workspace account with a signed BAA. Workspace Business Standard is $14 per user per month. The free @gmail.com version is not compliant because Google will not sign a BAA for consumer accounts.
A small clinic named Hill Country Family Medicine moved to Workspace, enabled the HIPAA control in the admin console, and now uses Meet for follow-ups. Without that admin toggle, even paid Workspace accounts are not fully configured for PHI.
VSee
VSee is a purpose-built telehealth platform used by NASA, the DoD, and more than 2,000 health systems. It offers FIPS 140-2 validated encryption and a free clinic plan that includes a BAA. Paid plans add scheduling, e-prescribing, and kiosk deployments.
A rural critical-access hospital named Blue Ridge Regional uses VSee kiosks to connect patients to specialists hundreds of miles away. The kiosk hardware plus VSee’s software stack meets HIPAA without the hospital building its own platform.
TheraPlatform
TheraPlatform targets mental health, speech, and occupational therapists. It combines video with EHR, scheduling, client portal, and billing for about $39 per provider per month. The BAA is included.
A speech-language pathologist named Priya uses TheraPlatform because its built-in resource library is designed for pediatric sessions. The single login for notes and video reduces the chance she pastes PHI into the wrong app.
SimplePractice
SimplePractice is popular with solo and small-group behavioral health practices. Plans range from $29 to $99 per month and include a signed BAA, Telehealth video, client portal, and superbill generation.
Its Telehealth video is browser based and does not require patient downloads. That lowers the no-show rate, which matters because a JAMA Network Open 2023 study found video no-show rates were 7.5% lower than in-person visits.
thera-LINK
thera-LINK offers HIPAA-compliant video at roughly $30 per provider per month. It focuses on therapists, offers waiting-room branding, and will sign a BAA on every paid plan. It is simpler than SimplePractice but also narrower in scope.
A licensed professional counselor named Jordan picked thera-LINK because she wanted video without a full EHR. The lighter stack cut her tech overhead during her first year in private practice.
Updox
Updox is part of EverCommerce and bundles HIPAA video with secure text, fax, and patient reminders. It is priced per provider per month and is often sold through EHR resellers like athenahealth and eClinicalWorks.
A primary care group named Cedar Medical uses Updox to send appointment reminders and then launch a video visit from the same link. The integrated workflow reduces how many tools staff must juggle and, with it, the risk of mis-sent PHI.
Mend
Mend focuses on patient engagement, with AI-driven no-show prediction, digital intake, and HIPAA-compliant video. Pricing is custom and typically sits in the $49 to $79 per provider per month band for mid-size practices.
Mend signs a BAA on all paid plans. A multi-site orthopedic group named Summit Ortho uses Mend because the platform’s predictive models fill empty slots that used to cost the group money.
Webex by Cisco
Webex offers HIPAA-eligible tiers with end-to-end encryption, meeting lobbies, and integration to Cisco room hardware. It is strong for large health systems that already own Cisco networking gear.
Cisco will sign a BAA for its Webex Meetings, Calling, and Messaging services on Business or Enterprise plans. The free plan is not eligible, and features like AI Assistant must be toggled off or on according to the BAA schedule.
GoTo Meeting
GoTo Meeting will sign a BAA on its Business and Enterprise plans, which start at $14 per organizer per month. It supports 256-bit AES encryption, one-time passwords, and the ability to disable recording.
GoTo’s strength is simplicity for a covered entity that just wants video and nothing else. A solo cardiologist named Dr. Fox picked GoTo because he wanted a tool that did not try to become his EHR.
Comparing the Top Platforms
The chart below shows the key distinctions among the three most common picks for small practices. Pricing is per provider per month unless noted. All three will sign a BAA, but they differ in scope.
| Platform | What Makes It Stand Out |
|---|---|
| Doxy.me | Free tier includes BAA, browser based, built only for clinicians, starts at $0 |
| Zoom for Healthcare | Deep EHR integration, massive ecosystem, AES-256, starts near $18.32 |
| SimplePractice | All-in-one EHR plus video for therapists, included BAA, starts at $29 |
A second comparison helps hospital-scale buyers. Here the question is less about price and more about how well the tool plugs into existing IT stacks. The table below summarizes the trade-offs.
| Enterprise Platform | Best Fit |
|---|---|
| Microsoft Teams | Hospitals already on Microsoft 365 with Intune and Purview |
| Webex | Systems running Cisco networking and room hardware |
| VSee | Telehealth-first deployments, kiosks, federal and DoD work |
Three Real-World Scenarios
Scenarios make the abstract rules concrete. Each table below follows the “choice leads to outcome” format that OCR investigators use when they review a case. All examples below use fictional names but mirror patterns in real enforcement actions.
Scenario 1: Solo Therapist Picks the Wrong Plan
A therapist wants to save money and uses a free consumer video tool. The consequence shows up only when a patient files a complaint months later.
| Choice | Outcome |
|---|---|
| Dr. Ortiz uses free Zoom Pro for therapy | No BAA exists, every session is a potential HIPAA violation |
| A patient files an OCR complaint | OCR opens an investigation under 45 CFR 160.306 |
| Dr. Ortiz cannot produce audit logs | OCR imposes a Tier 2 penalty of $1,000 to $50,000 per violation |
Scenario 2: Hospital Misconfigures Teams
A hospital already owns Microsoft 365 but forgets to enable HIPAA controls in the admin center. Staff start using Teams for video visits anyway.
| Choice | Outcome |
|---|---|
| IT skips the Purview audit log toggle | Security Rule 45 CFR 164.312(b) is violated |
| A laptop is stolen from a clinician’s car | PHI on the device is exposed without device encryption |
| Breach affects 2,400 patients | OCR requires 60-day notice and a public press release |
Scenario 3: Telehealth Startup Skips the BAA
A new telehealth startup launches before its legal team finishes the vendor BAA for its video partner. Leadership assumes the platform’s “HIPAA ready” marketing is enough.
| Choice | Outcome |
|---|---|
| Startup launches without a signed BAA | Every visit transmits PHI outside a HIPAA-covered relationship |
| An investor-led audit flags the gap | Series A funding is delayed by three months |
| Startup must sign BAA and retrain staff | Legal fees and remediation cost roughly $250,000 |
Mistakes to Avoid
Most HIPAA video failures come from a small set of repeat errors. The list below captures the ones OCR, state attorneys general, and breach lawyers see most often.
- Using a free or consumer plan that is not covered by the vendor’s BAA
- Recording sessions to a personal cloud drive outside the BAA’s scope
- Sharing meeting links on public channels like social media or open calendars
- Skipping the annual Security Risk Analysis required by 45 CFR 164.308(a)(1)
- Letting staff join visits from unsecured home Wi-Fi without a VPN
- Ignoring the 60-day breach notice clock when a vendor reports an incident
- Failing to train workforce members on platform-specific settings at hire and yearly
- Using personal email addresses to invite patients instead of the clinic tenant
- Leaving cloud recording turned on by default for every user
- Not revoking access for staff who leave the practice within a reasonable window
- Assuming state law, like California’s CMIA or Texas HB 300, does not add stricter rules than HIPAA
Each of these carries a direct negative outcome, from a six-figure fine to a reputational hit that scares off referrals. The mandatory annual risk analysis is the single biggest miss, because OCR has opened investigations for this alone since 2016.
Do’s and Don’ts
The rules are long, but a short list helps front-line staff remember them. Use this as a quick one-page handout.
- Do sign the BAA before the first patient visit
- Do run an annual risk analysis with documented results
- Do turn on multi-factor authentication for every provider account
- Do use the platform’s waiting room or lobby feature for every visit
- Do review audit logs at least monthly for anomalies
- Don’t use personal or free accounts for any PHI
- Don’t record without documented patient consent that fits state law
- Don’t reuse meeting links across patients
- Don’t store session notes inside chat transcripts
- Don’t share admin credentials across staff members
Every “do” maps to a HIPAA safeguard, and every “don’t” maps to a real enforcement case. The two columns together are how OCR auditors score a practice in the field.
Pros and Cons of HIPAA-Compliant Video Tools
Choosing any tool involves trade-offs. The lists below separate the shared upsides and downsides you will see across vendors.
Pros:
- Reduces no-show rates by offering a convenient option for busy patients
- Expands geographic reach without opening a new office
- Built-in audit logs make HIPAA documentation simpler than paper charts
- BAAs shift some liability to the vendor under the 2013 Omnibus Rule
- Encrypted transmission protects data better than phone or fax
Cons:
- Adds monthly software cost that small practices must budget for
- Requires ongoing staff training to prevent misconfigurations
- Relies on patient internet quality, which the clinic cannot control
- Creates a new attack surface that must be monitored for breaches
- State licensing rules may block cross-border care even when HIPAA allows it
Each “pro” is a revenue or risk win, and each “con” is a spending or operational cost. Knowing both helps a practice build a realistic telehealth budget, not a hopeful one.
How to Vet and Onboard a Video Platform
The vetting process is a seven-step checklist that every covered entity should run before signing any vendor contract. Skipping a step is the fastest route to a breach.
Step 1: Confirm BAA Availability
Ask the vendor for the actual BAA text, not a marketing page. Read the breach notification timeline; 24 to 48 hours is good, and 60 days is too long. If the vendor refuses to sign, the search is over.
The consequence of skipping this check is that you may buy a tool that markets itself as “HIPAA ready” but never actually signs a BAA. A misconception is that “HIPAA ready” and “HIPAA compliant” are synonyms. They are not.
Step 2: Run a Security Risk Analysis
Use the HHS SRA Tool or a vendor like Compliancy Group to document where PHI flows through the new platform. The output becomes the first page of your compliance binder.
If you do not document this, OCR will assume you never did it. The consequence is an automatic Security Rule finding, which carries tier-based fines starting at about $137 per violation and climbing fast for willful neglect.
Step 3: Configure the Admin Console
Every compliant platform has a “HIPAA mode” or equivalent set of toggles. These usually disable anonymous joins, enable encryption at rest, and turn on granular audit logs. Document every setting you change.
Missing a single toggle, like Google Meet’s Workspace HIPAA switch, means the rest of your controls sit on a cracked foundation. Do this before a single provider account goes live.
Step 4: Train the Workforce
HIPAA requires training at hire and at least once a year under 45 CFR 164.530(b). Focus on platform-specific scenarios like waiting rooms, recording consent, and how to report a lost device.
If a staff member fails to secure a visit, OCR will ask for training records. No records, no defense, and the penalty climbs by a tier for “willful neglect.”
Step 5: Publish Patient-Facing Notices
Update your Notice of Privacy Practices to mention telehealth. Tell patients which platform you use and how they can raise concerns.
The consequence of skipping this is that a patient can argue they never consented to electronic care. That undermines both your HIPAA and your malpractice positions in any dispute.
Step 6: Monitor Logs and Incidents
Set a monthly calendar task for the Security Officer to review audit logs. Keep an incident response plan that names the vendor’s breach hotline and the 60-day clock under the Breach Notification Rule.
If you find a problem in month three but do not log it, OCR treats the silence as concealment. That elevates a simple fix into a possible willful neglect finding.
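The monthly audit log review in Step 6, and several items on the Mistakes and Do's and Don'ts lists (personal accounts, reused meeting links, recording without consent, unrevoked access, skipped waiting rooms), can be turned into a repeatable check. The script below is an added example, not code from the page or from any vendor; the audit export format, the field names, the clinic domain and the offboarded-staff list are all assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict

# Assumptions (hypothetical values, not from any vendor or the page): the
# practice's tenant domain and workforce accounts that should already be revoked.
CLINIC_DOMAIN = "clinic.example"
OFFBOARDED = {"former.ma@clinic.example"}

# Constructed sample audit export, one JSON object per line. The field names
# are invented for this example; map your platform's export onto them.
SAMPLE_LOG = """
{"ts":"2026-04-02T09:00:00Z","event":"meeting_start","meeting_id":"m-1001","actor":"dr.ortiz@clinic.example","role":"host","patient":"pt-77","lobby":true,"recording":false,"consent":false}
{"ts":"2026-04-02T10:00:00Z","event":"meeting_start","meeting_id":"m-1001","actor":"dr.ortiz@clinic.example","role":"host","patient":"pt-81","lobby":true,"recording":false,"consent":false}
{"ts":"2026-04-03T14:00:00Z","event":"meeting_start","meeting_id":"m-1002","actor":"np.lee@outlook.com","role":"host","patient":"pt-90","lobby":false,"recording":false,"consent":false}
{"ts":"2026-04-04T11:00:00Z","event":"meeting_start","meeting_id":"m-1003","actor":"dr.ortiz@clinic.example","role":"host","patient":"pt-12","lobby":true,"recording":true,"consent":false}
{"ts":"2026-04-04T11:05:00Z","event":"participant_join","meeting_id":"m-1003","actor":"former.ma@clinic.example","role":"staff","patient":"pt-12","lobby":true,"recording":true,"consent":false}
{"ts":"2026-04-05T15:00:00Z","event":"meeting_start","meeting_id":"m-1004","actor":"dr.fox@clinic.example","role":"host","patient":"pt-33","lobby":true,"recording":true,"consent":true}
{"ts":"2026-04-05T15:02:00Z","event":"participant_join","meeting_id":"m-1004","actor":"pt-33@gmail.example","role":"patient","patient":"pt-33","lobby":true,"recording":true,"consent":true}
"""


def parse_log(text):
    """Parse a JSON-lines audit export into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(records):
    """Return (check, meeting_id, detail) findings for the Security Officer's monthly review."""
    findings = []
    patients_per_meeting = defaultdict(set)
    for r in records:
        actor, mid = r["actor"], r["meeting_id"]
        patients_per_meeting[mid].add(r["patient"])
        if r["role"] != "patient":
            # Workforce account outside the clinic tenant: the BAA does not cover it.
            if not actor.endswith("@" + CLINIC_DOMAIN):
                findings.append(("personal_account", mid, actor))
            # Departed staff still joining visits: access was never revoked.
            if actor in OFFBOARDED:
                findings.append(("offboarded_access", mid, actor))
        if r["event"] == "meeting_start":
            # Recording without documented consent on file.
            if r["recording"] and not r["consent"]:
                findings.append(("recording_without_consent", mid, actor))
            # Waiting room / lobby disabled for the visit.
            if not r["lobby"]:
                findings.append(("lobby_disabled", mid, actor))
    # One meeting link used for more than one patient.
    for mid, patients in patients_per_meeting.items():
        if len(patients) > 1:
            findings.append(("reused_link", mid, ",".join(sorted(patients))))
    return findings


def summarize(findings):
    """Count findings per check, for the monthly review record."""
    counts = defaultdict(int)
    for check, _, _ in findings:
        counts[check] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review(parse_log(SAMPLE_LOG))
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run against a real export, keep the output with the date of the review so the log review itself is documented.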
Step 7: Reassess Yearly
Telehealth rules shift fast. The HHS 2024 cybersecurity performance goals and the proposed HIPAA Security Rule update from December 2024 will likely tighten encryption and risk analysis requirements in the next rule cycle.
A practice that signs a BAA once and forgets about it is likely to fail its next audit. Set a yearly recurring task to repeat steps 1 through 6.
Key Cases and Enforcement Takeaways
OCR enforcement paints a clearer picture than the statute text. A quick look at three matters shows how video and telehealth fit into the broader pattern. Each case below set a precedent that shapes how clinics vet vendors today.
The 2022 Anthem settlement at $16 million remains the largest HIPAA settlement on record and turned on a failure to run a risk analysis. The 2023 L.A. Care Health Plan settlement for $1.3 million tied directly to misconfigured access controls, similar to what a bad Teams setup could cause. The 2013 Skagit County case at $215,000 showed that even small public agencies face penalties for putting PHI in tools that were never meant for it.
State Nuances
HIPAA is the federal floor. California’s CMIA adds a private right of action, which means patients can sue directly rather than wait for OCR. Texas HB 300 requires clinic-specific training within 90 days of hire and every two years after.
New York’s SHIELD Act extends breach notification to private health information held by any business operating in the state. A clinic that uses a HIPAA-compliant platform but ignores state rules can still face state fines, even when its federal compliance is solid.
FAQs
Is Zoom HIPAA compliant?
Yes. Zoom for Healthcare and eligible Business or Enterprise plans sign BAAs. Free Zoom and personal Pro plans are not HIPAA compliant, so you must upgrade and sign the BAA before any PHI use.
Is FaceTime HIPAA compliant?
No. Apple does not sign a BAA for FaceTime, so it is not HIPAA-eligible. The OCR enforcement discretion that allowed it briefly during COVID-19 ended in August 2023.
Is Google Meet HIPAA compliant?
Yes. Google Meet is HIPAA-eligible inside a paid Google Workspace account with a signed BAA and the HIPAA control enabled. Free @gmail.com Meet sessions are never compliant.
Is Microsoft Teams HIPAA compliant?
Yes. Teams is covered by Microsoft’s BAA on Business Basic plans and higher in Microsoft 365. Teams for Home and personal Microsoft accounts are not covered and cannot transmit PHI.
Is Skype HIPAA compliant?
No. Microsoft does not sign a BAA for consumer Skype, so it fails the vendor requirement under 45 CFR 164.504(e). Use Teams or another eligible tool instead.
Is Doxy.me really free and HIPAA compliant?
Yes. Doxy.me’s free tier includes a signed BAA, full encryption, and a browser-based waiting room. Paid tiers add scheduling, payments, group calls, and other clinic workflow features.
Does a signed BAA alone make my practice compliant?
No. The BAA is necessary but not sufficient. You still need a risk analysis, written policies, workforce training, audit log reviews, and a breach response plan under the Security and Privacy Rules.
Can I record a telehealth session?
Yes. You can record, but only with documented patient consent, a lawful purpose, encryption at rest, and retention rules that match state law. Some states require two-party consent for any recording.
Are text messages inside a video app covered by HIPAA?
Yes. Any chat that contains PHI is covered and must meet the same encryption, access control, and audit log rules as the video stream. Disable chat if you cannot secure it.
Do I need HIPAA video if I only do in-person visits?
No. If no PHI leaves the exam room by video, you do not need a video BAA. Most practices still add telehealth for follow-ups, refills, and after-hours triage, which then requires a compliant platform.
What happens if my video vendor has a data breach?
You still must act. The vendor must tell you under the BAA, usually within 60 days or sooner, and you must then notify affected patients, HHS, and sometimes the media under the Breach Notification Rule.
How often should I reassess my video platform?
At least yearly. Rerun the risk analysis, reconfirm the BAA, and update training. OCR treats an outdated risk analysis as a Security Rule violation even if nothing else has changed.