HIPAA for Telehealth Startups: The Founder's Compliance Guide
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
The First Question: Are You a CE or BA?
Whether your telehealth startup is a covered entity (CE) or business associate (BA) determines your compliance obligations. Here's the distinction:
- Covered entity path: If your platform delivers care directly to patients — you employ or contract with clinicians who see patients on your platform — you are a CE. You must comply with the full HIPAA framework, provide patients with an NPP, and sign BAAs with your technology vendors.
- Business associate path: If your platform provides technology services to hospitals, practices, or other CEs that see the patients, you are a BA. You must comply with the Security Rule, Breach Notification Rule, and certain Privacy Rule provisions. You need a BAA with each CE customer, and BAAs with your own subcontractors who handle PHI.
Many telehealth companies operate in both roles simultaneously — for example, a platform that employs physicians for direct patient care while also licensing its technology to independent practices. In that case the CE obligations apply to the care-delivery side and the BA obligations apply to the licensed-technology side.
The CE Path: Covered Entity Telehealth
If you are a CE, your primary obligations are:
- Provide patients with an NPP at first service — generate one at NPPGenerator.com/npp-for-telehealth
- Sign BAAs with all technology vendors who store or process patient PHI
- Conduct a Security Risk Analysis
- Implement Privacy Rule protections (minimum necessary, patient rights procedures)
The BA Path: Healthtech Vendor
If you provide technology to covered entities, you are a business associate. You must:
- Execute a BAA with every CE customer before going live with their PHI — generate at BAAGenerator.com/baa-for-healthtech-startups
- Execute BAAs with your subcontractors (cloud host, analytics tools, email/SMS vendors) who handle CE PHI
- Implement Security Rule safeguards: encryption, access controls, audit logging, security policies
- Conduct a Security Risk Analysis for your platform
- Designate a Security Official
- Implement a breach notification procedure (60-day notification to CEs)
Vendor Stack BAA Checklist for Telehealth Startups
The following vendors in a typical telehealth stack are business associates and require BAAs:
- Cloud hosting: AWS, Google Cloud, Microsoft Azure — all three offer HIPAA BAAs and HIPAA-eligible services. You must sign their BAA before storing PHI in their environment.
- Video platform: Zoom for Healthcare, Doxy.me, Vsee, Daily.co HIPAA plan, Twilio with HIPAA configuration — each provides a BAA. Consumer-grade video platforms without a BAA are not acceptable.
- EHR/scheduling integration: Any EHR system your platform integrates with that involves PHI exchange.
- Analytics and data warehouse: If you send patient encounter data to analytics tools (Mixpanel, Segment, Amplitude, Snowflake), each tool that receives PHI is a BA and requires a BAA. Note: data that has been de-identified under the HIPAA de-identification standard is no longer PHI and can be sent without a BAA; data that is merely pseudonymized or stripped of names but still identifiable does not qualify.
- Email/SMS providers: SendGrid, Twilio SMS, Mailchimp — if used for clinical communications containing PHI, BAAs are required.
- Customer support tools: Zendesk, Intercom — if your support team accesses patient accounts with PHI, these are BAs.
SOC 2 vs HIPAA: What's the Overlap?
SOC 2 Type II and HIPAA Security Rule requirements overlap significantly. Both address: access controls and user authentication, audit logging, encryption in transit and at rest, incident response and breach notification, change management and software security, and vendor management. If you have a SOC 2 Type II report, you've already addressed many Security Rule requirements. However, SOC 2 does not satisfy HIPAA's Privacy Rule (NPP, patient rights, minimum necessary), Breach Notification Rule (specific 60-day notification to CEs), or documented risk analysis requirements. The typical path for healthtech startups is a SOC 2 Type II program supplemented with these HIPAA-specific requirements.
HIPAA-Compliant Video Platforms for Telehealth
Platforms that offer HIPAA Business Associate Agreements for telehealth video: Zoom for Healthcare (separate SKU from standard Zoom with BAA available), Doxy.me (all plans, BAA included), Vsee Clinic, Thera-Link, SimplePractice's integrated video, Microsoft Teams (with HIPAA configuration and BAA through Microsoft), and Daily.co HIPAA plan. Always obtain a signed BAA from your video platform before conducting patient sessions. Consumer-grade video (FaceTime, standard Zoom, Google Meet without BAA) is not acceptable for telehealth.
Frequently Asked Questions
Is my telehealth startup a covered entity or business associate?
If your platform delivers care directly to patients, you are a CE. If you provide technology services to other healthcare organizations that see patients, you are a BA. Many telehealth companies are BAs — they provide the platform but clinicians who use it are employed by or contract with a separate CE. Determine your role before structuring your compliance program.
What BAAs does a telehealth startup need?
As a CE: BAAs with cloud host, video platform, EHR, analytics tools, email/SMS providers. As a BA: BAAs with each CE customer plus BAAs with your subcontractors (cloud host, analytics, etc.). Generate at BAAGenerator.com/baa-for-telehealth.
Does SOC 2 certification mean we are HIPAA compliant?
No. SOC 2 and HIPAA Security Rule overlap significantly, but SOC 2 does not cover HIPAA's Privacy Rule, patient rights, NPP requirement, or specific Breach Notification Rule provisions. SOC 2 Type II is a strong foundation that should be supplemented with HIPAA-specific policies, BAAs, and a documented risk analysis.
Which video platforms are HIPAA-compliant for telehealth?
Platforms offering HIPAA BAAs: Zoom for Healthcare, Doxy.me, Vsee, Thera-Link, SimplePractice video, Microsoft Teams (with HIPAA configuration), and Daily.co HIPAA plan. Always request and sign a BAA before using any platform for patient sessions. Standard consumer video platforms without a BAA are not acceptable.
What is the first HIPAA step for a new telehealth startup?
Determine your HIPAA role (CE or BA). Then: conduct a Security Risk Analysis, execute BAAs with all PHI-handling vendors and/or customers, implement Security Rule safeguards, designate a Security Official, develop written security policies, and train employees. If you are a CE, also create and distribute an NPP to patients.