The live video transmitted during telehealth sessions contains the likeness of the patient and therefore constitutes protected health information (PHI) under HIPAA. PHI must be safeguarded with encryption during transmission, and many other technical, administrative, and physical safeguards are required as well. The company that provides the telehealth technology should sign a HIPAA Business Associate Agreement (BAA) with the Covered Entity. The HIPAA Omnibus Rule, published in the Federal Register on January 25, 2013, makes business associates directly liable for violations of these requirements, as if they were covered entities themselves. A sample BAA has been published by the US Department of Health and Human Services (HHS).
According to the HIPAA Privacy Rule, "Covered entities that engage business associates to work on their behalf must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule." The Security Rule states that "covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities."
The HITECH amendment to HIPAA, in effect as of March 2013, lists "Health Information Organizations (HIO), E-Prescribing Gateways, and other persons that provide data transmission services with respect to protected health information to a covered entity and that require routine access to such protected health information; as well as vendors of Personal Health Records" as Business Associates.