Healthcare IT / Compliance
Secure Telehealth IT for Los Angeles Providers: Staying Compliant Beyond the Video Call
Your practice signed a BAA with Doxy.me, locked down Zoom for Healthcare, and briefed staff on screen-sharing rules — and your last OCR audit still flagged four findings, none about the video call itself. That gap has a specific cause: HIPAA compliant IT services cover an infrastructure layer that every major telehealth platform explicitly disclaims in its own BAA.
In This Article
- The Platform Disclaimer Most LA Practices Never Read
- The Five IT Layers That Live Outside Your Video Platform
- Why Los Angeles Practices Face a Compounded Risk
- What a Full-Stack Telehealth IT Audit Actually Looks Like
- Frequently Asked Questions
- Your Video Platform Has a BAA. Does Your IT Infrastructure Have a Compliance Plan?
The Platform Disclaimer Most LA Practices Never Read
Every major HIPAA-compliant telehealth platform — Doxy.me, Zoom for Healthcare, and Teladoc — publishes a BAA limiting its liability to the encrypted video stream between endpoints. The device, network, cloud storage, and audit log environment around that call are explicitly the covered entity's responsibility.
What the BAA Actually Covers vs. What OCR Audits
| Layer | Covered by Platform BAA? | OCR Audits This? |
|---|---|---|
| Encrypted video transmission | Yes | Yes |
| Provider endpoint (laptop, tablet) | No — covered entity's responsibility | Yes |
| Office or clinic network | No — covered entity's responsibility | Yes |
| Cloud file storage (recordings, notes) | No — covered entity's responsibility | Yes |
| Access logs and user permissions | No — covered entity's responsibility | Yes |
| Backup and recovery | No — covered entity's responsibility | Yes |
Most LA practices treat a signed BAA as a compliance certificate. OCR does not. Auditors pull device inventories, network topology diagrams, cloud storage policies, and access logs — none of which Doxy.me or Zoom for Healthcare has any visibility into or obligation to manage.
The Five IT Layers That Live Outside Your Video Platform
HIPAA Technical Safeguards under §164.312 govern five infrastructure controls that telehealth platforms disclaim entirely. Each requires active management by the covered entity and is a documented finding category in OCR audits.
- Endpoint encryption and patch management (§164.312(a)(2)(iv) and §164.312(e)(2)(ii)): Every device used for telehealth must have full-disk encryption and OS/application patches applied on a documented schedule. An unpatched provider laptop is an open finding regardless of which video platform sits on it.
- Network segmentation (§164.312(e)(1)): Patient traffic must be isolated on a separate VLAN or segment. A flat network where a telehealth session shares routing with personal browsing is a transmission security failure under §164.312(e)(1).
- HIPAA-compliant cloud storage (§164.312(a)(1) and §164.312(c)(1)): Session recordings, intake forms, and clinical notes saved to personal Google Drive or a non-BAA Dropbox are unauthorized disclosures. HIPAA compliant cloud storage requires a signed BAA and role-based access controls — not a shared folder link.
- Identity and access management with MFA (§164.312(d)): MFA must be enforced on every system touching ePHI. Role-based permissions must restrict access — a front-desk scheduler cannot view clinical notes. §164.312(d) requires unique user identification and emergency access procedures.
- Immutable, geographically redundant backup with tested restore (§164.312(c)(1) and §164.308(a)(7)): HIPAA requires ePHI to be recoverable after disaster or ransomware. Immutable backup and tested recovery — backup data that cannot be altered by ransomware, with documented restore tests — satisfies §164.312(c)(1) and the Contingency Plan standard at §164.308(a)(7).
Practices that need ongoing management of all five layers benefit from IT compliance services in Los Angeles that map controls directly to the §164.312 Technical Safeguards framework.
Why Los Angeles Practices Face a Compounded Risk
Los Angeles group practices carry three risk amplifiers uncommon in smaller markets: a high concentration of multi-location endpoints, broad patient-facing attack surface from Covered California and Medi-Cal portals, and California-specific privacy obligations under CMIA that exceed federal HIPAA minimums.
The California Medical Information Act (CMIA) Layer
CMIA imposes stricter confidentiality and breach notification requirements than federal HIPAA and gives patients a private right of action for unauthorized disclosures — meaning a breach OCR might resolve with a corrective action plan can simultaneously expose a Los Angeles practice to civil litigation.
Three LA-Specific Risk Amplifiers
- Multi-location endpoint sprawl: LA's dense concentration of multi-site group practices in Santa Monica, Pasadena, Culver City, and Beverly Hills means more unmanaged devices and Wi-Fi networks that may not meet §164.312(e)(1) segmentation requirements.
- Covered California and Medi-Cal portal exposure: High-volume billing relationships with these programs extend the attack surface beyond the clinic's network — each portal integration requires its own BAA review and access log configuration.
- Personal device use across multilingual patient populations: LA patients frequently connect via personal Android and iOS devices the practice cannot enforce MDM policies on. The practice must compensate at the network and application access layer — a control gap the cybersecurity controls for your telehealth environment must explicitly document.
What a Full-Stack Telehealth IT Audit Actually Looks Like
A telehealth IT audit is a technical review of every layer OCR would examine — not a vendor questionnaire. Vitalpoints' audit produces documented findings against §164.312 Technical Safeguards, not a generic compliance checklist.
Vitalpoints Telehealth Audit Scope
- Device inventory and encryption verification: Every telehealth endpoint is catalogued, encryption confirmed, and patch currency documented against a defined patching policy.
- Network traffic analysis: Patient traffic segmentation and wireless environment are reviewed against §164.312(e)(1) transmission security requirements.
- Cloud storage policy review: Every cloud service touching ePHI — file sharing, recordings, intake forms — is reviewed for a current BAA and role-based access controls.
- Access log configuration: Audit log settings are verified on the EHR, video platform, and cloud storage against the HIPAA six-year documentation standard.
- BAA gap analysis: Every vendor with access to ePHI is reviewed to confirm a current, signed BAA is on file.
Practices with an existing EHR administrator or part-time IT resource don't need a fully outsourced arrangement. Vitalpoints' co-managed IT model layers HIPAA compliance depth onto existing internal capability. For practices seeking medical IT support built for LA practices, Vitalpoints structures engagements around CMIA, Medi-Cal portal requirements, and multi-site endpoint management.
Frequently Asked Questions
Does signing a BAA with my telehealth platform mean I'm fully HIPAA compliant?
No. A BAA with Doxy.me, Zoom for Healthcare, or Teladoc covers only the encrypted video transmission. The covered entity remains solely responsible for endpoint security, network configuration, cloud storage, access controls, and backup — all of which OCR audits independently of the platform BAA.
Are telehealth session recordings covered under HIPAA, and how long must I keep them?
Yes. Session recordings containing patient health information are ePHI and must be stored on a HIPAA-compliant cloud platform with a signed BAA. HIPAA requires covered entities to retain compliance documentation and ePHI-related records for six years from creation or last effective date.
What are the HIPAA requirements for patients connecting from personal devices?
HIPAA does not require covered entities to manage patient-owned devices. The covered entity must compensate at the application and network access layer — ensuring the provider-side environment, access controls, and session configuration meet §164.312 Technical Safeguard requirements regardless of what device the patient uses.
Does California have stricter telehealth privacy laws than HIPAA?
Yes. The California Medical Information Act (CMIA) imposes stricter confidentiality and breach notification requirements than federal HIPAA and gives patients a private right of action for unauthorized disclosures. Los Angeles practices must comply with both simultaneously — HIPAA compliance alone is not sufficient under California law.
What IT infrastructure do I need for HIPAA-compliant telehealth?
HIPAA-compliant telehealth requires endpoint encryption, documented patch management, network segmentation isolating patient traffic, BAA-backed cloud storage, multi-factor authentication with role-based access permissions, and immutable geographically redundant backup with tested restore — each mapped to specific §164.312 Technical Safeguard requirements.
What is the difference between a HIPAA-compliant telehealth platform and HIPAA-compliant IT?
A HIPAA-compliant telehealth platform secures the video stream and accepts BAA liability for that transmission only. HIPAA-compliant IT manages the surrounding infrastructure — devices, networks, cloud storage, access logs, and backup — which the platform BAA explicitly excludes and which represents the majority of what OCR examines in an audit.
How often should a telehealth practice conduct a HIPAA risk assessment?
HIPAA requires a risk analysis whenever there is a change to the environment — adding a telehealth platform, onboarding a new vendor, or opening a new location. At minimum, conduct a full risk assessment annually and document it to satisfy both OCR audit requirements and CMIA obligations in California.
Your Video Platform Has a BAA. Does Your IT Infrastructure Have a Compliance Plan?
Book a free telehealth IT compliance review with Vitalpoints — we'll map every layer of your LA practice's environment against HIPAA Technical Safeguards and show you exactly where the gaps are.
Book Your Free Compliance Review