Block 2. HIPAA and the Compliance Layer

1

HIPAA in Plain English for Product Teams

HIPAA compliant app development in plain English: the three rules, what counts as PHI, covered entity vs business associate, and the penalties for 2026.

2

The 2026 HIPAA Security Rule Update — What Changed and What It Means for Video

The 2026 HIPAA Security Rule update explained: mandatory encryption, MFA, asset inventories, annual audits — what each means for telemedicine video.

3

Business Associate Agreements (BAA): The Contract That Makes or Breaks Your Stack

What a HIPAA business associate agreement covers, who needs one, the clauses 45 CFR 164.504(e) requires, and the BAA gaps that sink telemedicine builds.

4

Encryption for Telemedicine: In Transit, at Rest, End-to-End

HIPAA encryption requirements for telemedicine: in transit, at rest, end-to-end — DTLS-SRTP, TLS, NIST standards, key custody, and the breach safe harbor.

5

Audit Logging and Access Controls for Clinical Video

HIPAA audit logging requirements for clinical video: 45 CFR §164.312(b), which events to log, RBAC and minimum necessary, immutable trails, retention.

6

Patient Consent, Recording, and Data Retention

Patient consent recording telehealth rules in plain English: the four consents, all-party recording laws, retention clocks, and the right of access.

7

De-Identification, Secondary Use, and Analytics on Health Data

De-identification under HIPAA explained: Safe Harbor vs Expert Determination, limited data sets, and a compliant analytics pipeline for telehealth.

8

Beyond HIPAA: GDPR, PIPEDA, and Global Health-Data Law

GDPR health data rules for telemedicine, plus PIPEDA, UK GDPR, and data residency: lawful bases, DPAs vs BAAs, breach clocks, one global architecture.

9

State and Specialty Rules: Telehealth Licensing, Prescribing, Mental Health

State telehealth licensing, the Ryan Haight Act and DEA prescribing rules through 2026, and 42 CFR Part 2 — translated into product requirements.

10

The Compliance Architecture Pattern: How to Wrap a Video Stack in HIPAA

The HIPAA compliant architecture pattern: PHI boundary, BAA-covered components, encryption on every hop, segmentation, and audit — with a one-page PDF.

11

Common HIPAA Mistakes in Telemedicine Builds

Ten HIPAA mistakes that sink telemedicine builds — PHI in URLs and logs, analytics SDKs, un-BAA'd buckets, push notifications — and the fix for each one.

12

The HIPAA Readiness Checklist and Audit-Prep Guide

The ordered HIPAA readiness checklist for telemedicine teams — risk analysis, BAAs, training, incident drills — and how to answer an OCR audit letter.