Telehealth Security for a Multi-Location Clinic
A behavioral health clinic with 4 locations needed a security review of their telehealth platform and patient portal before expanding virtual care services.
The Challenge
The clinic had rapidly adopted telehealth during COVID and continued expanding virtual appointments. They were using a third-party video platform integrated with their EHR, plus a patient portal for messaging and document sharing. No one had reviewed whether the telehealth stack met HIPAA requirements. Providers were occasionally using personal Zoom accounts for patient calls, and the patient portal had not been updated or penetration tested since deployment.
Our Approach
1. Mapped the complete telehealth data flow, from patient scheduling through video consultation to clinical notes, identifying every system that touches PHI.
2. Reviewed the third-party telehealth platform's BAA, security certifications, and encryption standards against HIPAA Security Rule requirements.
3. Identified that 3 providers were using non-compliant personal Zoom accounts without BAAs, encryption, or audit logging.
4. Assessed the patient portal for vulnerabilities, finding an outdated TLS configuration, missing session timeouts, and inadequate access controls on document uploads.
5. Conducted a focused HIPAA SRA covering the telehealth-specific risks, including remote patient monitoring devices used by 40+ patients.
6. Delivered a prioritized remediation roadmap with quick wins (Zoom migration, TLS update) and longer-term items (portal penetration test, device management policy).
Results
- 14 compliance issues found
- 3 providers migrated to a compliant platform
- 40+ patients on secure monitoring
- 3 weeks to complete
“We had no idea our providers were using personal Zoom accounts for patient calls. CitrusCS found the gaps we didn't know existed and gave us a clear plan to fix them without disrupting patient care.”
— Healthcare Client