
Session Recording and ‘Convenience’ Features That Quietly Create PHI Sprawl

How telehealth recordings, AI transcripts, and chat logs become unmanaged PHI — and a data handling standard to fix it

Jim Venuto | January 2026 | ~10 min read
NIST CSF 2.0 → PROTECT → PR.DS: Data Security + GOVERN → GV.PO: Policy

This post is part of the Telehealth & Healthcare Security Series. It builds on the foundational concepts in Why HIPAA Compliance Isn’t Enough: A NIST CSF 2.0 Guide for Telehealth, The Compliance Trap, and Identity Is the Perimeter — and focuses on the data security controls that telehealth convenience features demand.


The provider turned on “auto-record” for documentation purposes. Twelve months later, the practice had 14,000 telehealth recordings sitting in a cloud folder that three former employees still had access to.

Nobody had set a retention policy. Nobody had reviewed access. Nobody knew the recordings existed until the breach investigator found them. Fourteen thousand sessions — each containing patient names, diagnoses, treatment discussions, medication adjustments, and mental health disclosures — stored in a vendor’s cloud environment with no encryption at rest, no access controls beyond the original share link, and no expiration date.

The recording feature was enabled with a single click. The breach notification letters went out to 8,200 patients. The OCR investigation that followed asked a question the practice couldn’t answer: “What is your data retention and disposal policy for telehealth session recordings?”

They didn’t have one. Most practices don’t.

The PHI You Didn’t Know You Had

  1. Session recordings (audio + video) — Full visit captured including patient disclosures, provider assessments, and treatment planning
  2. AI-generated visit transcripts — Ambient scribes and auto-transcription create searchable text PHI from spoken conversation
  3. Chat messages during sessions — Medication names, symptom descriptions, scheduling details exchanged in real-time text
  4. File transfers (lab results, images) — Documents shared during visits stored in platform-managed locations
  5. Screen share recordings — Captured views of lab results, imaging, or EHR screens shared with patients
  6. Waiting room messages — Pre-visit communications including reason-for-visit and symptom descriptions
  7. Post-visit AI summaries — Auto-generated visit summaries containing diagnoses, treatment plans, and follow-up instructions
  8. Patient-uploaded documents — Insurance cards, medication lists, prior records shared through the platform
  9. Voicemail transcriptions — Telehealth callback messages transcribed by AI with patient names and clinical details

  • 14,000 telehealth recordings accumulated annually by a typical 10-provider practice
  • 23% of practices have a retention policy for telehealth recordings
  • 340 days: average time a telehealth recording remains accessible after it’s no longer clinically relevant

How Convenience Features Create PHI Sprawl

The pattern is consistent across every practice that has adopted telehealth convenience features. A vendor enables a feature by default — or a well-meaning staff member turns it on because it’s helpful. PHI is created and stored. Nobody classifies it. Nobody governs it. Nobody sets a retention period. The data accumulates indefinitely, access expands as staff members are added but never removed, and the sprawl continues until something breaks — usually a breach, a patient complaint, or a regulatory inquiry.

The problem isn’t that these features exist. They often serve legitimate clinical purposes. The problem is that nobody is treating the output as what it is: protected health information that requires the same governance as any other PHI in your environment.

Auto-Recording

The appeal: Automatic session recording supports clinical documentation, quality assurance, and training. Providers can review visits to complete notes accurately. It reduces documentation burden and improves care quality.

The risk: Every recording is a high-fidelity PHI repository. A single 30-minute telehealth session captures patient identity, diagnoses, treatment discussion, mental health disclosures, medication history, and provider recommendations — all in searchable audio/video format. When auto-recording is enabled without a corresponding retention policy, access control, and disposal process, you’re creating the richest possible PHI artifact and leaving it unmanaged.

AI Transcription

The appeal: Ambient scribes and auto-transcription convert spoken conversation into structured clinical notes, reducing provider documentation time by 50–70%. The efficiency gains are real and meaningful for provider burnout.

The risk: AI transcription creates text PHI from audio PHI — often stored in a separate system from the recording itself. Now you have the same clinical content in two formats, in two locations, with potentially different access controls and retention policies. The transcript may live in the AI vendor’s cloud, the telehealth platform, and the EHR — three copies of the same PHI, each with different governance.

Chat and Messaging

The appeal: In-session chat allows providers and patients to share information that’s easier to type than speak — medication names, dosages, specialist referral details, scheduling preferences. It’s a natural complement to video communication.

The risk: Chat logs contain PHI (medication names, symptoms, appointment details, insurance information) and are typically retained indefinitely by the telehealth platform. Most practices never review chat retention settings, never export chat data to the medical record, and never purge historical chat logs. The result is an ever-growing repository of PHI that exists outside the EHR, outside the practice’s data governance, and often outside anyone’s awareness.

File Transfers

The appeal: Patients can share lab results, medication lists, insurance cards, and images directly during a telehealth session. Providers can share educational materials, referral forms, and treatment instructions. It eliminates the need for separate fax or email exchanges.

The risk: Where do those files go? In most telehealth platforms, transferred files are stored in platform-managed cloud storage that the practice doesn’t control, doesn’t monitor, and may not even know exists. Lab results shared during a visit may sit in the vendor’s file storage indefinitely — separate from the EHR, separate from the practice’s backup and retention processes, and accessible to anyone with platform-level access.

Data Classification for Telehealth Artifacts

The core problem is simple: unclassified data can’t be governed. If you haven’t defined what each type of telehealth data is, how sensitive it is, and what controls apply to it, then every artifact gets the same treatment — which in practice means no treatment at all.

Data classification is the bridge between “we’re HIPAA compliant” and “we actually know where our data is and who can access it.” It doesn’t require a six-figure consulting engagement. It requires a decision about how to treat each data type — and the discipline to enforce it.

Unclassified (Current State)
  • All telehealth data treated the same
  • No retention rules for any data type
  • No access tiers — everyone sees everything
  • Stored wherever the vendor puts it
  • Retained indefinitely by default
  • Disposal? What disposal?

Classified (Target State)
  • Each data type has a defined sensitivity level
  • Retention period aligned to clinical and legal requirements
  • Access restricted by role and need-to-know
  • Storage location known and secured
  • Disposal procedures documented and automated
  • Regular audits verify compliance

Every telehealth session generates data. The question isn’t whether it’s PHI — it is. The question is whether anyone is managing it.

Consent Alignment

Recording consent is not a simple checkbox. It varies by state, by context, and by the specific data type being created. A patient who consented to a “telehealth visit” may not have consented to a permanent cloud-stored recording of that visit. A patient who agreed to “session notes” may not have agreed to AI-generated transcription of their spoken words. The gap between what the consent form covers and what the technology actually does is a legal and regulatory exposure that most practices haven’t examined.

Review your current telehealth consent form against what your platform actually does. Does it specifically address:

If your consent form says “telehealth visit” but your platform creates recordings, transcripts, chat logs, and AI summaries, there is a gap between consent and practice. That gap is where regulatory risk lives — especially as state privacy laws continue to evolve beyond HIPAA’s baseline requirements.

Telehealth Data Handling Standard

This is the one-page artifact that most practices are missing. It doesn’t require new technology. It doesn’t require new staff. It requires a set of decisions about how each telehealth data type will be handled — and the operational discipline to enforce those decisions. Print it, post it, and make it part of your telehealth platform configuration.

| Data Type | Sensitivity | Retention Period | Storage Location | Access Allowed | Encryption | Disposal Method |
|---|---|---|---|---|---|---|
| Session recordings | High | 7 years or per state law | Encrypted cloud (vendor) | Treating provider + compliance | AES-256 at rest, TLS in transit | Automated deletion at retention expiry |
| AI transcripts | High | Same as clinical notes | EHR (attached to visit) | Treating provider | EHR encryption | Per EHR retention policy |
| Chat/messaging logs | Medium | 3 years | Telehealth platform | Treating provider + admin | Platform encryption | Vendor deletion + verification |
| File transfers | High | Per document type | EHR or secure storage | Treating provider | AES-256 | Secure deletion |
| Screen share recordings | High | 90 days unless clinical need | Encrypted cloud | Treating provider only | AES-256 | Auto-delete at 90 days |
| Waiting room messages | Low | 30 days | Platform cache | Admin staff | Platform encryption | Auto-purge |
| Post-visit AI summaries | High | Same as clinical notes | EHR | Treating provider | EHR encryption | Per EHR policy |

Implementation note: This table is a starting point. Your practice should adjust retention periods based on state-specific medical record retention laws, your malpractice insurance requirements, and any specialty-specific regulations (e.g., behavioral health records may have different retention requirements in your jurisdiction). The critical step is having a documented standard at all — most practices have none.
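The classification section above says a standard is only useful if it is enforced, and the table gives the decisions to enforce. The following script is an added example, not code from the original post or from any telehealth vendor: it encodes the handling standard as data (the `STANDARD` dictionary, with the table’s sensitivity levels, retention periods, storage locations and allowed roles) and runs an audit over a constructed inventory of artifacts and a constructed user roster. It flags artifacts past their retention period, artifacts stored somewhere other than where the standard says, access held by inactive accounts or by roles the standard does not allow, and artifact types the standard never classified. The `Artifact`, `User` and `review` names, the role names, and the assumption that “same as clinical notes” and “per document type” resolve to a 7-year period are all illustrative choices made for this example.

```python
"""
Added example (not part of the original post): audit a telehealth artifact
inventory against the Telehealth Data Handling Standard table.
Inventory, roster and role names are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumption for this example: "same as clinical notes" / "per document type"
# resolve to the 7-year clinical-note retention period.
CLINICAL_NOTE_DAYS = 7 * 365

# data type -> (sensitivity, retention_days, storage_location, allowed_roles),
# following the table row by row.
STANDARD = {
    "session_recording":    ("High",   CLINICAL_NOTE_DAYS, "encrypted_cloud",     {"treating_provider", "compliance"}),
    "ai_transcript":        ("High",   CLINICAL_NOTE_DAYS, "ehr",                 {"treating_provider"}),
    "chat_log":             ("Medium", 3 * 365,            "telehealth_platform", {"treating_provider", "admin"}),
    "file_transfer":        ("High",   CLINICAL_NOTE_DAYS, "ehr",                 {"treating_provider"}),
    "screen_share":         ("High",   90,                 "encrypted_cloud",     {"treating_provider"}),
    "waiting_room_message": ("Low",    30,                 "platform_cache",      {"admin"}),
    "ai_summary":           ("High",   CLINICAL_NOTE_DAYS, "ehr",                 {"treating_provider"}),
}


@dataclass
class Artifact:
    artifact_id: str
    data_type: str
    created: date
    storage: str          # where the platform actually keeps it
    grants: list          # user ids holding access
    clinical_hold: bool = False   # "unless clinical need" exception


@dataclass
class User:
    user_id: str
    role: str
    active: bool          # False for former employees


def review(artifacts, users, today):
    """Return (artifact_id, finding) pairs; an empty list means compliant."""
    roster = {u.user_id: u for u in users}
    findings = []
    for a in artifacts:
        if a.data_type not in STANDARD:
            findings.append((a.artifact_id, f"unclassified data type: {a.data_type}"))
            continue
        _sensitivity, keep_days, location, allowed_roles = STANDARD[a.data_type]
        expiry = a.created + timedelta(days=keep_days)
        if today > expiry and not a.clinical_hold:
            findings.append((a.artifact_id, f"past retention (expired {expiry.isoformat()}): dispose"))
        if a.storage != location:
            findings.append((a.artifact_id, f"stored in {a.storage}, standard requires {location}"))
        for uid in a.grants:
            user = roster.get(uid)
            if user is None or not user.active:
                findings.append((a.artifact_id, f"access held by inactive or unknown account {uid}"))
            elif user.role not in allowed_roles:
                findings.append((a.artifact_id, f"access held by role {user.role} not allowed for {a.data_type}"))
    return findings


# Constructed sample data (hypothetical practice, hypothetical accounts).
TODAY = date(2026, 1, 15)
USERS = [
    User("dr_lee", "treating_provider", True),
    User("j_smith", "admin", False),        # former employee, still in share list
    User("m_chen", "billing", True),
    User("compliance1", "compliance", True),
]
ARTIFACTS = [
    Artifact("rec-001", "session_recording", date(2025, 6, 1), "encrypted_cloud", ["dr_lee", "j_smith"]),
    Artifact("ss-002", "screen_share", date(2025, 9, 1), "encrypted_cloud", ["dr_lee"]),
    Artifact("chat-003", "chat_log", date(2025, 12, 1), "telehealth_platform", ["dr_lee", "m_chen"]),
    Artifact("file-004", "file_transfer", date(2025, 12, 10), "telehealth_platform", ["dr_lee"]),
    Artifact("sum-006", "ai_summary", date(2026, 1, 10), "ehr", ["dr_lee"]),
    Artifact("ss-007", "screen_share", date(2025, 9, 1), "encrypted_cloud", ["dr_lee"], clinical_hold=True),
    Artifact("vm-008", "voicemail_transcription", date(2026, 1, 2), "vendor_cloud", ["dr_lee"]),
]


def run_review():
    """Audit the constructed inventory as of TODAY."""
    return review(ARTIFACTS, USERS, TODAY)


if __name__ == "__main__":
    for artifact_id, finding in run_review():
        print(f"{artifact_id}: {finding}")
```

Two details are worth copying into a real audit: the screen-share row’s “unless clinical need” exception is modelled as an explicit `clinical_hold` flag rather than by quietly extending the period, so every exception is visible in the inventory; and an artifact type the standard never classified (voicemail transcriptions appear in the artifact list above but not in the table) is reported as its own finding, because unclassified data is exactly the data nobody is governing.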

Telehealth Data Security Self-Assessment

Do you know where your telehealth session recordings are stored right now?

Is there a retention policy for telehealth recordings, chat logs, and AI transcripts?

Who can access telehealth recordings — and does that include former employees?

Does your patient consent form specifically address session recording and AI transcription?

If a patient asked you to delete their telehealth recording, could you do it?

Have you classified your telehealth data types by sensitivity and assigned appropriate controls?

If you hesitated on any of these, your telehealth data is generating PHI sprawl right now — and nobody is governing it.

References

Venuto, J. (2026, February). Why HIPAA compliance isn’t enough: A NIST CSF 2.0 guide for telehealth. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/telehealth_nist_csf_hipaa_guide.html

Venuto, J. (2026, February). The compliance trap: Why “HIPAA compliant” medical groups still get hacked. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/hipaa_compliance_trap.html

Venuto, J. (2026, March). Identity is the perimeter: Telehealth access control that actually holds. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/protect/pr-aa/telehealth_identity_access_control.html

National Institute of Standards and Technology. (2024). Cybersecurity framework 2.0. https://www.nist.gov/cyberframework

U.S. Department of Health and Human Services. (2024). HIPAA security rule. https://www.hhs.gov/hipaa/for-professionals/security/index.html


Hudson Valley CISO

A Division of Security Medic Consulting

www.hudsonvalleyciso.com
