A 35-year-old patient has a telehealth appointment with their psychiatrist today. They discuss a diagnosis of bipolar disorder, medication adjustments, and recent suicidal ideation. The session is conducted over a HIPAA-compliant video platform, encrypted with TLS 1.3 and SRTP. By today's standards, the call is secure.
Now consider the timeline. That patient's mental health history will remain sensitive for their entire life — another 50 or more years. The encryption protecting the telehealth session uses elliptic-curve key exchange, which a quantum computer will break. Conservative estimates place cryptographically relevant quantum computers at 2035. Aggressive estimates say 2030. In either scenario, the encryption will fail while the patient is still alive, still employed, still subject to stigma and discrimination based on mental health status.
This is not a theoretical edge case. It is the central risk that makes healthcare data uniquely vulnerable to the quantum threat, and it is the reason telehealth platforms need post-quantum encryption today — not when quantum computers arrive, but now, while the encrypted traffic is being generated and potentially recorded.
Healthcare Data Is Different: The Lifetime Sensitivity Problem
Most categories of sensitive data have a natural expiration. A financial transaction settles. A merger closes or falls through. A contract expires. The sensitive period has a boundary, and even if the encryption is eventually broken, the intelligence value has diminished.
Healthcare data does not work this way. A patient's medical history is cumulative, permanent, and sensitive for their entire life. Consider the categories of PHI (Protected Health Information) exchanged in telehealth sessions:
PHI categories with lifetime sensitivity
Every one of these conversations happens over telehealth video calls. Every one is encrypted with classical algorithms that quantum computers will break. And every one will remain sensitive for decades after the encryption fails.
HIPAA's Encryption Requirements and the Quantum Gap
HIPAA's Security Rule (45 CFR Part 164) requires covered entities to implement technical safeguards to protect electronic PHI (ePHI). Section 164.312(a)(2)(iv) specifically addresses encryption as an "addressable" implementation specification — meaning covered entities must implement it unless they can document why an alternative measure provides equivalent protection.
In practice, encryption of PHI in transit is universally expected. HIPAA does not mandate specific algorithms, but the HHS Office for Civil Rights (OCR) has referenced NIST guidelines as the benchmark. Prior to 2024, NIST-recommended algorithms meant AES for symmetric encryption and RSA or ECDH for key exchange. Since NIST finalized FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA) in August 2024, the standard for "adequate encryption" has shifted.
HIPAA Section 164.306(a) requires covered entities to protect against "reasonably anticipated threats or hazards to the security or integrity of ePHI." The harvest-now-decrypt-later quantum threat is no longer speculative. The NSA publicly acknowledged it. NIST spent eight years developing standards to address it. Multiple nation-states are investing billions in quantum computing. The argument that quantum attacks are not "reasonably anticipated" is becoming untenable.
The regulatory trajectory is clear even if the timeline is uncertain. Healthcare organizations that adopt post-quantum encryption now are ahead of the compliance curve. Those that wait will face a scramble when OCR updates its guidance — and in the meantime, years of telehealth traffic will have been encrypted with breakable algorithms.
HIPAA sections relevant to quantum risk
Harvest-Now-Decrypt-Later: Healthcare Is Target Number One
Healthcare data is the most valuable data category on the black market. According to the 2025 IBM Cost of a Data Breach report, healthcare breaches have the highest average cost of any industry for the fifteenth consecutive year, at $10.93 million per incident. A single patient record sells for $250–$1,000 on dark web markets, compared to $5–$10 for a credit card number.
The harvest-now-decrypt-later threat amplifies this value by orders of magnitude. An adversary who records encrypted telehealth traffic today gains access to thousands or millions of patient records when quantum decryption becomes available — without ever needing to breach the healthcare organization's systems directly. The encrypted traffic flows over the public internet. Capturing it requires only network-level access, which is trivially available to nation-states and increasingly available to sophisticated criminal organizations.
The attack economics are compelling. Storage costs continue to decline. A terabyte of encrypted telehealth traffic can be stored for pennies per month. The decryption payoff — millions of patient records, each worth hundreds of dollars, plus the potential for targeted blackmail of high-profile patients — dwarfs the storage cost by many orders of magnitude. Rational adversaries are collecting this data now.
The Scale of the Exposure
Telehealth usage surged during the COVID-19 pandemic and has remained elevated. As of 2026, approximately 37% of U.S. adults have used telehealth in the past year. Mental health services account for the largest share of telehealth visits, followed by primary care and chronic disease management.
The numbers are staggering. An estimated 200 million telehealth visits occur annually in the United States alone. Each visit generates encrypted video and audio traffic that, if recorded, could be decrypted when quantum computers arrive. The most sensitive visits — psychiatry, substance abuse counseling, HIV treatment, genetic counseling — are disproportionately conducted via telehealth because patients prefer the privacy of a remote consultation.
Every one of those sessions is a discrete unit of encrypted traffic that can be captured, stored, and eventually decrypted. The aggregate exposure across the U.S. healthcare system is hundreds of petabytes of PHI, growing every day, protected by encryption that has a known expiration date.
V100: HIPAA Compliance Meets Post-Quantum Protection
V100 is the only video API that combines HIPAA-compliant telehealth infrastructure with production post-quantum encryption. This is not two separate products stitched together. The PQ encryption is built into the same video pipeline that handles HIPAA compliance requirements.
V100 HIPAA + PQ feature matrix
| Requirement | HIPAA Reference | V100 Implementation |
|---|---|---|
| Encryption in transit | 164.312(e)(1) | ML-KEM-768 + X25519 hybrid + AES-256-GCM |
| Integrity controls | 164.312(c)(1) | ML-DSA-65 signatures on all artifacts |
| Audit controls | 164.312(b) | Complete session logging with PQ-signed audit trail |
| Access controls | 164.312(a)(1) | Per-session authentication, role-based access |
| Automatic logoff | 164.312(a)(2)(iii) | Configurable session timeout, automatic disconnection |
| BAA availability | 164.308(b)(1) | Business Associate Agreement available |
End-to-end encryption with PQ key exchange: Every telehealth session uses ML-KEM-768 + X25519 hybrid key exchange. The video server (SFU) relays encrypted packets without the ability to decrypt them. PHI is protected end-to-end from the patient's device to the provider's device, using a session key that is quantum-safe.
PQ-signed recordings and transcripts: When recording is enabled (with patient consent), recordings and AI-generated transcripts are signed with ML-DSA-65. The signature proves the recording has not been tampered with, and the signature itself cannot be forged even by a quantum computer. For healthcare compliance audits that may span years or decades, this is a critical capability.
H33-74 attestation: Every V100 session generates an H33-74 substrate attestation — a 74-byte cryptographic proof that the session occurred, was properly encrypted, and was not tampered with. This attestation is anchored across three PQ algorithm families, providing an immutable audit record that satisfies the most stringent compliance requirements.
The Cost of Waiting
Every day that a healthcare organization conducts telehealth sessions with classical encryption is another day of PHI that may be captured and eventually decrypted. The cost compounds over time:
A mid-size health system conducting 500 telehealth sessions per day accumulates 182,500 sessions per year. Over five years of waiting for quantum computers to become a "real" threat, that is nearly one million sessions — each containing PHI that will remain sensitive for decades after the encryption fails. If any of that traffic was recorded by an adversary, the exposure is permanent and irrevocable. You cannot retroactively encrypt traffic with stronger algorithms.
The financial exposure is also significant. HIPAA penalties for willful neglect range from $50,000 to $1.5 million per violation category per year, with a maximum of $2.1 million per violation category. A breach affecting thousands of patient records from decrypted telehealth sessions would be a high-profile enforcement action. The OCR would certainly consider whether the organization used encryption that was known to be vulnerable to quantum attacks when stronger alternatives were available.
The reputational cost may be even larger. A healthcare system that loses patient records because it failed to adopt available quantum-safe encryption will face a level of scrutiny that no PR campaign can mitigate. The patients whose most intimate medical details were exposed will not care that quantum computers were not widely expected until 2035. They will care that their provider chose the cheaper, weaker encryption when a better option existed.
How to Start the Transition
Healthcare organizations do not need to overhaul their entire IT infrastructure to adopt post-quantum encryption for telehealth. V100 is a video API — it integrates into existing telehealth platforms, patient portals, and EHR systems via standard API calls. The PQ encryption is handled entirely by V100's infrastructure. No client-side PQ libraries are required.
Step 1: Inventory your telehealth traffic. Identify which video platform(s) your organization uses for telehealth. Determine what encryption algorithms they use for key exchange and digital signatures. If the answer is ECDH, RSA, or ECDSA, the traffic is vulnerable to quantum attacks.
Step 2: Assess your data sensitivity timeline. For mental health, HIV/AIDS, genetic testing, substance abuse, and reproductive health consultations, the sensitivity timeline is effectively permanent. These sessions should be the highest priority for PQ migration.
Step 3: Evaluate V100 for telehealth. The live demo shows the PQ-E2E encryption badge in action. The quantum security page provides the full cryptographic specification for your security and compliance team. Pricing includes PQ encryption at every tier — there is no premium add-on for quantum safety.
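An added example for Steps 1 and 2, not code from V100 or from the original article: it reads the key-exchange group a server selected in a TLS 1.3 ServerHello (sent in the clear, so visible in your own packet captures), classifies it as classical or hybrid post-quantum, and orders the vulnerable services so that lifetime-sensitive ones come first. The service names, the inventory and the handshake bytes are constructed for the demo; it covers the TLS 1.3 key exchange only, not signatures or the media-key handshake.

```python
import struct

# IANA TLS "Supported Groups" code points (classical vs. hybrid post-quantum).
CLASSICAL = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
HYBRID_PQ = {0x11EB: "SecP256r1MLKEM768", 0x11EC: "X25519MLKEM768",
             0x11ED: "SecP384r1MLKEM1024"}
KEY_SHARE = 0x0033  # TLS 1.3 key_share extension type

def server_hello_group(msg: bytes) -> int:
    """Return the named group the server selected in a TLS 1.3 ServerHello."""
    if len(msg) < 4 or msg[0] != 0x02:
        raise ValueError("not a ServerHello handshake message")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                          # legacy_version + random
    pos += 1 + body[pos] + 2 + 1          # session_id_echo, cipher_suite, compression
    (ext_total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        if ext_type == KEY_SHARE:         # KeyShareEntry starts with the group
            return struct.unpack_from("!H", body, pos + 4)[0]
        pos += 4 + ext_len
    raise ValueError("no key_share extension (not a TLS 1.3 handshake?)")

def classify(group: int) -> str:
    if group in HYBRID_PQ:
        return "hybrid-pq"
    return "quantum-vulnerable" if group in CLASSICAL else "unknown"

def build_sample(group: int, share_len: int) -> bytes:
    """Constructed ServerHello for the demo; key share bytes are zero filler."""
    exts = struct.pack("!HHH", 0x002B, 2, 0x0304)            # supported_versions
    exts += struct.pack("!HHHH", KEY_SHARE, 4 + share_len, group, share_len) + bytes(share_len)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00"
    body += struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed inventory: (service line, captured ServerHello); names are made up.
INVENTORY = [("psychiatry", build_sample(0x001D, 32)),
             ("dermatology", build_sample(0x0017, 65)),
             ("genetic-counseling", build_sample(0x11EC, 1120))]
LIFETIME = {"psychiatry", "genetic-counseling"}  # Step 2: permanent sensitivity

def migration_queue(inventory):
    """Quantum-vulnerable services, lifetime-sensitive ones first."""
    hits = [(s, classify(server_hello_group(m))) for s, m in inventory]
    vuln = [s for s, c in hits if c == "quantum-vulnerable"]
    return sorted(vuln, key=lambda s: (s not in LIFETIME, s))
```

A group reported as "unknown" means the code point is not in either table above and needs a manual check against the IANA registry before it is counted as safe.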
The window to protect your patients' data from quantum attacks is open now. Every telehealth session conducted with classical encryption is another session that will be decryptable in the post-quantum future. Your patients trust you with their most sensitive information. That trust deserves encryption that will last as long as the data is sensitive.
Protect patient data for a lifetime, not just today
V100 is the only telehealth video API with HIPAA compliance and post-quantum encryption. ML-KEM-768 key exchange, ML-DSA-65 artifact signing, end-to-end encryption, and BAA available. Start your free trial today.