HIPAA & Your Privacy in Telehealth

Your health information deserves strong protection, whether you see a provider in person or through telehealth. The Health Insurance Portability and Accountability Act (HIPAA) provides federal privacy protections that apply to your virtual healthcare. This guide explains how HIPAA protects you and what to look for in telehealth privacy practices.

What Is HIPAA?

HIPAA is a federal law enacted in 1996 that establishes national standards for protecting sensitive health information. It consists of several key rules:

• Privacy Rule: Establishes national standards for protecting individuals' medical records and personal health information
• Security Rule: Sets standards for protecting electronic health information (e-PHI)
• Breach Notification Rule: Requires covered entities to notify patients when their information is compromised
• Enforcement Rule: Contains provisions for compliance and penalties for violations

Who Must Comply with HIPAA?

HIPAA applies to "covered entities" and their "business associates":

Covered Entities

• Healthcare providers (doctors, therapists, psychiatrists, nurses, etc.)
• Health plans (insurance companies, HMOs, employer health plans)
• Healthcare clearinghouses (entities that process health information)

Business Associates

• Telehealth platform vendors
• IT companies that handle health data
• Billing services
• Cloud storage providers for health data

This means telehealth platforms like BetterHelp, Talkspace, Headway, and Teladoc must comply with HIPAA requirements.

Your Rights Under HIPAA

HIPAA gives you important rights regarding your health information:

Right to Access Your Records

• Request and receive copies of your health records
• Providers must respond within 30 days (extendable to 60 days)
• May request records in electronic format
• Reasonable fees may apply for copies

Right to Request Corrections

• Ask to amend inaccurate or incomplete information
• Provider must respond within 60 days
• If denied, you can add a statement of disagreement to your record

Right to Know Who Has Accessed Your Information

• Request an "accounting of disclosures" showing who received your information
• Covers disclosures made in the past six years
• Some exceptions apply (treatment, payment, healthcare operations)

Right to Request Restrictions

• Ask for limits on how your information is used or disclosed
• Providers don't have to agree to all requests
• Can request confidential communications (e.g., contact only by email)

Right to File Complaints

• File complaints with the provider/platform
• File complaints with the HHS Office for Civil Rights (OCR)
• Cannot be retaliated against for filing a complaint

How HIPAA Applies to Telehealth

HIPAA requirements apply equally to telehealth and in-person care:

Technical Safeguards

• Encryption: Video calls and messages must be encrypted during transmission
• Access controls: Only authorized users can access your information
• Audit controls: Systems must track who accesses what and when
• Automatic logoff: Sessions end after inactivity
• Transmission security: Protections against interception of communications

Administrative Safeguards

• Staff training on privacy and security
• Risk assessments and management
• Policies and procedures for handling health information
• Incident response plans for potential breaches

Physical Safeguards

• Secure data centers for stored information
• Workstation and device security
• Proper disposal of devices containing health information

HIPAA-Compliant Telehealth Platforms

Reputable telehealth platforms implement HIPAA compliance measures:

• BetterHelp – Uses encrypted video and messaging, HIPAA-compliant infrastructure
• Talkspace – Bank-grade encryption, SOC 2 certified, HIPAA compliant
• Headway – HIPAA-compliant platform connecting you with licensed providers
• Grow Therapy – Secure platform with HIPAA compliance
• Cerebral – HIPAA-compliant for psychiatry and therapy services
• Teladoc – Long-standing HIPAA compliance program

What's NOT Covered by HIPAA

Important: Not all health-related apps and services are covered by HIPAA:

• General wellness apps: Meditation apps, fitness trackers, sleep apps
• Consumer health apps: Apps you download directly (not through a healthcare provider)
• Educational resources: Health information websites and content
• Social media health groups: Online communities and forums

Apps like Calm, Headspace, and general wellness tools may not be bound by HIPAA. Review their privacy policies carefully.

Mental Health Records: Extra Protections

Mental health information often has enhanced privacy protections:

Psychotherapy Notes

Under HIPAA, "psychotherapy notes" have special protections:

• Separate from your general medical record
• Require specific authorization to release (with limited exceptions)
• Not included in standard record requests
• Not required for treatment, payment, or healthcare operations

Note: Not all therapy notes qualify as "psychotherapy notes" under HIPAA. The term has a specific legal definition.

Substance Abuse Records

Federal regulation 42 CFR Part 2 provides additional protections for substance abuse treatment records, requiring explicit consent for most disclosures.

Limits to Confidentiality

HIPAA allows (and sometimes requires) disclosure without your consent in certain situations:

• Imminent danger: Serious and imminent threat to health or safety
• Abuse or neglect: Reporting suspected child, elder, or dependent adult abuse
• Court orders: Valid court orders or subpoenas
• Law enforcement: Certain law enforcement purposes
• Public health: Required public health reporting
• Worker's compensation: Information needed for claims

Your provider should explain these limits during your first session.

Protecting Your Own Privacy

HIPAA protects your data in the healthcare system, but you also play a role in protecting your telehealth privacy:

During Telehealth Sessions

• Use a private space where you won't be overheard
• Wear headphones for audio privacy
• Position your screen so others can't see it
• Consider a white noise machine or app
• Lock doors if possible

Technical Security

• Use secure, private Wi-Fi (not public networks)
• Keep your devices updated with security patches
• Use strong, unique passwords
• Enable two-factor authentication
• Log out completely after sessions
• Be cautious about saving login credentials on shared devices

Communication Privacy

• Use the platform's secure messaging rather than regular email or text
• Be mindful of what you put in writing
• Set up notifications carefully to protect privacy

What to Do If You Think Your Privacy Was Violated

1. Document the issue: Write down what happened, when, and who was involved
2. Contact the provider/platform: Many issues can be resolved at this level
3. Request a breach determination: Ask if a breach occurred and what steps are being taken
4. File a complaint with HHS OCR: You can file online at hhs.gov/ocr/complaints
5. Contact your state: State attorneys general may also investigate
6. Consult an attorney: For serious violations with harm, legal consultation may be appropriate

Questions to Ask About Privacy

Before using a telehealth service:

• Is this platform HIPAA-compliant?
• How is my data encrypted during sessions and in storage?
• Who has access to my health information?
• Is any data shared with third parties? For what purposes?
• Are video sessions recorded? If so, how are recordings protected?
• How long is my data retained?
• How can I access, download, or delete my data?
• What happens to my data if I cancel my account?

Related Guides

• Telehealth Privacy, Security & Your Rights
• Telehealth Laws by State
• Using Telehealth Across State Lines
• Telehealth Technology Setup Guide
• How to Choose an Online Therapy Platform

Important Reminder