COVID-19 Telehealth Privacy: Rules, Risks, and How to Stay Secure



Kevin Henry

Data Privacy

May 06, 2026

7 minutes read

Telehealth Privacy and Security Risks

Where privacy breaks down

  • Insecure video platforms or weak configurations can expose Protected Health Information (PHI) to unauthorized viewers.
  • Unmanaged devices (personal laptops or smartphones) may store unencrypted visit notes, images, or recordings.
  • Third‑party tracking technologies embedded in apps or portals can leak identifiers or visit context.
  • Misdirected messages, screen shares, or file transfers can disclose PHI to the wrong recipient.
  • Home environments introduce bystanders, smart speakers, and ambient audio that reduce confidentiality.
  • Phishing, ransomware, and supply‑chain compromises target telehealth vendors and integrations.

Operational and compliance pitfalls

  • Over‑collection of data without clear purpose conflicts with Telehealth Privacy Policies and the minimum‑necessary standard.
  • Inadequate role‑based access, audit logging, or retention controls increase breach likelihood.
  • Poor vendor management leaves Business Associate gaps and unclear incident responsibilities.

Make risk visible

Start with a Telehealth Risk Analysis that maps data flows end‑to‑end: patient device, network, video platform, EHR, cloud storage, and analytics. Identify threats, rank impact and likelihood, and select controls that reduce residual risk to an acceptable level.

HIPAA Compliance in Telehealth

Core rules to operationalize

Business Associates and platforms

Use vendors that sign Business Associate Agreements, support access controls and audit trails, and offer configurable privacy settings. Validate data locations, subcontractors, and incident response obligations before go‑live.

Patient Authentication Protocols

  • Verify identity at each visit using at least two elements, and make at least one of them something the patient possesses or controls (for example, a one‑time code sent to a verified phone number in addition to a knowledge check such as date of birth; date of birth on its own is easily discoverable and is not a secret).
  • Bind visit links to the authenticated patient account rather than treating possession of the link as proof of identity; make links single‑use and expire them quickly so a forwarded or leaked link cannot be reused.
  • Require strong passwords, protect session tokens (Secure, HttpOnly cookies sent only over TLS), and auto‑logoff after a defined period of inactivity.
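As an added example (not code from the article or from any telehealth vendor), the following Python shows how the link‑binding, expiry, single‑use and idle‑timeout rules above fit together. The signing key, the identifiers and the in‑memory stores are constructed for the demo; a real deployment keeps the key in a secrets manager and persists the consumed‑link and session state.

```python
"""Single-use, time-limited telehealth visit links bound to a patient account.

Added example, not code from the article or any telehealth vendor. The
signing key and in-memory stores are constructed for the demo; a real
deployment keeps the key in a secrets manager / KMS and persists the
consumed-nonce and session state.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

SIGNING_KEY = b"demo-only-signing-key-replace-me"  # constructed; never hard-code in production
LINK_TTL_SECONDS = 15 * 60        # visit links expire 15 minutes after issue
IDLE_TIMEOUT_SECONDS = 10 * 60    # auto-logoff after 10 minutes without activity

_consumed_nonces = set()          # nonces already redeemed; blocks link reuse


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(body: str) -> str:
    return _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())


def issue_visit_link(patient_id: str, visit_id: str, now: Optional[float] = None) -> str:
    """Mint a signed token naming the patient, the visit, an expiry and a fresh nonce."""
    now = time.time() if now is None else now
    claims = {
        "sub": patient_id,                   # bound to the patient account, not to whoever holds the link
        "visit": visit_id,
        "exp": int(now) + LINK_TTL_SECONDS,
        "nonce": secrets.token_urlsafe(16),  # unique per link so redemption can be recorded
    }
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return f"{body}.{_sign(body)}"


def redeem_visit_link(token: str, authenticated_patient_id: str, now: Optional[float] = None):
    """Validate a link presented by an already-authenticated patient.

    Returns (claims, "ok") on success or (None, reason) on failure. The nonce is
    consumed only when every check passes, so a rejected attempt cannot burn it.
    """
    now = time.time() if now is None else now
    if token.count(".") != 1:
        return None, "malformed"
    body, sig = token.split(".")
    if not hmac.compare_digest(sig, _sign(body)):   # constant-time compare before trusting the body
        return None, "bad signature"
    try:
        claims = json.loads(_unb64(body))
    except ValueError:
        return None, "malformed"
    if now > claims["exp"]:
        return None, "expired"
    if claims["sub"] != authenticated_patient_id:
        return None, "wrong patient"
    if claims["nonce"] in _consumed_nonces:
        return None, "already used"
    _consumed_nonces.add(claims["nonce"])
    return claims, "ok"


class Session:
    """Server-side session with an idle timeout; every request must call touch()."""

    def __init__(self, patient_id: str, now: float):
        self.patient_id = patient_id
        self.last_seen = now
        self.active = True

    def touch(self, now: float) -> bool:
        """Refresh the idle timer, or end the session if the patient was idle too long."""
        if not self.active or now - self.last_seen > IDLE_TIMEOUT_SECONDS:
            self.active = False
            return False
        self.last_seen = now
        return True


if __name__ == "__main__":
    t0 = time.time()
    link = issue_visit_link("patient-42", "visit-7", now=t0)
    print(redeem_visit_link(link, "patient-42", now=t0 + 30))   # (claims, 'ok')
    print(redeem_visit_link(link, "patient-42", now=t0 + 31))   # (None, 'already used')
```

The signature is checked before the body is decoded, so a tampered link never reaches the JSON parser, and the nonce is recorded only after the patient binding and expiry checks pass, which stops a wrong‑patient or expired attempt from invalidating a legitimate link.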

Health Data Encryption

  • Encrypt in transit with modern TLS (TLS 1.2 or later, with legacy protocol versions and weak cipher suites disabled); prefer video solutions that support end‑to‑end encryption so that the vendor itself cannot view session content.
  • Encrypt at rest (including mobile device storage), manage keys securely and separately from the data they protect, and restrict exports or local caching.
  • Harden endpoints with device encryption, patching, and remote‑wipe capabilities for lost or stolen hardware.

Documentation and training

Keep Telehealth Privacy Policies, procedures, risk analyses, and training records current. Train clinicians and support staff on secure screen sharing, file transfers, and handling of images or recordings that contain PHI.

Temporary HIPAA Enforcement Discretion

What it allowed

During the COVID‑19 emergency, the HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion (March 2020) under which it would not impose penalties for good‑faith telehealth delivered through common, non‑public‑facing communication tools, even where those tools did not fully meet HIPAA requirements. The goal was to preserve patient access when rapid deployment was essential.


Boundaries that still applied

  • Safeguard PHI to the extent feasible, prefer privacy‑preserving settings, and inform patients of residual risks.
  • Avoid public‑facing platforms (OCR named livestreaming services such as Facebook Live, Twitch and TikTok as public‑facing) and disable unnecessary tracking or recording features.
  • Follow state privacy and security obligations and standard professional ethics.

Expiration of Enforcement Discretion

Return to standard enforcement

The temporary policy ended with the COVID‑19 public health emergency on May 11, 2023; OCR allowed a 90‑day transition period that ran through August 9, 2023, after which standard HIPAA enforcement applies to telehealth again. Covered entities and Business Associates must use HIPAA‑compliant platforms, execute Business Associate Agreements, and meet Security Rule safeguards across all telehealth workflows.

What to do now

  • Reassess vendors, ensure BAAs are active, and verify encryption, access, and logging controls.
  • Repeat your Telehealth Risk Analysis, update policies and patient notices, and remove non‑compliant tools.
  • Audit analytics and advertising trackers in websites, patient portals and apps (scripts, pixels, SDKs and session‑replay tools); remove any that run on authenticated pages or can observe PHI such as appointment context or visit reasons.
  • Retrain staff on approved tools, secure configurations, and incident escalation paths.
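As an added example, not code from the article or from Accountable, the following Python audits a page's HTML for third‑party scripts, frames, pixels and inline references to tracker hosts, and rates each finding higher when the page carries PHI. The sample page, the first‑party host and the tracker list are constructed for the demo and would be replaced with your own portal hosts and the domains your review identifies.

```python
"""Audit page HTML for third-party loads and tracker references.

Added example, not code from the article or from Accountable. The sample
page, the first-party host and the tracker list are constructed for the
demo; substitute your own portal hosts and the tracker domains your
review has identified.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY_HOSTS = {"portal.example-clinic.test"}                                   # assumed
KNOWN_TRACKER_HOSTS = {"analytics.example-tracker.test", "pixel.example-ads.test"}   # assumed

# tag -> attribute that makes the browser fetch a remote resource
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
_URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ResourceCollector(HTMLParser):
    """Collects static resource loads and any hosts named inside inline scripts."""

    def __init__(self):
        super().__init__()
        self.resources = []        # (tag, url, attrs)
        self.inline_hosts = set()  # hosts referenced by inline JavaScript (dynamic loaders)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        attr = RESOURCE_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((tag, attrs[attr], attrs))
        if tag == "script" and not attrs.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_hosts.update(_URL_RE.findall(data))


def classify_host(host):
    """Relative URLs and your own hosts are first-party; everything else is flagged."""
    if host is None or host in FIRST_PARTY_HOSTS:
        return "first-party"
    if host in KNOWN_TRACKER_HOSTS:
        return "known-tracker"
    return "third-party"


def audit_page(html, phi_page=True):
    """Return one finding per non-first-party load; known trackers on PHI pages rate high."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []

    def add(tag, host, pixel=False):
        kind = classify_host(host)
        if kind == "first-party":
            return
        if kind == "known-tracker":
            severity = "high" if phi_page else "medium"
        else:
            severity = "medium" if phi_page else "low"
        findings.append({"tag": tag, "host": host, "class": kind,
                         "pixel": pixel, "severity": severity})

    for tag, url, attrs in parser.resources:
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        add(tag, urlparse(url).hostname, pixel=(tag == "img" and tiny))
    for host in sorted(parser.inline_hosts):
        add("inline-script", host)
    return findings


# Constructed sample: a patient-portal page with one first-party script, a tracker
# script, a preconnect hint to the same tracker, an inline loader for an ad pixel,
# a video vendor iframe and a 1x1 tracking pixel inside <noscript>.
SAMPLE_HTML = """<html><head>
<script src="https://portal.example-clinic.test/static/app.js"></script>
<script src="https://analytics.example-tracker.test/tag.js"></script>
<script>
  window.dataLayer = [];
  var s = document.createElement('script');
  s.src = 'https://pixel.example-ads.test/collect.js';
  document.head.appendChild(s);
</script>
<link rel="preconnect" href="https://analytics.example-tracker.test">
</head><body>
<iframe src="https://video.example-vendor.test/room/abc"></iframe>
<noscript><img src="https://pixel.example-ads.test/p?ev=visit" width="1" height="1"></noscript>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_HTML):
        print(finding)
```

Static parsing catches only what is in the served HTML; trackers injected later by a tag manager surface here only through the inline‑script host scan, so pair this with a browser‑side network capture of a real visit before signing off on a page.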

Documentation readiness

Keep evidence of platform configurations, training completion, policy updates, and vendor due diligence. This documentation supports accountability and expedites investigations if issues arise.

Patient Privacy and Security Tips

Before the visit

  • Choose a private, quiet space; use headphones to reduce eavesdropping.
  • Update your device and telehealth app; enable device encryption and a strong passcode.
  • Join only through the official patient portal or app; avoid clicking links from unexpected messages.

During the visit

  • Confirm the clinician’s identity and the practice name; never share multi‑factor codes with anyone.
  • Close unrelated apps and disable smart speakers or voice assistants nearby.
  • Share only what’s necessary; avoid showing documents that reveal unrelated PHI on camera.

After the visit

  • Log out, clear downloaded files you no longer need, and store any notes inside the secure portal.
  • Monitor your portal for results and messages; promptly report suspicious account activity.

Educating Patients on Privacy Risks

Make policies clear and practical

Convert Telehealth Privacy Policies into plain‑language checklists that explain what is collected, why, how it is protected, and with whom it is shared. Offer layered content so patients can skim essentials and dive deeper when needed.

Meet patients where they are

  • Provide short, pre‑visit reminders covering private spaces, identity verification, and secure links.
  • Offer materials in multiple languages and accessible formats to reach diverse audiences.
  • Explain how to report concerns, and what Data Breach Notification would look like if an incident occurs.

Reinforce at every touchpoint

Embed privacy cues in appointment confirmations, waiting rooms, and portal dashboards. Small, consistent prompts drive safer behaviors more effectively than one‑time trainings.

Developing a Privacy and Security Strategy

Governance and ownership

  • Assign a privacy lead and a security lead; define decision rights and escalation paths.
  • Map PHI flows for telehealth, including third‑party APIs and storage locations.
  • Set measurable objectives for availability, confidentiality, and integrity.

Telehealth Risk Analysis, step by step

  • Inventory assets (platforms, devices, identities, data stores) and classify PHI.
  • Identify threats and vulnerabilities; score likelihood and impact.
  • Select controls (technical, administrative, physical); document residual risk and acceptance.
  • Review at least annually or after major changes, and test controls through exercises.

Technical safeguards that matter

  • Health Data Encryption in transit and at rest, strong key management, and secure backups.
  • Single sign‑on with multi‑factor authentication, device management, and timely patching.
  • Network segmentation, secure APIs, and centralized logging with continuous monitoring.

Administrative safeguards and response

  • Maintain Telehealth Privacy Policies, workforce training, and a sanctions policy for violations.
  • Vet vendors, maintain BAAs, and require incident cooperation and transparency.
  • Build an incident response plan that includes containment, forensics, decisioning, and Data Breach Notification when triggered.

Conclusion

Telehealth can be private and secure when you pair clear policies with strong authentication, encryption, and disciplined vendor management. By performing a focused Telehealth Risk Analysis and educating patients, you reduce breach risk while sustaining convenient, high‑quality care.

FAQs

What are the main privacy risks in COVID-19 telehealth?

Top risks include insecure or misconfigured video tools, third‑party tracking that touches PHI, unencrypted storage on personal devices, and human errors like misdirected messages or screen shares. Home environments and social engineering add additional exposure if not addressed with good practices.

How does HIPAA apply to telehealth services?

HIPAA’s Privacy, Security, and Breach Notification Rules apply to telehealth just as they do to in‑person care. You must protect PHI with appropriate safeguards, execute Business Associate Agreements with vendors, authenticate patients, encrypt data, and follow your Telehealth Privacy Policies.

What changed after the expiration of HIPAA enforcement discretion?

Standard HIPAA enforcement resumed. Covered entities must use HIPAA‑compliant platforms, have BAAs in place, disable non‑essential trackers that could expose PHI, and document updated risk analyses, policies, and staff training for telehealth workflows.

How can patients protect their privacy during telehealth visits?

Use a private space and headphones, access visits only through your provider’s official portal or app, keep devices updated and encrypted, use strong passwords, verify the clinician’s identity, and log out when finished. Report suspicious messages or account activity immediately.
