HIPAA Telehealth Privacy & Security Tips — Patient Handout

TELEHEALTH PRIVACY & SECURITY TIPS — PATIENT HANDOUT

Practice Name: [________________________________]
Practice Address: [________________________________]
Practice Phone: [________________________________]
Practice Website: [________________________________]
Privacy Officer Contact: [________________________________]
Telehealth Platform Used: [________________________________]

ABOUT THIS HANDOUT

This handout explains how to protect your privacy and security during telehealth visits. Telehealth allows you to see your healthcare provider using a computer, tablet, or phone instead of going to the office in person. Your telehealth visits have the same privacy protections as in-person visits. Federal law (HIPAA) and state laws protect your health information whether you are seen in person or through a screen.

Please read this handout before your first telehealth visit. If you have questions, contact our office at the number listed above.

SECTION 1: YOUR PRIVACY RIGHTS IN TELEHEALTH

You have the same rights during a telehealth visit as you do during an in-person visit:

• Right to Privacy. Your provider must keep your health information private and secure.
• Right to Know. You have the right to know how your health information is used and shared.
• Right to a Copy. You can request a copy of your health records, including telehealth visit notes.
• Right to Corrections. You can ask to correct errors in your records.
• Right to Restrict Sharing. You can ask your provider to limit how your information is shared.
• Right to Withdraw Consent. You can stop using telehealth at any time and request in-person visits instead.
• Right to File a Complaint. If you believe your privacy was violated, you can file a complaint (see Section 10 below).

SECTION 2: BEFORE YOUR TELEHEALTH VISIT

Choose a Private Location

☐ Find a room where you can close the door and be alone.
☐ If you cannot be alone, use headphones so others cannot hear your provider.
☐ Avoid having your telehealth visit in a public place (coffee shop, library, waiting room, workplace break room).
☐ If you must use a shared space, let your provider know at the start of the visit.
☐ Tell household members you need privacy during your appointment.

Set Up Your Technology

☐ Device: Use a personal computer, tablet, or smartphone. Avoid using a work computer or shared device if possible.
☐ Camera and Microphone: Test your camera and microphone before the visit. Most telehealth platforms have a "test" or "check" button.
☐ Internet Connection: Use a private, password-protected Wi-Fi network. Avoid public Wi-Fi (hotel, airport, coffee shop).
☐ Browser or App: Download or update the telehealth app or check your browser version before the visit.

• Supported platforms may include: Zoom for Healthcare, Doxy.me, Microsoft Teams for Healthcare, Amwell, Teladoc, Epic MyChart Video, athenahealth, or another platform identified by your provider.
  ☐ Charge Your Device: Make sure your device is fully charged or plugged in.
  ☐ Close Other Programs: Close email, social media, and other browser tabs before the visit.
  ☐ Software Updates: Install the latest security updates on your device and apps.
  ☐ Lighting: Sit facing a window or light source so your provider can see you clearly.

Gather Important Information

☐ Have your insurance card available.
☐ Have a list of your current medications (names, doses, how often you take them).
☐ Write down any questions or concerns you want to discuss.
☐ Have your pharmacy name and phone number available.
☐ If you are a new patient, have your photo ID ready for identity verification.

Disable Smart Devices

☐ Turn off or mute smart speakers (Amazon Echo/Alexa, Google Home, Apple HomePod, etc.).
☐ Turn off smart TVs or other devices that may listen or record in your room.
☐ If you use a smart watch, be aware it may record audio.

SECTION 3: DURING YOUR TELEHEALTH VISIT

Protect Your Privacy During the Visit

☐ At the start of the visit, your provider may ask you to confirm your name, date of birth, and location.
☐ Tell your provider if anyone else is in the room with you.
☐ If you want a family member or caregiver to join the visit, let your provider know in advance.
☐ Use headphones or earbuds to prevent others from hearing the conversation.
☐ Do not use speakerphone if others are nearby.
☐ Avoid moving to different locations during the visit (stay in one private place).

Recording and Screenshots

☐ Do NOT record your telehealth visit (audio or video) without telling your provider and getting permission.
☐ Do NOT take screenshots of your provider or the visit screen.
☐ Your provider will not record your visit without your written permission.
☐ If your provider asks to record for clinical or training purposes, you have the right to say no.

Screen Sharing Safety

☐ If your provider asks you to share your screen (for example, to show a medication bottle or a rash), only share what is needed.
☐ Close personal tabs, documents, or apps before sharing your screen.
☐ Stop sharing your screen as soon as you are done.

SECTION 4: AFTER YOUR TELEHEALTH VISIT

Accessing Your Records

☐ You can access your visit summary and medical records through your patient portal.

• Patient Portal: [________________________________]
• Portal Website/App: [________________________________]
  ☐ If you do not have a patient portal account, call our office to set one up.
  ☐ You can request a paper copy of your records at any time.

Secure Messaging

☐ Use the patient portal for non-urgent messages to your provider. This is more secure than regular email or text.
☐ Do not send sensitive health information through regular email, text message, or social media.
☐ Response time for portal messages: [________________________________]

Protecting Information on Your Device

☐ After your visit, clear any health information you saved or downloaded to your device if you no longer need it.
☐ Use a strong password or PIN to lock your device.
☐ Turn on auto-lock so your device locks after a short time.
☐ If you use multi-factor authentication (a code sent to your phone when you log in), keep it turned on.
☐ Do not save your patient portal password in a shared browser.

SECTION 5: WHAT TO DO IF TECHNOLOGY FAILS DURING YOUR VISIT

Technology problems can happen during any telehealth visit. Here is what to do:

Our backup plan: If your visit is interrupted and cannot be restored, we will:

☐ Call you at [________________________________] (your phone number on file)
☐ Send a secure portal message with instructions
☐ Reschedule if the visit cannot be completed

Important: If you are having a medical emergency during a visit, call 911 immediately. Do not wait for the technology to reconnect.

SECTION 6: SPECIAL PRIVACY PROTECTIONS FOR SENSITIVE VISITS

Behavioral Health and Mental Health Visits

• Your mental health records have the same HIPAA protections as other medical records.
• Psychotherapy notes (your therapist's personal notes taken during sessions) have extra protection under HIPAA. They cannot be shared without your specific written permission (45 C.F.R. § 164.508(a)(2)).
• If you are seeing a psychiatrist, therapist, counselor, or social worker by telehealth, the same confidentiality rules apply as in-person.

Substance Use Disorder (SUD) Treatment

• If you are receiving treatment for a substance use disorder, your records have additional federal protection under 42 C.F.R. Part 2.
• Your SUD treatment records generally cannot be shared without your specific written consent, even with other healthcare providers, except in limited circumstances (medical emergency, qualified research, internal program communication, or court order).
• The 2024 final rule aligning Part 2 with HIPAA allows certain disclosures for treatment, payment, and health care operations with a general consent, but your records still cannot be used against you in criminal proceedings without a court order.
• If you have questions about your SUD privacy rights, ask your provider or our Privacy Officer.

HIV/STI Testing and Treatment

• Many states have extra privacy protections for HIV status and sexually transmitted infection (STI) records.
• These records may require your specific written consent before they can be shared.
• Talk to your provider about your state's rules.

Reproductive Health

• If you are receiving reproductive health services via telehealth, be aware that some states have additional privacy protections for these records.
• Ask your provider what information will appear in your medical record and on insurance statements.

SECTION 7: CHILDREN AND ADOLESCENT TELEHEALTH PRIVACY

If You Are the Parent or Guardian

• You may have the right to access your child's medical records, but some states allow minors to consent to certain services (mental health, substance abuse treatment, reproductive health) without parental knowledge.
• During a telehealth visit, your child's provider may ask to speak privately with your child for part of the session.
• Make sure your child has a private space for their telehealth visit.

If You Are a Teen

• Depending on your state and the type of visit, you may have the right to keep parts of your visit confidential from your parents.
• Ask your provider what information will be shared with your parents and what will stay private.
• Use a private space where you feel comfortable talking openly.

Tips for Parents and Guardians

☐ Help your child set up a private space for the visit.
☐ Test the technology with your child before the appointment.
☐ For young children, be available nearby in case they need help.
☐ Ask the provider at the start of the visit whether you should stay or step out for any portion.

SECTION 8: CAREGIVER AND FAMILY MEMBER PARTICIPATION

If you want a family member, caregiver, or interpreter to join your telehealth visit:

☐ Tell your provider before the visit.
☐ Your provider will confirm your consent at the start of the visit.
☐ The other person must be identified by name and relationship.
☐ You can ask them to leave at any time during the visit.
☐ Your provider may ask you questions privately (without the other person present) as part of standard screening.

Important: If your provider suspects abuse, neglect, or coercion, they are required by law to report it, even during a telehealth visit.

SECTION 9: EMERGENCY PROCEDURES DURING TELEHEALTH

If you experience a medical emergency during a telehealth visit:

1. Call 911 (or your local emergency number) immediately.
2. Tell the 911 dispatcher your exact location (address, apartment number, floor).
3. Stay on the line with 911. Your provider may stay on the telehealth connection to provide information to emergency responders if needed.
4. If you are feeling suicidal or in a mental health crisis, call or text 988 (Suicide & Crisis Lifeline) or go to your nearest emergency room.

Your provider will confirm your physical location at the start of each visit so emergency services can be dispatched to you if needed.

SECTION 10: HOW TO FILE A PRIVACY COMPLAINT

If you believe your privacy was violated during a telehealth visit, you have the right to file a complaint:

Step 1: Contact Our Practice

• Privacy Officer: [________________________________]
• Phone: [________________________________]
• Email: [________________________________]

Step 2: File a Complaint with the U.S. Department of Health and Human Services (HHS)

• Online: https://www.hhs.gov/hipaa/filing-a-complaint/index.html
• Phone: 1-800-368-1019 (toll-free) / TDD: 1-800-537-7697
• Mail: Centralized Case Management Operations, U.S. Department of Health and Human Services, 200 Independence Avenue S.W., Room 509F HHH Bldg., Washington, D.C. 20201
• Deadline: You generally must file within 180 days of when the violation occurred.

Step 3: Contact Your State Attorney General or Health Department

Many states have their own health privacy enforcement agencies. You may also file with your state.

You will NOT be penalized for filing a complaint. It is against the law for anyone to retaliate against you for filing a privacy complaint.

SECTION 11: STATE-SPECIFIC PATIENT RIGHTS IN TELEHEALTH

California

• Under Cal. Bus. & Prof. Code § 2290.5, your provider must inform you about the use of telehealth and obtain your verbal or written consent before your first telehealth visit.
• You have the right to receive in-person care instead of telehealth.
• Medi-Cal beneficiaries have additional rights, including the right to transportation assistance to access in-person services.
• California's Confidentiality of Medical Information Act (CMIA) (Cal. Civ. Code § 56 et seq.) provides additional privacy protections beyond HIPAA.
• Minors age 12 and older may consent to mental health treatment without parental consent (Cal. Health & Safety Code § 124260; Cal. Fam. Code § 6924).

Texas

• Under Tex. Occ. Code § 111.001 et seq., your provider must obtain informed consent before providing telehealth services.
• The Texas Medical Board requires that the standard of care for telehealth is the same as for in-person visits.
• You have the right to request in-person care at any time.
• Beginning January 1, 2026, health benefit plans in Texas are required to cover telemedicine services (House Bill 1052).
• Texas law requires providers to verify your identity and location at each telehealth visit.

Florida

• Under Fla. Stat. § 456.47, providers must follow the same standard of care for telehealth as for in-person services.
• Out-of-state providers must register with the Florida Department of Health before providing telehealth to Florida patients.
• Telehealth records must be documented to the same standard as in-person visit records.
• You have the right to access your telehealth records under Florida law.
• Florida law requires telehealth providers to maintain professional liability coverage that covers telehealth services.

New York

• Under N.Y. Pub. Health Law § 2999-cc et seq., telehealth includes live video, audio-only, store-and-forward, and remote patient monitoring.
• New York extends telehealth reimbursement parity for private payers through April 2026, meaning your insurance must cover telehealth at the same rate as in-person visits.
• You have the right to informed consent before telehealth services begin.
• New York's Mental Hygiene Law provides additional protections for mental health and substance abuse treatment records.
• Providers must be licensed in New York or hold appropriate interstate compact authorization to provide telehealth to New York patients.

SECTION 12: FREQUENTLY ASKED QUESTIONS

Q: Is my telehealth visit as private as an in-person visit?
A: Yes. Federal law (HIPAA) requires the same privacy and security protections for telehealth visits as for in-person visits. Your provider uses a secure, encrypted platform.

Q: Can my employer see my telehealth visit if I use a work computer?
A: Your employer cannot access the content of your visit, but your employer may be able to see that you visited a telehealth website. For maximum privacy, use a personal device.

Q: Can my provider see my whole house through the camera?
A: Your provider can only see what your camera shows. You can use a virtual background or sit in front of a plain wall if you are concerned about privacy.

Q: What if someone in my home overhears my visit?
A: Use headphones and a private room. If someone overhears your visit, your provider's HIPAA obligations still apply, but you should take steps to protect your own privacy.

Q: Will my telehealth visit show up on my insurance statement?
A: Yes, telehealth visits are typically billed to insurance and may appear on your Explanation of Benefits (EOB). If you have concerns, ask our billing office about your options.

Q: Can I have my telehealth visit from another state?
A: Your provider must be licensed in the state where you are physically located during the visit. Let your provider know your location before each visit, especially if you travel.

Q: Is a phone-only (audio-only) visit as secure as a video visit?
A: Phone calls are generally secure, but standard phone lines do not have the same encryption as video platforms. Your provider will discuss the best option for your visit.

SECTION 13: GLOSSARY

ACKNOWLEDGMENT OF RECEIPT

I acknowledge that I have received and read (or had read to me) this Telehealth Privacy & Security Tips handout.

Patient Name (Print): [________________________________]

Patient Signature: ______________________________

Date: [__/__/____]

If signed by a legal representative:

Representative Name (Print): [________________________________]

Relationship to Patient: [________________________________]

Representative Signature: ______________________________

Date: [__/__/____]

Sources and References

1. U.S. Department of Health and Human Services, "Telehealth Privacy and Security Tips for Patients" — https://telehealth.hhs.gov/patients/telehealth-privacy-for-patients
2. HIPAA Privacy Rule, 45 C.F.R. Part 164, Subparts A and E — https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164
3. HIPAA Security Rule, 45 C.F.R. Part 164, Subpart C — https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
4. 42 C.F.R. Part 2, Confidentiality of Substance Use Disorder Patient Records (2024 Final Rule) — https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
5. HHS Fact Sheet on 42 C.F.R. Part 2 Final Rule — https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html
6. Cal. Bus. & Prof. Code § 2290.5 — https://codes.findlaw.com/ca/business-and-professions-code/bpc-sect-2290-5/
7. Tex. Occ. Code § 111.001 et seq. — https://statutes.capitol.texas.gov/Docs/OC/htm/OC.111.htm
8. Fla. Stat. § 456.47 — https://www.flsenate.gov/Laws/Statutes/2025/456.47
9. N.Y. Pub. Health Law § 2999-cc — https://www.nysenate.gov/legislation/laws/PBH/2999-CC
10. HHS Office for Civil Rights, HIPAA Complaint Portal — https://www.hhs.gov/hipaa/filing-a-complaint/index.html
11. 988 Suicide & Crisis Lifeline — https://988lifeline.org/
12. FTC Health Breach Notification Rule, 16 C.F.R. Part 318 — https://www.ecfr.gov/current/title-16/chapter-I/subchapter-C/part-318