TECH

How to Keep Your Telehealth Appointment Private: HIPAA, Video Platforms, and What to Ask Your Provider

med privacy · med tech

A guide to understanding why telehealth privacy depends on your provider's setup, which video platforms are HIPAA-compliant, what a Business Associate Agreement is, and the specific questions to ask before your next online visit with a doctor or therapist.

April 14, 2026 · 6 min read

1. Why telehealth privacy depends on your provider's setup, not just the app you use

Most patients assume that any video call with a doctor or therapist is automatically private. The call may well be encrypted, but whether it is legally protected under HIPAA depends on what the provider has set up on their end, specifically whether the company running the video platform has signed a Business Associate Agreement with the practice.

How HIPAA applies to telehealth sessions
  • When you have a video visit with a licensed doctor, therapist, or specialist, HIPAA applies to that provider as a covered entity, and they are legally required to protect your health information, including what is discussed during the session. One caveat: a provider is a covered entity because they transmit health information electronically for things like insurance claims, which nearly all practices do; a small cash-only practice that never bills electronically can fall outside HIPAA, in which case state privacy law and the clinician's licensing rules are what protect you
  • HIPAA's reach extends to the technology the provider uses through a Business Associate Agreement (BAA). A video platform that carries sessions on the provider's behalf creates, receives, and transmits protected health information and is therefore a business associate by function; the BAA is the contract HIPAA requires the provider to have with it
  • If the platform has signed a BAA with the practice, it is contractually and legally bound to safeguard session data under HIPAA standards and to report breaches. If there is no BAA, the provider is not meeting their HIPAA obligations, regardless of how secure the video connection itself may be, because the vendor has made no commitments about how it stores, logs, or shares what passes through it
  • The legal protection of your telehealth session therefore comes down to two things: whether your provider is a covered entity (true for nearly all doctors, therapists, and licensed clinicians), and whether they are using a platform that has a BAA with their practice
Why the same app can be compliant or not compliant
  • Zoom is the clearest example of this distinction. Standard Zoom (the consumer version most people use) does not offer a BAA and should not be used for clinical sessions. Zoom for Healthcare is a separate product tier that offers HIPAA compliance and a BAA for healthcare organizations
  • A provider using a personal or standard Zoom account for therapy or medical appointments is doing so without a BAA. The provider's own HIPAA duties still apply, but the company carrying the session has made no commitments about your data, so the session is not HIPAA-protected end to end, even though the video stream itself is encrypted in transit
  • Two patients could both use Zoom for their telehealth visits and have completely different levels of legal protection, depending entirely on whether their provider set up the correct account type and signed a BAA
  • The same logic applies to Google Meet, FaceTime, and other general-purpose video tools. Their consumer versions are not designed for healthcare and do not offer BAAs for standard accounts. Using them for clinical sessions creates a HIPAA compliance gap

2. Which video platforms are HIPAA-compliant and which are not

The platform your provider uses determines whether HIPAA protections apply to your session. Purpose-built healthcare platforms include a BAA as part of their offering. General-purpose video tools require specific enterprise-level healthcare configurations that most individual providers do not have in place.

Platforms built for healthcare (BAA available)
  • Doxy.me: a telehealth platform designed specifically for healthcare providers. HIPAA-compliant, BAA available, and requires no software installation for patients (fully browser-based). Free for providers at the basic tier, making it common among independent therapists and small practices
  • SimplePractice: a practice management platform for mental health providers that includes HIPAA-compliant video sessions. Widely used by therapists in private practice and group practices
  • TherapyNotes and Therapy Brands: purpose-built for mental health and behavioral health providers, with HIPAA-compliant video included in both platforms
  • Zoom for Healthcare: Zoom's healthcare-specific product tier that includes a BAA. Distinguished from standard Zoom by the account type and the BAA. If your provider uses Zoom, ask specifically whether they are on Zoom for Healthcare
  • Teladoc, MDLive, and similar telehealth companies: platforms where the entire service, including the provider and the technology, operates within a HIPAA-compliant framework
Platforms that are not compliant for clinical use (not appropriate)
  • Standard Zoom (free or standard paid plans): does not include a BAA for individual or standard business accounts. Not appropriate for clinical sessions regardless of how widely it is used in practice
  • Google Meet (standard Workspace): Google offers HIPAA-compatible configurations under specific enterprise agreements, but standard Google Meet accounts do not carry a BAA for healthcare use
  • FaceTime: no BAA is available. Not appropriate for clinical sessions despite Apple's end-to-end encryption
  • WhatsApp Video: not HIPAA-compliant, not appropriate for any clinical session
  • Standard Skype or Teams: Microsoft offers HIPAA-compliant Teams configurations for enterprise healthcare customers, but standard consumer accounts do not qualify
  • If your provider is using any of these for clinical sessions without a specific enterprise healthcare agreement and BAA, they are not meeting their HIPAA obligations, regardless of how convenient those tools are for them

3. What you can control on your end

Even when your provider is using a compliant platform, your own setup determines whether anyone else can access the session. These steps apply regardless of platform and take only a few minutes to put in place before your first visit.

Your network and device (5 min)
  • Use your home WiFi or a trusted private network. The platform encrypts the call itself, but on public WiFi (coffee shops, libraries, airports) your device shares the network with strangers: the network operator, and on an open network other users, can see which service you are connecting to and can probe your device directly. Telehealth sessions carry sensitive audio and video, so use a private connection
  • If you need to join from a location without private WiFi, use your phone's cellular connection as a hotspot rather than connecting to public WiFi
  • Use a personal device, not a shared or work computer. Employer-managed devices commonly run endpoint monitoring, management profiles, or screen capture tools at the operating system level, which you cannot see or disable and which can capture a session no matter how private the platform is
  • Close unnecessary apps and browser tabs before the session starts. On iPhone, go to Settings, then Focus, and enable Do Not Disturb to prevent notifications from appearing during the call. On Android, Do Not Disturb is under Settings, then Sound (the exact path varies by manufacturer); Digital Wellbeing's Focus Mode additionally pauses distracting apps
  • If you are on a shared device: log out of the telehealth platform completely after the session (do not just close the tab), and delete any downloaded files such as intake forms or shared documents from your downloads folder
Physical privacy and session recordings (2 min)
  • Use headphones. They keep your provider's side of the conversation from being heard by anyone nearby or through walls and doorways. Your own voice still carries, so headphones reduce the exposure rather than eliminate it
  • Check whether the platform records sessions. Some platforms allow providers to record sessions with patient consent; others do not record at all. You have the right to ask whether your session will be recorded, how the recording is stored, who can access it, and how long it is retained
  • Prefer browser-based platforms (like Doxy.me) over platforms that require you to install a dedicated app; a browser session puts no new software on your device. For platforms that do require an app, review the permissions it requests: microphone and camera are expected; location, contacts, call logs, or messages are not, and file or photo access is only justified if you actually upload documents through the app
  • Be aware of who else is in the physical space during your session, including people in adjacent rooms who might overhear. A private room with a closed door is the minimum for sensitive sessions
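A way to make the permission review above concrete on Android, as an added example that is not from the page or from any telehealth vendor: the script below parses the output of `adb shell dumpsys package <package>` (a real adb command; iOS has no CLI equivalent, so use Settings, then Privacy & Security, per app) and sorts the app's permissions into ones to revoke, ones to look up, and sensitive ones you have already denied. The dumpsys text is a constructed sample that mirrors the `permission: granted=true|false` line format, the expected-permission allowlist is this example's assumption, and `com.example.telehealth` is a placeholder package name, not a real app.

```python
"""Flag Android app permissions that a video-visit app should not need.

Added example, not code from the article or from any telehealth vendor.
Input is the text of `adb shell dumpsys package <package>`, parsed here
offline from a CONSTRUCTED sample. `com.example.telehealth` is a
placeholder package name, not a real app.
"""
import re
from typing import Dict, List

# Permissions a video-visit client legitimately needs (an assumption made
# for this example; CAMERA and RECORD_AUDIO are what the article calls expected).
EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.INTERNET",
    "android.permission.MODIFY_AUDIO_SETTINGS",  # speaker/headset routing
    "android.permission.BLUETOOTH_CONNECT",      # Bluetooth headphones
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions the article says a clinical video app has no business asking for.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.READ_MEDIA_IMAGES",
}

# dumpsys lists each install/runtime permission as
#   android.permission.X: granted=true, flags=[ ... ]
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+):\s*granted=(true|false)")

# Constructed sample of `adb shell dumpsys package com.example.telehealth`.
SAMPLE_DUMPSYS = """\
Package [com.example.telehealth] (1a2b3c4):
  userId=10234
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.MODIFY_AUDIO_SETTINGS: granted=true
  User 0: installed=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
"""


def parse_permissions(dumpsys_text: str) -> Dict[str, bool]:
    """Return {permission: granted} for every permission line in the dumpsys output."""
    perms: Dict[str, bool] = {}
    for line in dumpsys_text.splitlines():
        m = PERM_LINE.match(line)
        if m:
            perms[m.group(1)] = m.group(2) == "true"
    return perms


def review(perms: Dict[str, bool]) -> Dict[str, List[str]]:
    """Bucket permissions: granted-and-sensitive, off-allowlist, and sensitive-but-denied."""
    result: Dict[str, List[str]] = {"revoke": [], "unexpected": [], "denied_sensitive": []}
    for perm, granted in sorted(perms.items()):
        if perm in SENSITIVE and granted:
            result["revoke"].append(perm)            # turn off under Settings > Apps > Permissions
        elif perm in SENSITIVE:
            result["denied_sensitive"].append(perm)  # app asked, you said no; keep it that way
        elif perm not in EXPECTED:
            result["unexpected"].append(perm)        # not on the allowlist; look it up before granting
    return result


if __name__ == "__main__":
    for bucket, names in review(parse_permissions(SAMPLE_DUMPSYS)).items():
        print(f"{bucket}: {names}")
```

On a real device, pipe `adb shell dumpsys package <package>` into `parse_permissions` instead of the sample; anything landing in `revoke` is a permission to switch off before the session, and anything in `unexpected` is a permission to understand before granting.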

4. Questions to ask your provider before your first telehealth session

The most important privacy steps for telehealth happen before the session begins, not during it. Asking your provider a handful of specific questions up front establishes whether legal protections apply and whether you need to make any changes before proceeding.

What to ask and what the answers mean
  • "What platform do you use for video visits?" A provider using a purpose-built healthcare tool (Doxy.me, SimplePractice, TherapyNotes, Zoom for Healthcare) is a good signal. A provider using consumer Zoom, Google Meet, or FaceTime warrants a direct follow-up
  • "Does that platform have a signed BAA with your practice?" Any provider who has properly set up a HIPAA-compliant telehealth workflow can answer this directly. If they are unsure what a BAA is, that is a significant concern about their broader HIPAA compliance
  • "Do you record sessions?" If sessions are recorded, ask where recordings are stored, who can access them, how long they are kept, and your right to request deletion
  • "Can I see your Notice of Privacy Practices?" Covered entities are required under HIPAA to provide this document on request. It explains how your protected health information is used, stored, and shared. Any licensed provider should be able to provide this immediately
Red flags and what to do if already on a non-compliant platform
  • Red flags: a provider who cannot name the platform they use, a provider using a personal Gmail or consumer Zoom account without a healthcare-specific explanation, a provider who dismisses the BAA question, or a platform that requests device permissions beyond microphone and camera
  • If you are already using a non-compliant platform: your past sessions are not automatically exposed, but HIPAA protections did not apply to how the platform handled that session data. You can continue care while asking the provider to switch to a compliant tool
  • For ongoing sessions with a non-compliant setup: you can request that the provider migrate to a HIPAA-compliant platform. If they are unable or unwilling and your sessions involve sensitive mental health or medical information, it is worth weighing whether to continue with that provider
  • To file a complaint about a provider's HIPAA practices: go to hhs.gov/hipaa/filing-a-complaint. The HHS Office for Civil Rights (OCR) investigates HIPAA complaints against covered entities. Retain any documentation of your communications with the provider

The privacy of a telehealth session is largely invisible to patients. You see a video call, but what determines whether it is legally protected is entirely on the provider's side. Whether they have a BAA with their video platform, whether that platform meets HIPAA standards, and whether their practice has implemented compliant tools are decisions made before you ever join the call. The questions in Section 4 are the most actionable part of this guide: asking your provider directly what platform they use and whether it has a BAA takes under two minutes and establishes clearly whether HIPAA protections apply to your sessions. The network and device steps in Section 3 apply regardless of platform and add a meaningful layer of protection at no cost. Most patients have never asked their telehealth provider these questions. Most providers using compliant tools can answer them in one sentence.