Privacy and Security in Telemedicine: What to Know (2026)
Photo via Pexels
Quick note: Finance24Me is an independent information site. We do not provide medical care or telemedicine services. This article is educational only.
Telemedicine moves your most sensitive personal information — health conditions, medications, mental health discussions — through digital channels. HIPAA-compliant platforms protect this data, but not every “telehealth” app actually qualifies. Knowing what to look for and what your rights are protects both your privacy and the integrity of your medical care.
What HIPAA Compliance Means
The Health Insurance Portability and Accountability Act (HIPAA) sets federal rules for protected health information (PHI). HIPAA-compliant telemedicine platforms must:
- Use encryption in transit and at rest
- Implement access controls (only authorized users)
- Maintain audit logs
- Have Business Associate Agreements (BAAs) with vendors
- Provide breach notification within 60 days
- Offer patient access to records
- Allow patients to request restrictions
HIPAA-Compliant vs Non-Compliant Platforms
| HIPAA-Compliant | Often Non-Compliant |
|---|---|
| Doxy.me | FaceTime (general consumer) |
| Zoom for Healthcare (with BAA) | Standard Zoom |
| Microsoft Teams (with BAA) | Standard Teams |
| Amwell, Teladoc, Doctor on Demand | Skype |
| Provider-built portals | |
| Cerner, Epic, Athena platforms | SMS / standard texting |
During COVID-19 emergency, HHS temporarily allowed non-compliant platforms. That waiver ended in 2023. Healthcare providers must now use HIPAA-compliant tools.
What Encryption Looks Like
Look for:
- End-to-end encryption (E2EE) for video and audio
- TLS encryption for data in transit (HTTPS, not HTTP)
- AES-256 encryption for data at rest
- Multi-factor authentication for provider access
Most professional telemedicine platforms publish their security details. Check before signing up.
Your Privacy Rights Under HIPAA
You have the right to:
- Access your medical records (within 30 days of request)
- Amend records you believe are incorrect
- Request restrictions on how your information is shared
- Receive notice of how PHI is used
- File complaints for privacy violations
- Confidential communications (e.g., not call your home if you live with abusive partner)
File complaints with HHS Office for Civil Rights at hhs.gov/ocr.
Red Flags in Telemedicine Platforms
Avoid platforms that:
- Don’t mention HIPAA compliance prominently
- Have unclear privacy policies
- Sell or share data with third parties for marketing
- Don’t use encryption
- Use consumer messaging (SMS, regular email)
- Lack two-factor authentication
- Don’t offer patient access to records
Privacy of Mental Health Records
Mental health records have additional protections:
- Therapy session notes (“psychotherapy notes”) have stricter rules than medical records
- Substance abuse records have separate federal protections (42 CFR Part 2)
- Some states have additional mental health record protections
- HIV, sexually transmitted infections often have extra protections
Diagnoses and prescriptions still flow to insurance for billing.
What Insurance Companies See
When you file insurance claims, insurers see:
- Diagnosis codes (ICD-10)
- Procedure codes (CPT)
- Provider information
- Date and length of service
- Cost
They don’t see:
- Specific session content
- Detailed therapy notes
- Personal disclosures from sessions
Tips for Privacy-Protected Telemedicine
| Tip | Why |
|---|---|
| Use a private space | No one else hears |
| Wear headphones | Audio doesn’t leak |
| Close other browser tabs | Reduces tracking |
| Use private/incognito mode | Some history doesn’t save |
| Verify provider’s URL | Avoid phishing |
| Don’t screenshot sensitive content | Reduces leak risk |
| Update browser/device | Security patches |
What Happens to Recorded Sessions
Most telemedicine platforms don’t record sessions by default. If recording happens:
- Should require explicit consent
- Should be HIPAA-compliant storage
- Should follow standard medical records retention (typically 7+ years)
- You should know who has access
Always ask if a session will be recorded.
State Privacy Laws
Some states have stronger privacy laws than federal HIPAA:
- California Confidentiality of Medical Information Act (CMIA)
- Washington Health Privacy Act
- Texas Medical Records Privacy Act
These add patient protections. Check your state’s laws if you have specific privacy concerns.
Telemedicine and Tech Companies
Some “telehealth” services are run by tech companies whose business model includes data:
- Hims/Hers, Roman: Pharmacy and consultation focus, mostly compliant
- Cerebral: Faced 2022–2023 controversies about data practices
- Direct-to-consumer apps: Vary widely in compliance
If you have privacy concerns, prefer:
- Your existing provider’s portal
- Major telemedicine platforms (Teladoc, Amwell)
- Insurance-contracted platforms
- Hospital-affiliated virtual care
Helpful Resources
📖 HHS.gov Office for Civil Rights — file HIPAA complaints, get patient rights info.
📖 FTC Health Privacy — health-app privacy enforcement.
📖 State Attorney General — state-level privacy complaint authority.
What to Do If Your Privacy Is Violated
If you believe your medical privacy has been breached:
- Contact the provider/platform in writing
- File a complaint with HHS Office for Civil Rights at hhs.gov/ocr
- File a complaint with state AG for state law violations
- File a complaint with FTC if a non-HIPAA app misused data
- Consult an attorney for serious breaches
You can’t typically sue under HIPAA directly, but state laws may allow private action.
Common Telemedicine Privacy Mistakes
- Using consumer apps for medical visits (FaceTime, regular Zoom)
- Not reading privacy policies before sharing health info
- Sharing health info via unencrypted channels (regular email, SMS)
- Using public Wi-Fi for sensitive visits
- Not updating apps and devices with security patches
FAQ — Telemedicine Privacy and Security
Q: Is telemedicine secure? A: Yes when using HIPAA-compliant platforms. Always verify the platform you’re using.
Q: Are FaceTime / regular Zoom HIPAA-compliant? A: Standard versions are not. Zoom for Healthcare (with BAA) is. Use only what your provider’s office offers.
Q: Can my employer see my telemedicine records? A: No — your medical records are protected even with employer-sponsored insurance.
Q: What happens to my data if a telemedicine company shuts down? A: They must transition records to another provider or notify you. Records can’t simply disappear.
Q: Can I delete my telemedicine records? A: Generally no — medical records have legal retention requirements (typically 7+ years). You can amend errors and request restrictions on sharing.
Related Reading on Finance24Me
- Telemedicine Explained: Complete 2026 Guide
- Best Telemedicine Practices for Common Conditions
- How Telemedicine Works with Your Insurance
- Health App Data Privacy: Your Rights
- Future of Telemedicine: Trends
Bottom Line
Use only HIPAA-compliant telemedicine platforms. Avoid consumer messaging apps for medical visits. Read privacy policies. Use private spaces with headphones. Know your rights to access and amend your medical records. Report violations to HHS Office for Civil Rights at hhs.gov/ocr.
Disclaimer: This article is for informational and educational purposes only. It is not legal or medical advice, and Finance24Me does not provide telemedicine services. Always consult licensed providers and HIPAA-compliant platforms.
By Finance24Me Editorial · Updated May 9, 2026
- privacy
- security
- HIPAA