HIPAA-Compliant Telehealth Privacy Policy: What to Include
A 2,000+ word HIPAA telehealth privacy policy guide covering PHI handling, BAAs, security controls, patient rights, and enforcement examples.
Telehealth platforms handle protected health information, so your privacy policy must satisfy HIPAA, state privacy laws, and app store expectations while keeping patients informed. This guide provides a complete outline, example language, tables, and checklists to publish a compliant, patient-friendly policy.
Use your existing CTA banners and link to the Privacy Policy Generator, Terms of Service Generator, and Cookie Policy Generator wherever patients sign up, view visit summaries, or download apps.
What a HIPAA telehealth privacy policy must cover
Scope and definitions
Define PHI and the services the policy covers (web, mobile, portals, messaging). Clarify whether you act as a covered entity or business associate.
Data collected
List identifiers, contact details, insurance information, health history, symptoms, care plans, messages, images, recordings, and device data. Separate PHI from non-PHI analytics.
Uses and purposes
Explain treatment, payment, and healthcare operations; care coordination; appointment reminders; security and fraud prevention; de-identified analytics; and research with proper authorization.
Sharing and disclosures
List providers, care teams, business associates with BAAs (hosting, EHR, communications, billing), and disclosures required by law or public health authorities. State that you do not sell PHI for marketing without authorization.
Patient rights
Provide access, amendments, accounting of disclosures, request for restrictions, confidential communications, and complaint processes. Include contact info and HHS complaint instructions.
Security practices
Describe encryption at rest and in transit, access controls, audit logging, minimum necessary handling, and incident response timelines.
Data and purpose table
| Data category | Purpose | Shared with | Legal basis/requirement | Retention |
|---|---|---|---|---|
| PHI (records, symptoms, images) | Treatment and care coordination | Providers, care teams | HIPAA treatment | Per medical record policy |
| Billing/insurance | Payment and eligibility | Billing processors | HIPAA payment | As required by law |
| Appointment reminders | Scheduling and care continuity | SMS/email vendors (with BAAs) | HIPAA operations | Until no longer needed |
| Security logs | Fraud prevention and uptime | Hosting vendors (with BAAs) | Legitimate interests/operations | 30-180 days |
| De-identified analytics | Quality improvement | Analytics vendors (de-identified) | HIPAA allows de-identified use | Aggregated, longer retention |
Step-by-step: draft and publish your policy
1) Map PHI data flows
Document what PHI you collect, where it is stored, which regions it is in, and which vendors touch it. Include backup and disaster recovery locations.
2) Confirm BAAs
Sign BAAs with hosting, EHR, communication, logging, and analytics vendors that see PHI. Avoid tools without BAAs. Reference BAAs in your policy.
3) Write clear clauses
Use plain language for data collection, use, sharing, rights, retention, and security. Add internal CTAs to the Privacy Policy Generator and Terms of Service Generator.
4) Add consent and authorization language
Describe when you need patient authorization (for marketing or non-treatment purposes) and how to revoke it. State that you do not sell PHI without explicit authorization.
5) Explain tracking and cookies
If your web portal uses cookies or analytics, link to your Cookie Policy Generator and explain that PHI is not sent to non-eligible tools.
6) Publish and link everywhere
Place links in the footer, account creation, visit summaries, waiting rooms, and appointment reminders. Include the policy in app store listings to satisfy review teams.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate Now7) Train staff and measure
Train support and clinical teams on rights handling and incident response. Track request SLAs, incident drills, and audit logs.
Common mistakes to avoid
Using non-eligible tools
Standard GA or ad pixels can capture PHI if misconfigured. Only use HIPAA-eligible tools with BAAs, and block tracking on PHI screens.
Vague breach language
State clear notification timelines and cooperation steps. Delays can trigger fines and loss of trust.
Missing patient rights details
List rights and how to exercise them. Provide contact info and a clear process for identity verification.
No separation of PHI and marketing
Never use PHI for marketing without authorization. Keep marketing systems segregated and scrubbed of PHI.
Weak retention rules
Define retention per record type and purge timelines for logs and backups.
Enforcement examples to remember
- OCR settlements (various): Telehealth providers have faced penalties for insecure messaging and disclosures. Strong access controls and BAAs are crucial.
- Meta pixel lawsuits (2022–2023): Health systems faced class actions for sending PHI via tracking pixels (news coverage). Avoid transmitting PHI to ad platforms.
- FTC Health Breach Notification Rule actions: The FTC has penalized apps that misrepresented health data sharing. Transparency and accurate policies are essential.
Implementation checklist
- Map PHI and non-PHI data flows, storage regions, and vendors.
- Sign BAAs with every vendor that touches PHI.
- Publish a clear policy covering collection, use, sharing, rights, security, and retention.
- Add CTAs to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator.
- Keep PHI out of non-eligible analytics and ad tools; honor consent where needed.
- Test request handling and incident response quarterly; keep audit logs.
Clause examples to adapt
PHI use and disclosure
“We use PHI to provide treatment, billing, care coordination, and operations. We do not sell PHI or use it for marketing without written authorization. Disclosures to business associates occur under signed BAAs.”
Tracking safeguards
“We do not send PHI to analytics or advertising tools. Analytics are limited to non-PHI events and are disabled on PHI screens.”
Breach response
“We will notify you without undue delay, aiming for initial notice within 72 hours after confirming an incident involving PHI. We will provide scope, impact, and mitigation details.”
Rights handling
“You may request access, correction, restrictions, confidential communications, or an accounting of disclosures. Contact us at [email] and we will respond within 30 days.”
30-day rollout plan
- Week 1: Map PHI flows, vendors, and regions; identify gaps and non-eligible tools.
- Week 2: Draft or update privacy policy language, BAAs, and subprocessor list; remove or replace non-eligible SDKs.
- Week 3: Add policy links to portals, apps, visit summaries, and store listings; configure cookie controls on web properties.
- Week 4: Train staff on rights requests and incident response; run a tabletop drill; publish the updated policy and note the revision date.
Metrics and QA
- Rights request SLA compliance and completion time.
- Incident drill results and time to notify.
- Percentage of traffic with tracking disabled on PHI screens.
- BAA coverage across all vendors and tools.
- Policy link integrity across apps, portals, and store listings.
Testing checklist
- Confirm PHI is excluded from analytics events, error reporting, and logs.
- Verify encryption in transit and at rest for databases, backups, and file storage.
- Test deletion of visit notes, messages, and uploaded images, including backups where possible.
- Validate access controls and audit logs for admin access to PHI.
- Rehearse an incident tabletop covering detection, containment, and patient notification steps.
Documentation to maintain
- List of BAAs with effective dates and services covered.
- Data retention schedule by record type, including backups and logs.
- Policy version history and publication dates on web, app, and portals.
- Records of DPIAs or risk assessments for new features or integrations.
Case example
- Scenario: A telehealth provider used a standard analytics pixel on appointment pages, which captured visit URLs tied to PHI.
- Impact: Raised risk of unauthorized disclosure and potential enforcement.
- Fix: Removed non-eligible pixels from PHI screens, switched to a HIPAA-eligible analytics tool with a BAA, updated the privacy policy and cookie disclosures, and ran an internal audit to confirm compliance.
Audit workbook
- Inventory of PHI and non-PHI data elements and where they live
- List of BAAs and coverage for each vendor and environment
- Retention schedules for records, messages, images, and logs
- Evidence of training for staff on privacy and security
- Tests of deletion, access, and restriction requests with timestamps
- Incident drill records and lessons learned
Glossary and resources
- PHI: Protected Health Information under HIPAA; includes any identifiable health data.
- BAA: Business Associate Agreement required for vendors that handle PHI on your behalf.
- Minimum necessary: HIPAA principle to limit PHI access to what is needed for the task.
- NPP: Notice of Privacy Practices for covered entities; may accompany your privacy policy when HIPAA applies.
- Reference: HHS HIPAA for official guidance and FTC health guidance for transparency expectations.
Sample patient-facing notice
“We collect and use your health information to deliver telehealth visits, coordinate care, process payment, and improve our services. We share PHI with your providers and service vendors under Business Associate Agreements. We do not sell PHI or use it for marketing without written authorization. You may request access, corrections, restrictions, confidential communications, or an accounting of disclosures. Contact [email protected] with questions.”
Placement and delivery tips
- Link your policy and NPP (if applicable) in the footer, account creation, intake forms, and visit summaries.
- Provide a printable PDF for patients who want a copy; note the last updated date.
- Add short reminders in appointment confirmations that link back to the full policy.
- For mobile apps, include a policy link in settings and during onboarding; mirror the same content on web.
- Keep a revision log and display the latest version number in the footer.
30/60/90 follow-up plan
- 30 days: Verify BAAs for all vendors, remove non-eligible pixels from PHI areas, and publish the updated policy and NPP.
- 60 days: Run a tabletop incident drill, test deletion and access requests end-to-end, and review retention schedules with legal.
- 90 days: Reassess vendors and data flows for new features, refresh consent and authorization language, and republish with a new version date.
Conclusion
A HIPAA telehealth privacy policy must combine clarity for patients with strict operational controls. By mapping data flows, securing BAAs, separating PHI from marketing, and honoring patient rights, you reduce enforcement risk and build trust. Reuse your CTA banners and link to the Privacy Policy Generator, Cookie Policy Generator, and Terms of Service Generator so your telehealth experience remains consistent and compliant.
Key takeaways
- Keep PHI out of non-eligible analytics and ad tools and sign BAAs with every vendor handling PHI.
- Provide clear rights instructions and rapid incident response timelines in your policy.
- Maintain retention schedules, audit logs, and a revision history for transparency.
- Link policies in every patient touchpoint and test deletion, access, and restriction workflows regularly.