HIPAA Notice of Privacy Practices for Telehealth
Telehealth providers need a HIPAA Notice of Privacy Practices that discloses how PHI flows through virtual care platforms, EHRs, and remote patient monitoring. Generate one now.
Quick facts for telehealth providers
- Virtual-care providers are HIPAA covered entities regardless of physical location
- Video platforms (Zoom for Healthcare, Doxy.me, etc.) are business associates and need BAAs
- COVID-era enforcement discretion ended May 11, 2023 — non-compliant platforms are no longer permitted
- Multi-state telehealth adds state-law complexity; the NPP must reference state complaint routing
Telehealth-specific NPP considerations
A telehealth practice is a HIPAA covered entity just like a brick-and-mortar clinic. What's different is the shape of the PHI flow: rather than charts in a filing cabinet, you have encrypted video streams, EHR entries in the cloud, appointment reminders via SMS or email, and possibly remote patient monitoring data from connected devices. Your NPP should clearly disclose this technology-mediated flow of PHI in the "uses and disclosures for operations" section.
Video platform requirements (post-COVID)
During the COVID public-health emergency, HHS OCR exercised enforcement discretion and permitted use of non-HIPAA-compliant platforms (Zoom standard, FaceTime, Skype, Google Meet consumer). That discretion ended May 11, 2023. Post-2023, you must use a HIPAA-compliant video platform with a signed BAA. Acceptable: Zoom for Healthcare, Doxy.me, Google Meet (paid Workspace with BAA), Microsoft Teams (paid with BAA), Teladoc, Amwell. Not acceptable: standard Zoom, FaceTime, consumer Google Meet, consumer Skype, WhatsApp.
Multi-state practice — which state's laws apply?
If you are licensed in multiple states and see patients across state lines via telehealth, state mental-health and medical-privacy laws may apply per the patient's location, not your home state. This affects both the NPP (state complaints references) and operational practices (mandatory reporting, etc.). Our generator captures a primary governing state; for multi-state operations, consult healthcare counsel on whether state-specific NPP variants are needed.
Remote patient monitoring (RPM)
If your telehealth practice uses RPM devices — glucose monitors, blood pressure cuffs, wearables — the device manufacturer and data aggregator are likely business associates. Your NPP's "uses and disclosures" section should describe that PHI may be received from and shared with these vendors as part of treatment.
Distribution for telehealth-only practices
- Before first virtual visit: send the NPP via email or make available in the patient portal
- Obtain electronic acknowledgment: via signature or checkbox in the portal or e-consent flow
- Website: post on your practice website (all telehealth practices have one)
- No physical posting required if you have no physical clinical site
Generate your NPP in under 5 minutes
Answer a few questions and download a HIPAA-compliant Notice of Privacy Practices based on the HHS February 2026 revised model.