HIPAA Notice of Privacy Practices for Telehealth

By NPP Generator Editorial Team  ·  Last reviewed Apr 28, 2026

Telehealth providers need a HIPAA Notice of Privacy Practices that discloses how PHI flows through virtual care platforms, EHRs, and remote patient monitoring.

Telehealth-specific NPP considerations

A telehealth practice is a HIPAA covered entity just like a brick-and-mortar clinic. What's different is the shape of the PHI flow: rather than charts in a filing cabinet, you have encrypted video streams, EHR entries in the cloud, appointment reminders via SMS or email, and possibly remote patient monitoring data from connected devices. Your NPP should clearly disclose this technology-mediated flow of PHI in the "uses and disclosures for operations" section.

Video platform requirements (post-COVID)

During the COVID public-health emergency, HHS OCR exercised enforcement discretion and permitted use of non-HIPAA-compliant platforms (Zoom standard, FaceTime, Skype, Google Meet consumer). That discretion ended May 11, 2023. Post-2023, you must use a HIPAA-compliant video platform with a signed BAA. Acceptable: Zoom for Healthcare, Doxy.me, Google Meet (paid Workspace with BAA), Microsoft Teams (paid with BAA), Teladoc, Amwell. Not acceptable: standard Zoom, FaceTime, consumer Google Meet, consumer Skype, WhatsApp.

Multi-state practice: which state's laws apply?

If you are licensed in multiple states and see patients across state lines via telehealth, state mental-health and medical-privacy laws may apply per the patient's location, not your home state. This affects both the NPP (state complaints references) and operational practices (mandatory reporting, etc.). Our generator captures a primary governing state; for multi-state operations, consult healthcare counsel on whether state-specific NPP variants are needed.

Remote patient monitoring (RPM)

If your telehealth practice uses RPM devices — glucose monitors, blood pressure cuffs, wearables — the device manufacturer and data-aggregator are likely business associates. Your NPP's "uses and disclosures" section should describe that PHI may be received from and shared with these vendors as part of treatment.

Frequently Asked Questions

Do telehealth providers need a Notice of Privacy Practices?

Yes. Any provider rendering care that electronically bills insurance is a HIPAA covered entity under 45 CFR § 160.103. Telehealth and virtual-care companies that contract with patients directly fall under HIPAA's NPP requirement. The NPP must be available before or at the first telehealth encounter and posted on the patient-facing site or app.

How is NPP delivery different in telehealth than in a brick-and-mortar practice?

Telehealth providers typically post the NPP as a clickable link in the patient app or portal during signup. Best practice: require patients to acknowledge the NPP electronically before their first visit, store the timestamp/version acknowledged, and re-prompt acknowledgment when the NPP materially changes. This digitizes the in-person sign-and-file flow.

What disclosures should a telehealth NPP cover beyond standard items?

Telehealth NPPs should address: PHI flow through video platforms and EHRs, asynchronous messaging tools, prescription routing through e-prescribing networks, patient-data analytics platforms (BAAs required), security of recorded sessions, and cross-state-licensure disclosures. Each is a treatment, payment, or operations use that should be transparent.

Does a telehealth practice have to follow state NPP rules in every state it serves?

Yes. When a telehealth practice treats patients in multiple states, the NPP must reflect the strictest applicable state law for each patient's location. California's CMIA, New York's mental-health law, and Washington's My Health My Data Act all impose tighter standards than federal HIPAA. Use jurisdiction-aware NPP language or maintain state-specific variants.