25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is a HIPAA Compliant Video Chat?

Posted By on Jan 8, 2025

A HIPAA compliant video chat is an online, face-to-face conversation with a person – or persons – who it is permitted to disclose Protected Health Information to, and that is conducted via a platform that supports HIPAA compliance and in a manner that is HIPAA compliant. However, exceptions to this definition may exist for a variety of reasons.

Video chats in healthcare have many valuable uses. They can make healthcare more accessible for patients, support collaboration between healthcare providers, and reduce the costs of healthcare delivery. Video chats can also be recorded and referred back to in the future, used as training resources for medical students, or included in webinars that increase public health awareness.

However, when Protected Health Information (PHI) is disclosed in a video chat by a HIPAA covered entity, it is important the video chat is HIPAA compliant. This means that the recipient of PHI must be permitted to receive it, that the platform on which the video chat is conducted supports HIPAA compliance, and that the nature of the disclosure complies with the HIPAA Privacy Rule.

Who can Healthcare Providers Disclose PHI to?

Healthcare providers are permitted to disclose PHI to patients and their personal representatives, to other members of the workforce for treatment, payment, and healthcare operations, to other covered entities that have a direct relationship with the subject of the PHI, and to third party service providers when a HIPAA Business Associate Agreement is in place with the third party service provider.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Under certain circumstances, healthcare providers are also permitted to disclose PHI to family members and friends, law enforcement and public health authorities, regulatory and health oversight agencies, employers, schools, and to any other party pursuant to a valid HIPAA authorization. In addition, healthcare providers are required to disclose PHI to the Department of Health and Human Services (HHS) when the agency is undertaking a compliance investigation, review, or enforcement action.

What is a HIPAA Compliant Video Chat Platform?

When disclosing PHI via a video chat, it is not permitted to use any video chat platform (i.e., WhatsApp). Unless an exception exists, video chats must be conducted via a HIPAA compliant video chat platform. This means that the platform must have the capabilities to support HIPAA compliance, that the capabilities are configured to comply with the HIPAA Security Rule, and that members of the workforce receive HIPAA training on how to use the platform in compliance with the HIPAA Privacy Rule.

It is also necessary for healthcare providers to conduct due diligence on platform vendors to ensure the vendors comply with HIPAA. This should be done prior to subscribing to a service or entering into a Business Associate Agreement, as doubts exist over the alleged compliance of some vendors. Healthcare providers that fail to protect against any reasonably anticipated threats could be considered liable if a vendor on who they failed to conduct due diligence on is responsible for a HIPAA violation.

Compliance with the HIPAA Privacy Rule during Video Chats

A correctly configured HIPAA compliant video chat platform does not guarantee HIPAA compliance. Compliance is dependent on how the platform is used. For this reason, workforce training needs to include topics such as the minimum necessary standard, ensuring disclosures of PHI are consistent with the organization’s Notice of Privacy Practices, and ensuring users verify the identity of those they are disclosing PHI to. It is also important to account for agreed restrictions on disclosures of PHI (§164.522(a))

Other considerations with regards to HIPAA compliant video chats include who might overhear the conversation, and whose voice(s) might be recorded during the video chat. It is a best practice to conduct HIPAA compliant video chats with a patient from a separate environment and seek the patient’s consent to continue if anybody else is present at either end of the conversation. However, it is illegal in many states to inadvertently record the voice of someone who has not previously given their informed consent.

Note: If a video chat recording is going to be used as part of a webinar or other broadcast to increase public health awareness, it is necessary to obtain a valid HIPAA authorization from the subject(s) of PHI disclosed in the recording.

Exceptions to the HIPAA Video Chat Requirements

It was mentioned in the introduction that exceptions exist to the definition of a HIPAA compliant video chat. These include, but are not limited to, disclosures pursuant to a valid HIPAA authorization, requests for confidential communications via a non-compliant video chat platform, and waivers of enforcement action during public health emergencies. Disclosures pursuant to a valid HIPAA authorization are self-explanatory, but some healthcare providers may not be familiar with other exceptions.

Under §164.522(b) of the Privacy Rule, patients have the right to request communications of PHI from a healthcare provider by alternative means or at alternative locations. If the request is “reasonable”, it must be accommodated. This means that if a patient requests a video consultation via WhatsApp (maybe because that is the only video platform they know how to use), and the healthcare provider uses WhatsApp for other purposes, it is permissible for the healthcare provider to accommodate the request.

In these circumstances, it is recommended the patient is warned of the risks to the confidentiality, integrity, and availability of PHI and requested to put the request in writing if the patient still wishes to proceed. It is suggested that the written request also includes a statement acknowledging the risks of communicating PHI over a non-compliant video chat platform.

With regards to waivers of enforcement action, these are temporary exceptions to the HIPAA video chat requirements issued by HHS during a public health emergency. For example, during the COVID-19 public health emergency, HHS permitted the use of all non-public facing video chat platforms for telehealth. Enforcement waivers do not necessarily exempt non-compliant video chats, and is necessary to review each HHS ”Response Press Release” to determine which areas of HIPAA enforcement are being waived.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist