As telehealth grows increasingly common, nearly every aspect of traditional healthcare has online chat and video-call components. This runs from virtual wellness visits and post-surgery consultations to a wide range of remote patient monitoring (RPM) and mental health applications. While this considerable expansion of telemedicine services has made healthcare more accessible and convenient, it has raised one significant issue: privacy. So much so that the Department of Health and Human Services (HHS) has weighed in with some words of caution and advice.

One big issue that HHS raises concerns compliance with the Health Insurance Portability and Accountability Act of 1996, a federal law more commonly known as HIPAA. The law’s HIPAA Privacy Rule is a pretty big deal, establishing standards for individual privacy rights and how one’s health information can be used and shared by those deemed “covered entities.” And that’s the problem: not all the digital resources used in telehealth services are considered covered entities that need to comply with HIPAA rules. These covered entities are limited to health plans, healthcare clearinghouses, and certain healthcare providers. Most applications for video chats have no legal responsibility to protect your health information should you choose to use their platform to communicate with your healthcare provider.

So how can you protect your privacy? HHS advises people to use services that offer HIPAA-compliant video communication. These include Amazon Chime, Cisco Webex, Doxy.me, Google G Suite Hangouts Meet, GoToMeeting, Skype for Business / Microsoft Teams, Spruce Health Care Messenger, Updox, VSee, and Zoom for Healthcare. According to HHS, each of these services says it will enter into HIPAA business associate agreements (BAAs) to comply with the law and safeguard patient privacy. HHS is careful to note, though, that it doesn’t guarantee these services are HIPAA compliant, and that this is not an exhaustive list of services that are.

But what if your healthcare provider doesn’t offer HIPAA-compliant communications? Should you connect with them on popular apps or not? In this case, HHS advises caution, suggesting that you should understand you are accepting a certain amount of privacy risk, while still recommending FaceTime, Facebook Messenger, Google Hangouts, Zoom, and Skype. It’s worth noting that each of these apps offers some degree of privacy protection with end-to-end encryption and a variety of privacy settings. What you should never do, says HHS, is use public-facing platforms such as Facebook Live, Twitch, and TikTok for telehealth services.