
Screen Sharing Privacy for Therapists: HIPAA-Compliant Screen Sharing in Telehealth

Therapists and healthcare providers must protect patient data during telehealth sessions. Learn how to blur PHI during screen sharing to support HIPAA compliance.

Published 2026-02-23 | Updated 2026-03-03 | 8 min read

Direct answer

Therapists and healthcare providers must protect patient data during telehealth sessions. Learn how to blur PHI during screen sharing to support HIPAA compliance, and follow the step-by-step approach in this guide.

TL;DR: Therapists and mental health providers can support HIPAA compliance during screen sharing by using ContextBlur to blur patient names, dates of birth, medical record numbers, session notes, and other PHI -- ensuring that case consultations, supervision sessions, and treatment planning calls do not become inadvertent disclosures.


Telehealth Changed Everything -- Including the Risk

Telehealth was already growing before 2020, but the pandemic accelerated adoption by a decade almost overnight. While in-person visits have partially returned, telehealth is now a permanent fixture of mental health care -- and it created a new category of privacy risk that most training programs never addressed. Therapists are now routinely sharing screens during:

  • Clinical supervision sessions where supervisees present case material
  • Treatment team meetings where multiple providers coordinate care
  • Case consultations where therapists seek peer input on clinical challenges
  • Administrative reviews involving scheduling, billing, and insurance verification
  • Training and education where clinical examples are used for instruction

Each of these scenarios involves displaying patient data on a shared screen -- and each one is governed by HIPAA's strict protections for protected health information (PHI).

Understanding HIPAA in the Screen-Sharing Context

HIPAA's Privacy Rule protects individually identifiable health information. The Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic PHI (ePHI). Both rules apply directly to screen sharing.

What Counts as PHI?

Under HIPAA, PHI includes any information that can identify a patient in combination with health-related data. The 18 HIPAA identifiers include:

  • Names, dates (birth, admission, discharge), geographic data below state level
  • Phone numbers, fax numbers, email addresses
  • Social Security numbers, medical record numbers, health plan beneficiary numbers
  • Account numbers, certificate/license numbers, vehicle and device identifiers
  • Web URLs, IP addresses, biometric identifiers, full-face photographs
  • Any other unique identifying number or code

When you share your screen during a supervision session and your EHR displays a patient's name next to their diagnosis, you have just transmitted PHI to everyone on that call. If anyone on the call is not authorized to receive that information -- or if the call is recorded and stored insecurely -- you may have a HIPAA violation.

The "Reasonable Steps" Standard

HIPAA does not demand that breaches never happen. It requires that covered entities take "reasonable steps" to prevent them. The question regulators ask after an incident is not "Did you prevent all possible disclosure?" but rather "What measures did you have in place to minimize the risk?"

Having no screen-sharing privacy measures in place -- no blurring, no policy, no training -- makes it very difficult to argue that you took reasonable steps. Conversely, implementing a tool like ContextBlur and training your team to use it demonstrates exactly the kind of proactive safeguard that regulators expect.

The Cost of Getting It Wrong

HIPAA violations are not abstract risks. The penalties are structured in tiers:

  • Tier 1 (unknowing): $100 -- $50,000 per violation
  • Tier 2 (reasonable cause): $1,000 -- $50,000 per violation
  • Tier 3 (willful neglect, corrected): $10,000 -- $50,000 per violation
  • Tier 4 (willful neglect, not corrected): $50,000 per violation

The annual maximum per violation category is $1.5 million. And beyond financial penalties, a HIPAA breach triggers mandatory notification requirements, potential OCR investigations, and reputational damage that can affect a practice for years.

For a broader view of how HIPAA intersects with screen sharing technology, read our dedicated guide on HIPAA screen sharing compliance.

Where Therapists Share Screens -- and What Gets Exposed

Electronic Health Records (EHR)

EHR platforms like SimplePractice, TherapyNotes, Jane App, and Valant are the primary tools therapists use daily. During screen sharing, these systems display:

  • Patient names and demographics on the main dashboard
  • Appointment schedules showing who is being seen and when
  • Session notes including clinical impressions, diagnoses, and treatment plans
  • Billing information including insurance details and copay amounts
  • Medication records and prescribing history
  • Contact information for patients and their emergency contacts

The density of PHI on a typical EHR screen is extraordinary. A single dashboard view can contain identifiable information for dozens of patients simultaneously.

Telehealth Platforms

Platforms like Doxy.me and Zoom for Healthcare are HIPAA-compliant for direct patient sessions. But the compliance risk shifts during non-clinical calls -- supervision, consultation, or team meetings -- where the audience may not be covered by the same BAA or may not have a clinical need to see specific patient data.

Insurance and Billing Systems

Insurance verification portals and billing platforms display patient names, dates of birth, insurance ID numbers, claim histories with procedure codes, Explanation of Benefits documents, and payment records and outstanding balances.

Assessment and Testing Platforms

Assessment tools also display patient names alongside raw test scores, diagnostic impressions, and historical data -- all of which qualify as PHI.

The "What Therapists Should Blur" Checklist

Before any screen-sharing session that involves clinical or administrative systems, verify that the following elements are obscured:

  • Patient names on dashboards, schedules, and navigation panels
  • Dates of birth and ages
  • Social Security numbers if visible in any system
  • Medical record numbers and patient IDs
  • Session notes and clinical documentation
  • Diagnoses and diagnostic codes (ICD-10, DSM-5)
  • Insurance information including member IDs and group numbers
  • Contact information including phone numbers, emails, and addresses
  • Treatment plans and therapeutic goals
  • Medication lists and prescribing details
  • Appointment schedules showing other patients' names and times
  • Billing records and payment histories
  • Emergency contact information for patients
  • Assessment results and raw test scores
  • Browser tabs and bookmarks that may reveal patient-related searches

Use this checklist in tandem with a general screen sharing checklist for comprehensive preparation.
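
As an added example (not ContextBlur's code and not part of the original article), the sketch below shows a pre-share check for the checklist items that have a recognizable format: SSNs, dates, phone numbers, emails, diagnostic codes, and medical record numbers. The region list, labels, and patterns are constructed assumptions; patient names and free-text notes cannot be caught by patterns and still need manual review.

```javascript
// Added example: flag checklist identifiers still readable in unblurred regions.
// Patterns are illustrative and narrow; they are not a complete PHI detector.
const PHI_PATTERNS = [
  { kind: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/ },
  { kind: "date", re: /\b(0?[1-9]|1[0-2])\/(0?[1-9]|[12]\d|3[01])\/(19|20)\d{2}\b/ },
  { kind: "phone", re: /(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b/ },
  { kind: "email", re: /\b[\w.+-]+@[\w-]+(\.[\w-]+)+\b/ },
  { kind: "icd10", re: /\b[A-TV-Z]\d{2}\.\d{1,4}\b/ },
  { kind: "mrn", re: /\bMRN[:#\s]*\d{5,10}\b/i },
];

// Constructed sample: in a browser these would be the visible text of page
// regions plus whether a blur is currently applied to each one.
const SAMPLE_REGIONS = [
  { label: "patient header", blurred: true,
    text: "Jane Sample  DOB 04/12/1988  MRN: 0012345" },
  { label: "schedule row", blurred: false,
    text: "Next: 03/09/2026 2:00 PM  (555) 010-4477" },
  { label: "session note", blurred: false,
    text: "Client reports improved sleep; continue CBT weekly." },
  { label: "billing panel", blurred: false,
    text: "Dx F41.1  Member SSN 000-12-3456  jane@example.test" },
];

// Returns one finding per (region, identifier kind). The matched value is
// deliberately left out so the report does not become a second copy of PHI.
function scanRegions(regions) {
  const findings = [];
  for (const region of regions) {
    if (region.blurred) continue; // already obscured on the shared screen
    for (const { kind, re } of PHI_PATTERNS) {
      if (re.test(region.text)) findings.push({ label: region.label, kind });
    }
  }
  return findings;
}

// True only when no unblurred region contains a recognizable identifier.
function safeToShare(regions) {
  return scanRegions(regions).length === 0;
}

console.log(scanRegions(SAMPLE_REGIONS));
```

A clean result only means no formatted identifier was found; the clinical session note in the sample passes the scan even though it may still need blurring for a given audience.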

Clinical Supervision: The Highest-Risk Scenario

Clinical supervision is perhaps the most common scenario where therapists share screens with PHI visible. A supervisee presents a case to their supervisor, often pulling up the EHR to review session notes, treatment plans, and assessment results.

The privacy challenge is layered: the supervisor may not be part of the same practice or BAA, group supervision involves multiple viewers seeing each other's case material, sessions are often recorded for training purposes, and the clinical focus means no one is watching for stray PHI in the sidebar. ContextBlur addresses these challenges by letting the supervisee blur everything except the specific patient data being discussed -- obscuring identifiers while leaving clinical content visible.

How ContextBlur Supports HIPAA Compliance

ContextBlur is a browser extension that lets you selectively blur any element on any web page. For therapists and mental health providers, it supports HIPAA compliance in several specific ways:

Minimum Necessary Standard

HIPAA's "minimum necessary" standard requires limiting PHI disclosure to what is needed for the purpose. A consultant needs clinical content -- not the patient's full name, date of birth, or insurance ID. ContextBlur lets you apply this standard precisely by blurring identifiers while leaving clinical data visible.

Technical Safeguard

The HIPAA Security Rule requires technical safeguards to protect ePHI. Having ContextBlur installed and configured is documentable evidence of such a safeguard.

Breach Prevention

By blurring PHI before sharing your screen, you eliminate the most common vector for inadvertent disclosure during video calls.

For a deeper understanding of how blurring works as a screen sharing privacy measure, read our foundational guide.

Building a HIPAA-Compliant Screen-Sharing Workflow

Before the Call

  1. Identify which EHR screens, documents, or systems you will need to share.
  2. Open each one and configure ContextBlur to blur all PHI that is not directly relevant to the discussion.
  3. If discussing a specific patient, blur all identifying information and consider using initials or a case number verbally instead of the full name.
  4. Close all browser tabs and applications that are not needed for the call.
  5. Disable desktop notifications to prevent patient names from appearing in popup alerts.

During the Call

  1. Share only the specific browser tab or application window -- never your entire screen.
  2. Before scrolling or navigating, pause to verify that new content will not reveal unblurred PHI.
  3. If you need to access an unplanned screen, stop sharing first, navigate and configure blurs, then resume sharing.
  4. Verbally confirm with participants that they understand the confidential nature of the material and their obligations.

After the Call

  1. If the call was recorded, review the recording for any inadvertent PHI exposure.
  2. If you identify an exposure, follow your practice's breach response protocol immediately.
  3. Document the screen-sharing session as part of your supervision or consultation record, noting that privacy measures were in place.

These practices complement general security best practices for any professional who shares screens regularly.

Special Considerations for Group Practices

If you operate or work in a group practice, screen-sharing privacy requires coordination beyond individual behavior:

  • Standardized protocols. Every clinician should follow the same screen-sharing privacy protocol. Develop a written policy and review it during team meetings.
  • BAA coverage. Ensure that any screen-sharing platform is covered by a Business Associate Agreement. ContextBlur operates locally in the browser and does not transmit data, so it does not require a separate BAA.
  • Training documentation. Document that all staff have been trained on screen-sharing privacy -- valuable evidence in audits.

These considerations apply broadly to remote work environments in healthcare, where the physical separation between clinicians makes coordinated privacy practices both more important and more challenging.

Beyond the Screen: A Privacy-First Telehealth Practice

Screen-sharing privacy is one piece of a comprehensive privacy approach for telehealth. Therapists should also consider:

  • Physical environment. Ensure your screen is not visible to others in your workspace.
  • Audio privacy. Use headphones to prevent patient information from being overheard.
  • Secure connections. Use encrypted, HIPAA-compliant platforms for all clinical communications.
  • Device security. Enable full-disk encryption, strong passwords, and automatic screen locks on all clinical devices.

Take Action Today

HIPAA compliance during screen sharing is not optional -- and the tools to achieve it are straightforward. Here is how to start:

  1. Install ContextBlur and configure blur zones on your EHR dashboard, patient schedule, and billing screens. Setup takes less than ten minutes.
  2. Run through the checklist above before your next supervision session or case consultation.
  3. Share this article with your practice. HIPAA compliance is only as strong as the least-prepared team member.
  4. Update your practice's telehealth policy to include screen-sharing privacy as a documented safeguard.

Your patients trust you with their most personal information. Screen sharing does not have to put that trust at risk.