Amwell can be used in a HIPAA compliant manner when a HIPAA Covered Entity or Business Associate signs a HIPAA Business Associate agreement with Amwell for the applicable services, configures the platform to support required safeguards, and operates telemedicine workflows in a way that prevents impermissible uses or disclosures of protected health information under the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule.
HIPAA compliance for telemedicine depends on how electronic protected health information is created, received, maintained, or transmitted during virtual care encounters. A telemedicine platform can handle protected health information through appointment scheduling, identity verification, clinical notes, chat, document exchange, visit recordings if enabled, encounter metadata, and support interactions. The regulated entity remains responsible for conducting a risk analysis, implementing risk management measures, applying access controls, training workforce members, and maintaining policies that govern remote visit conduct and patient communications.
Amwell’s public privacy materials recognize that protected health information is governed by a HIPAA-specific notice and controls separate from general website privacy statements. Amwell states, “To the extent that there is a conflict between this Privacy Policy and the HIPAA Notice with respect to PHI, the HIPAA Notice will prevail.” That position aligns with the operational requirement to route protected health information handling through processes designed for HIPAA-regulated use rather than through general consumer web interactions.
A HIPAA Business Associate agreement is required when the vendor performs functions involving protected health information on behalf of a regulated entity. Amwell indicates willingness to enter into a HIPAA Business Associate agreement for the applicable services before any protected health information is shared. A regulated entity should confirm the agreement scope, including which Amwell products, features, integrations, and subcontractors are covered, and should keep protected health information out of any service component that falls outside that scope.
Secure telemedicine operations also require controls at the customer level. Administrative safeguards include procedures for patient identity verification, support escalation, contingency operations, and privacy practices for remote work locations. Technical safeguards include unique user identification, role-based access, authentication controls, session management, encryption in transit and logging where the platform makes them available, and controls over recordings and file sharing. Compliance status depends on the signed agreement, the configured environment, and ongoing governance of how protected health information is handled during virtual care.
