
How to Evaluate the Technology & Privacy of a Virtual Intensive Outpatient Program (IOP)

By Virtual IOP Editorial Team

A Virtual Intensive Outpatient Program (IOP) combines structured clinical care with the convenience of online access. For many people, telehealth has become the primary way they receive mental health or substance-use treatment. Recent analyses show that telehealth visits for behavioral health remain dramatically higher than before the pandemic and account for a large share of outpatient visits to behavioral-health specialists.

That convenience comes with a critical question: How do you know the technology behind a virtual IOP is truly safe, private, and compliant?

This guide walks you through how to evaluate the technology, privacy protections, and data practices of any virtual IOP so you can participate in treatment with confidence.


Why Technology & Privacy Matter in Virtual IOPs

Virtual IOPs deal with highly sensitive information:

  • Mental health diagnoses
  • Substance use history and treatment
  • Family dynamics, trauma, legal issues, and more

In addition to standard HIPAA protections, substance-use treatment records often fall under 42 CFR Part 2, a federal confidentiality rule designed to give people extra protection against the misuse of their substance use disorder (SUD) records.

Because sessions happen online, your privacy depends not just on the clinicians, but also on:

  • The telehealth and messaging platforms they use
  • How data is stored, encrypted, and shared
  • Whether group sessions are handled securely
  • How third-party tools (analytics, apps, portals) are configured

Let’s break down what to look for and the questions to ask any virtual IOP before you enroll.


1. Understand the Basics: What Makes a Telehealth Platform “HIPAA-Compliant”?

In the United States, most mental health and substance-use providers are subject to HIPAA, which includes the Privacy, Security, and Breach Notification Rules. The U.S. Department of Health and Human Services (HHS) has confirmed that providers can use remote communication technologies for telehealth, including audio-only in some cases, as long as they follow HIPAA requirements.

When a program says their platform is “HIPAA-compliant,” you can ask for specifics:

  • Business Associate Agreement (BAA):

    • Does the telehealth vendor sign a BAA with the provider?
    • This is required when the vendor handles protected health information (PHI).
  • Encryption in transit and at rest:

    • Are video, audio, and messaging sessions encrypted end-to-end or at least encrypted in transit?
    • Are recordings (if any) and clinical notes stored in encrypted form on secure servers?
  • Access controls & authentication:

    • Does the platform use strong logins (unique accounts, strong passwords, or multifactor authentication)?
    • Are staff accounts limited to “minimum necessary” access?
  • Audit logs and monitoring:

    • Can the platform track who accessed which records and when?
    • Are logs reviewed for suspicious activity?

If a program cannot clearly describe how their telehealth platform meets HIPAA standards, that’s a reason to pause and ask more questions.


Questions to Ask

  • “Which telehealth platform do you use, and do you have a signed BAA with them?”
  • “Is my data encrypted during sessions and while stored on your systems?”
  • “Who on your team can see my information, and how is access controlled?”

2. Ask Exactly Which Tools They Use (Video, Chat, Portals & Apps)

Many virtual IOPs use a combination of tools:

  • A secure video platform for live sessions
  • A patient portal or app for messaging, scheduling, and homework
  • E-signature tools for forms and consent
  • Separate systems for billing and insurance

While consumer apps like regular video chat or messaging tools may feel familiar, they are not always configured or licensed in a way that meets HIPAA standards. HHS guidance emphasizes that covered entities must choose technologies and configurations that meet HIPAA’s privacy and security requirements.

You don’t need to be a tech expert, but you do have the right to know:

  • Are they using healthcare-specific or “enterprise” versions of tools designed for clinical use?
  • Are you expected to download an app? If so, who makes it, and how is your data protected?
  • Does any part of your experience run through unsecured email, SMS, or basic consumer apps?

Questions to Ask

  • “Is there a secure portal or app I’ll use? How is it different from regular email or text?”
  • “Do you ever use regular SMS or unencrypted email for appointment links or clinical information?”
  • “If I lose my phone or laptop, what should I do to protect my account and data?”

3. Protecting Privacy During Group Sessions

Virtual IOPs often rely heavily on group therapy, which raises additional privacy questions:

  • Who can see or hear your sessions?
  • How are group links shared and protected?
  • Are sessions recorded?

HHS patient privacy guidance for telehealth encourages people to:

  • Conduct sessions in a private, quiet space
  • Avoid using public Wi-Fi when possible
  • Turn off or move devices that might listen/record (smart speakers, home cameras)

A good virtual IOP should proactively coach you on how to protect your privacy at home.


Questions to Ask

  • “How do you protect privacy in group sessions (waiting rooms, passwords, locked rooms)?”
  • “Are group or individual sessions ever recorded? If so, why, and how long are recordings kept?”
  • “What guidance do you give participants about creating a private space at home?”

4. Special Rules for Substance Use Treatment Data (42 CFR Part 2)

If the program provides substance use disorder treatment, your records may be protected not only by HIPAA, but also by 42 CFR Part 2—a federal regulation that places strict limits on how SUD records can be used and disclosed.

Key points:

  • SUD treatment records generally cannot be used to investigate or prosecute you without your consent or a qualifying court order.
  • Programs must obtain specific, written consent to share Part 2–protected information in many situations.
  • Electronic exchange of SUD records (through telehealth platforms, portals, and EHRs) must still respect these Part 2 rules.

If you’re seeking help for substance use, it’s entirely appropriate to ask how a program handles these additional protections.


Questions to Ask

  • “Does your program fall under 42 CFR Part 2, and if so, how do you comply?”
  • “How do you handle my consent for sharing SUD-related information with other providers or my family?”
  • “If I revoke my consent, what happens to future disclosures?”

5. Data Beyond Sessions: Portals, Tracking, and Marketing Tools

Today, many health websites and apps use analytics, cookies, and tracking technologies. Regulators have raised concerns about telehealth companies sharing sensitive data with advertisers or analytics platforms without proper safeguards or transparency.

For a virtual IOP, this raises important questions:

  • Are they using tracking tools on intake forms or patient portals?
  • Is any information that could be linked to your health (for example, specific pages visited or form fields completed) being shared with third parties for marketing or advertising?
  • Do their privacy notice and terms of use explain clearly what data is collected and why?

Programs that treat privacy as a core value will be transparent about these issues and will limit data sharing to what’s truly necessary for care and operations.


Questions to Ask

  • “Do you use tracking or analytics tools on your intake or patient portal pages?”
  • “Is any of my identifiable health information shared with third-party marketing or advertising tools?”
  • “Where can I read your privacy policy, and who can I contact with questions?”

6. Accreditation, Certifications, and What They Signal

Technical security is only one part of the picture. Organizational safeguards and external review also matter.

In 2024, The Joint Commission launched a dedicated Telehealth Accreditation Program for hospitals, ambulatory providers, and behavioral health organizations that provide care exclusively via telehealth.

While accreditation is not required for all high-quality virtual IOPs, it can signal that a program has:

  • Formal policies and procedures for telehealth
  • Governance and risk-management structures
  • Processes for quality improvement and safety

Other certifications—such as HITRUST or SOC 2 for technology vendors—can also indicate that systems have undergone independent security review.


Questions to Ask

  • “Is your program or telehealth platform accredited or certified by any external organizations?”
  • “How often do you review and update your telehealth policies and security practices?”
  • “Do you perform regular security risk assessments or penetration testing?”

7. A Practical Checklist: Tech & Privacy Questions for Any Virtual IOP

Use this quick checklist when you’re comparing programs. You don’t need perfect answers to every item, but programs should respond clearly and confidently.

Platform & Security

  • What telehealth platform, portal, and apps do you use?
  • Do you have BAAs in place with all vendors who handle PHI?
  • Is my data encrypted in transit and at rest?

Access & Controls

  • Who on your team can access my records?
  • Do you use unique logins and multifactor authentication for staff?
  • Can I use multifactor authentication for my patient account?

Group Sessions & Environment

  • How are links to group sessions shared and protected?
  • Are sessions recorded? If so, why and for how long?
  • What tips do you provide to help me create a private space at home?

Substance Use & Legal Protection

  • Does 42 CFR Part 2 apply to your program, and how do you comply?
  • How do you handle my consent for sharing SUD-related information?

Data Use & Tracking

  • Do you use any tracking technologies that may collect information about my visit or behavior on your site or portal?
  • Is any of that information shared with third parties for analytics or marketing?
  • Where is your privacy policy, and when was it last updated?

Governance & Oversight

  • Are you accredited for telehealth, or do you follow any formal telehealth standards or frameworks?
  • Who oversees privacy and security in your organization?

Ready to Compare Programs?

Technology and privacy shouldn’t be an afterthought when choosing a virtual IOP—they’re central to your safety, dignity, and long-term trust in your care team.

Our directory highlights verified virtual IOPs and makes it easier to compare programs by specialty, population, and location. As you browse, use the questions in this guide to evaluate each program’s technology and privacy practices and to start informed conversations with admissions teams.



FAQ

Q: Are regular video chat apps safe enough for virtual IOP sessions?

Not necessarily. Under HIPAA, providers must use technologies and configurations that protect PHI with appropriate privacy and security controls. HHS guidance makes clear that telehealth technologies should be selected and configured to comply with HIPAA, especially now that temporary pandemic flexibilities have expired.

Q: Can my virtual IOP record our sessions?

Some programs may record sessions for supervision, training, or quality review, but many choose not to record to reduce risk. HHS telehealth privacy guidance advises that telehealth visits generally should not be recorded, and that only necessary clinical information should be documented in your health record. If recording is used, the program should obtain your informed consent, explain how recordings are stored and protected, and tell you who can access them.

Q: What can I personally do to protect my privacy in virtual IOP?

You can:

  • Use a private, quiet room with the door closed
  • Avoid public Wi-Fi when possible
  • Use headphones so others can’t overhear
  • Turn off or move smart speakers and home cameras during sessions
  • Log out of your portal/app when you’re done and enable device security (passcode, FaceID, etc.)

If you have concerns, share them with the program before you start—a trustworthy virtual IOP will welcome these questions and have clear answers ready.