Skip to content
BlurFirst

HIPAA and Screen Sharing: How to Avoid Exposing PHI on a Call or Recording

7 min read

Sharing your screen from an EHR, telehealth or billing tool can expose PHI — names, dates of birth, MRNs, diagnoses and contact details — on a call or in a recording. Here's practical guidance on minimum-necessary sharing, blurring PHI in the page, and reviewing recordings. Not legal advice.

If you share your screen from an EHR, telehealth platform or billing tool, protected health information (PHI) that isn't part of the current visit can land in front of everyone on the call — or into a recording that's kept for months. The practical safeguard is to disclose the minimum necessary: share a single window, blur the PHI you're not actively discussing, and review any recording before you keep or send it. Under HIPAA, an unintended disclosure of PHI can be a reportable event, so the goal is to make an accidental reveal impossible rather than merely unlikely.

What counts as PHI that can appear on screen

PHI is any health information that can be tied to an individual. In Epic, Cerner, athenahealth, a telehealth waiting room or a billing portal, it shows up as:

  • Identifiers — full name, date of birth, address, phone, email, and record numbers like the MRN or account number.
  • Coverage details — insurance member IDs, group numbers, claim and prior-authorization numbers.
  • Clinical information — diagnoses, problem lists, medications, lab and imaging results, and visit notes.
  • Anything that links a person to care — the reason-for-visit on a schedule, a secure-message subject line, a photo, even a face on a video tile.
  • Other patients' data in the margins — the schedule, patient list, inbox and recent-charts menu name people who have nothing to do with this visit.

Why a screen share or recording is a disclosure risk

Two moments create the exposure. Live, whatever is on screen is seen by everyone on the call — including PHI in the margins you never meant to present: the schedule down the side, a secure-message toast, another patient still open in a background tab. Recorded, that same frame is now stored — in a conferencing cloud, a Loom library, a shared drive — where it may be retained, re-shared or subpoenaed long after the call. A recording turns a fleeting glimpse into a lasting record, which is why what you show and what you keep both matter.

Practical safeguards (blur is one of several)

No single control makes a screen share compliant. Layer the environment (what's in frame), the content (what's visible in the page) and the recording (whether you keep it). Here's the risk-to-mitigation map:

PHI-on-screen riskPractical mitigation
Whole desktop or extra windows in frameShare a single application window, never the entire screen or desktop.
Schedule, patient list or inbox naming other patientsBlur those regions in the page before you present; reveal only the chart you're reviewing.
Identifiers on the current chart (name, DOB, MRN, insurance)Element-blur the fields you don't need to discuss; keep visible only the result or plan at hand.
Secure-message toasts and notifications mid-callTurn on Do Not Disturb, and keep a panic blur ready for anything that pops in.
A recording that captured PHI you didn't intend to showReview the recording before keeping or sharing it; trim or delete frames, and prefer not recording when it isn't needed.
Your conferencing or recording vendor storing PHIConfirm the tool is covered by a Business Associate Agreement (BAA) before PHI can appear in it.
Common PHI-on-screen risks and a practical mitigation for each.
  1. 1

    Share one window, not the desktop

    Present only the EHR, telehealth or billing window so email, chat and other patients' records stay out of frame.

  2. 2

    Blur the surrounding PHI

    With BlurFirst, box-blur the schedule, patient list and navigation, then element-blur the identifiers on the chart you're not discussing. The blur is painted into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom and any recording.

  3. 3

    Reveal only the minimum necessary

    Leave visible just the result, order or section you and the patient are reviewing together — everything else stays frosted. Start blurring with Ctrl/⌘ ⇧ Y.

  4. 4

    Keep the panic hotkey ready

    If a message preview or another patient's record appears, press Ctrl/⌘ ⇧ H to blur the whole page instantly, deal with it off-share, then continue.

  5. 5

    Review the recording before you keep it

    If the session was recorded, watch it back for any PHI that slipped through, and trim or delete before it's stored or shared.

A pre-call PHI checklist

  1. Confirm your video and recording tools are covered by a BAA before any PHI appears in them.
  2. Share a single window, not your whole screen or desktop.
  3. Turn on Do Not Disturb so message toasts naming other patients don't appear.
  4. Blur the schedule, patient list and identifiers you won't be discussing.
  5. Reveal only the minimum necessary; keep the panic shortcut in muscle memory.
  6. If you recorded, review and trim before storing or sharing — and keep the recording only if you actually need it.

Frequently asked questions

Does HIPAA prohibit screen sharing PHI?

No. HIPAA doesn't ban screen sharing; it requires you to limit disclosures to the minimum necessary and to use reasonable safeguards. Sharing a single window, blurring PHI you're not discussing, and using tools covered by a Business Associate Agreement are practical ways to meet that standard. This is general guidance, not legal advice.

Is blurring PHI enough to be HIPAA compliant?

No single tool makes you compliant. Blurring helps you disclose the minimum necessary during a screen share or recording, as one safeguard alongside a BAA-covered platform, access controls, Do Not Disturb, recording review and staff training.

Do I need a BAA with my screen-recording tool?

If PHI can appear in the recording and the vendor stores or processes it on your behalf, you generally need a Business Associate Agreement in place first. Confirm your specific obligations with your compliance officer.

What if PHI appeared in a recording I already made?

Treat it as a potential disclosure: review the recording, trim or delete the affected frames, restrict who can access it, and follow your organization's incident and breach-assessment process. Blurring going forward prevents new exposure but can't remove PHI from a frame already captured.

Can a browser extension blur PHI in a desktop EHR?

No. A browser extension only covers content inside a browser tab, which includes web-based EHRs and telehealth portals. A native desktop EHR, a second monitor or the OS itself is out of scope; a desktop app is in development.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome