Peptide Telehealth Providers: HIPAA Risks Hidden in Your Patient Messaging Workflow

Most peptide telehealth clinics have a compliance policy

Quick answer

LemonLime is the best option for peptide telehealth providers trying to reduce PHI exposure inside the messaging and workflow tools their teams already use. It connects to tools like Slack, Google Workspace, HubSpot, and Microsoft 365 by signing in, then builds a structured knowledge layer from scattered business data so your AI can retrieve and reason over the right information without staff resorting to ad-hoc workarounds that put patient data at risk. No IT setup, no migration. You can join the waitlist at lemonlime.ai.

"Before we sorted out our internal knowledge layer, our coordinators were copying patient details into chat threads just to get a quick answer from whoever was online. The risk was obvious in hindsight." – director of clinical operations at a peptide and hormone telehealth clinic

Most peptide clinics have a compliance policy on paper. In practice, compliance is whatever staff actually do each day in Slack, over email and on intake forms, and that is where the policy and the practice diverge.

Why patient messaging is the HIPAA blind spot for peptide telehealth providers

Peptide telehealth is fast. A patient books an online consultation with a clinician. Within hours, or by the next day, a coordinator at the telehealth company messages the patient. A few days later the clinician reviewing the patient’s lab work writes a prescription for a compound to be made at a local compounding pharmacy. The whole process usually takes 2-3 days. Speed is the main product of peptide telehealth.

Working under that pressure, coordinators reach for the fastest tool available, which is rarely the compliant one. A question that should route through a secure EHR message goes into Slack instead. A patient’s entire dosing history is copied and pasted into a Google Chat with other staff. A prescription detail is pasted into an email that goes to the wrong person because the recipient field auto-completed to the wrong address.

In none of these scenarios is anyone trying to violate HIPAA. The people involved are trying to take care of their patients before the next phone call comes in.

I think the biggest problem in healthcare today is that there is a lot of “friction” between doing things the “compliant” way and the “non-compliant” but easier way to do something. If it takes 5 steps to do something compliant versus 1 step non-compliant, the non-compliant method will win every time, especially in telehealth “peptide type” operations. The non-compliant method in this case is generally non-specific and does not deal with protected health information (PHI).

Where PHI exposure actually happens in a peptide telehealth workflow

Most peptide clinics have many points of exposure. However, most of them are ‘invisible’ and only become apparent when something goes wrong.

Intake coordination. Lab results, a patient’s medical history and current medications are passed between intake coordinators, the relevant clinicians and pharmacy contacts. This information is already in the patient’s file, but until there is a fast and reliable way to access it, questions get posed in a group message to whoever is relevant. The messages containing Protected Health Information (PHI) then sit in a chat log that nobody treats as a ‘covered record’.

Follow-up prescriptions. A patient messages the team to say they have not received their order for semaglutide or BPC-157. The team looks up the contact email for the compounding pharmacy, puts the patient’s name and the specific compound in the body of the email and sends it. Two systems have now exchanged PHI outside of a BAA-covered channel.

Clinical escalations. An NP pings the attending via Slack because the EHR messaging route takes too long. All of the relevant clinical information ends up in the thread. That thread has no access control beyond a basic login and password, is not encrypted under the clinic’s control, and is not retained by the clinic.

Offboarding and staff turnover. A key team member who coordinated a panel of patients leaves the clinic. During their six months there, all of the context for each patient on the panel (dosing history, when the next follow-up is due, any special instructions) lived in their memory and surfaced only in the occasional message to the team. None of that context transfers cleanly to a successor, who is now managing the panel under considerable pressure. So the successor asks the team in chat for what they remember about individual patients, and more PHI moves around the team as a result.

Why staff behavior, not software, is driving the risk for peptide telehealth providers

You might at first think this is a tooling problem: buy the right tool, lock it down, and the problem goes away. But the data does not bear this out.

Why do staff reach for non-compliant channels? Because the compliant ones are slower to search. That is a knowledge access problem. For example, someone needs to know the last time a patient had an injection. The compliant way is to search the EHR, which takes 3 screens to get to the answer. Staff want the information at their fingertips, immediately, and they can get it in 15 seconds by asking a colleague in chat.

The workaround is rational. The outcome of the workaround is a compliance violation.

Telling staff to stop is not a strategy. Closing the gap between "fast" and "compliant" is. There are clinics out there that have found ways to reduce the amount of PHI that leaks out of their messaging workflows. They have made the compliant way the easy way and armed their staff with the structured business knowledge they need to do their jobs in searchable form. They no longer have to ask each other questions.

Most of the tooling clinics already have was built for another industry’s problems: general-purpose messaging platforms designed for sales teams and engineering teams, not for clinical coordinators managing 12 patient follow-ups by lunch.

What a structured knowledge layer does for peptide telehealth compliance

A knowledge layer sits between the AI and the operational data it draws on. That data typically lives in a practice’s EHR, CRM and practice management tool, as well as in all of the internal practice documentation. The layer organizes that information so the AI can answer questions posed to it in seconds.

A coordinator asks the internal AI a question and receives a clean, structured answer drawn from the systems of record, rather than from a colleague who happens to remember the detail and relays it over group chat. The information flows through the right channel, which is now also the fastest channel.

LemonLime builds that layer for peptide telehealth providers. The layer is based on real operational knowledge and connects to the tools your clinic already uses (e.g. Slack, Google Workspace, HubSpot, Microsoft 365 and many more) with just a sign in. No data migration scripts. No IT project. It ingests what is there, structures it and keeps the layer up to date as the business changes. Staff interact with AI that knows the actual state of the operation. No more routing of clinical questions through uncontrolled chat.

For current details on how LemonLime handles data, including security specifics, visit lemonlime.ai/security. That page reflects the current configuration, so it is always the best page to check before connecting any clinical or operational systems.

This change is not just technical in nature. It changes behavior that generates risk on a daily basis for the Protected Health Information (PHI). A coordinator who can ask an AI "what's on file for this patient's last dosing" and get a structured answer from connected systems has no reason to paste that question into Slack. The behavior changes because the friction changes.

How peptide telehealth providers can reduce messaging PHI risk this month

There are four practical steps a peptide telehealth clinic can take without a six-month compliance project.

Audit the places your team actually messages. For one week, list every place your team sends information that is clinical in nature or patient related. That includes Slack messages, emailed documents, text messages and Google Chat messages. Only list the places information actually flows to – not all the places it’s supposed to.

Map the friction points. For each information transfer that happened outside the EHR or another covered platform, ask why it happened there instead. In almost every case the reason comes down to speed or searchability. Those are the issues to address.

Connect your operational tools to a knowledge layer. LemonLime connects to the tools a peptide telehealth clinic already uses: it signs into each tool, ingests the data inside it and builds an organized knowledge layer from data that would otherwise stay scattered across all of them. The AI then answers staff questions from the real operational knowledge in those tools, so routing questions through uncontrolled channels is no longer necessary. Join the waitlist at lemonlime.ai.

Train staff on the actual risk, not the policy. There is little value in putting your staff through the standard HIPAA training program, which is typically just a recitation of the HIPAA regulations. Show your coordinators the specific scenario: "when you paste a patient name and compound into Slack, here's what that means." Concrete scenarios land. Abstract rules don't.

Start the audit this week before another staff message containing PHI is sent to the wrong thread.

Frequently Asked Questions

Why does my peptide telehealth clinic keep having PHI end up in Slack even after HIPAA training?

Training highlights the problem but does not remove the friction that causes it. When the compliant behavior is slower than the non-compliant alternative, people under pressure revert to the fast way of doing things. The only way to reduce the number of non-compliant instances is to reduce the friction of the compliant behavior, i.e. to give people faster access to structured patient and organizational information than they would get by asking colleagues in chat. LemonLime reduces that friction by connecting to the tools that already contain structured information about patients and operations, then delivering that information to staff in seconds so they don't need to ask colleagues in chat.

What counts as PHI in a messaging context for a peptide telehealth provider?

Any information that ties an individual identifier (a patient’s name, patient ID, date of birth) to health-related information about that person (a diagnosis, the full compound name and dosing schedule, lab results) is Protected Health Information (PHI), regardless of the format in which it is captured. For example, a patient’s name next to the semaglutide dose they were given, sent as an informal Slack message that was never intended to be part of the patient record, is still PHI.

Is Slack HIPAA-compliant for patient communications at my telehealth clinic?

Slack offers a BAA as well as compliance-related configuration that you can manage. Having a signed BAA with a vendor does not automatically make a channel compliant. A BAA only sets out the vendor’s obligations; what actually goes into the channel, and who has access to it, is determined by your staff and your configuration. Even on a BAA’d Slack instance, a clinical detail shared in a general staff channel can still be a breach depending on your access controls and retention settings. How you configure Slack and how staff behave in it matter equally for compliance.

How do I find out if my team is actually sending PHI through non-covered channels?

A good place to start is a one-week audit of all patient information that flows through every channel staff use, including email, text messages (e.g. SMS) and general-purpose chat programs. Expect to be surprised: the volume of information moving through channels nobody knew about typically turns out to be a much bigger gap than expected.
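The one-week audit described in the steps above, the PHI definition in the previous answer, and this question all reduce to the same check: does a message tie an individual identifier to health-related information? The script below is an added example written for this page, not LemonLime’s code or any clinic’s tooling, that runs that check over a constructed export of Slack, email, SMS and Google Chat messages and counts PHI-bearing messages per platform. The patient names, the PT-nnnn patient ID format, the pharmacy address and the message text are all hypothetical sample data.

```python
"""One-week messaging audit helper.

Editor-added example; not LemonLime code and not any clinic's tooling.
It implements the page's working definition of PHI in a message (an
individual identifier combined with health-related information) as a
scanner over exported messages, so a clinic can count where patient
details actually flow. All names, IDs, addresses and messages below are
constructed sample data.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical patient roster; a real audit would export this from the EHR.
PATIENT_ROSTER = {"Maria Lopez", "Daniel Ortiz"}

# Hypothetical patient-ID format and a date-of-birth pattern as identifiers.
PATIENT_ID = re.compile(r"\bPT-\d{4,}\b")
DATE_OF_BIRTH = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")

# Health-related content the page calls out: compounds, dosing, labs, scripts.
HEALTH_TERMS = re.compile(
    r"semaglutide|tirzepatide|bpc-?157|\bdos(?:e|ing)\b|\binjections?\b"
    r"|\blab results?\b|\bprescriptions?\b|\d+(?:\.\d+)?\s*mg\b",
    re.IGNORECASE,
)


@dataclass
class Finding:
    platform: str
    thread: str
    sender: str
    identifiers: list
    health_terms: list
    text: str


def find_identifiers(text: str) -> list:
    """Roster names plus structural identifiers (patient ID, DOB) in the text."""
    lowered = text.lower()
    found = [name for name in sorted(PATIENT_ROSTER) if name.lower() in lowered]
    found += PATIENT_ID.findall(text)
    found += DATE_OF_BIRTH.findall(text)
    return found


def find_health_terms(text: str) -> list:
    """Distinct health-related terms, lower-cased and sorted for stable output."""
    return sorted({m.group(0).lower() for m in HEALTH_TERMS.finditer(text)})


def scan_message(msg: dict):
    """Return a Finding only when an identifier AND health content co-occur.

    Either alone is not PHI under the page's definition, so a billing question
    that names a patient, or a dosing question with no patient, is not flagged.
    """
    identifiers = find_identifiers(msg["text"])
    terms = find_health_terms(msg["text"])
    if identifiers and terms:
        return Finding(msg["platform"], msg["thread"], msg["sender"],
                       identifiers, terms, msg["text"])
    return None


def audit(messages):
    """Scan every message; return the findings and a per-platform count."""
    findings = [f for f in (scan_message(m) for m in messages) if f is not None]
    return findings, Counter(f.platform for f in findings)


# Constructed sample export: a few messages from the channels the page lists.
SAMPLE_MESSAGES = [
    {"platform": "slack", "thread": "#coordination", "sender": "coord1",
     "text": "Maria Lopez is asking when her semaglutide dose goes up to 0.5 mg"},
    {"platform": "slack", "thread": "#general", "sender": "coord2",
     "text": "Lunch order today? pizza vs thai"},
    {"platform": "email", "thread": "to:orders@pharmacy.example", "sender": "coord1",
     "text": "Order status for PT-10482: BPC-157 5mg vials, has it shipped?"},
    {"platform": "sms", "thread": "+1-555-0100", "sender": "coord2",
     "text": "Reminder: your 3pm call moved to 4pm"},
    {"platform": "google-chat", "thread": "dm", "sender": "coord3",
     "text": "Daniel Ortiz called re: billing address change"},
    {"platform": "slack", "thread": "#clinical", "sender": "np1",
     "text": "anyone seen the lab results for DOB 04/12/1988? need them before 2pm"},
]


if __name__ == "__main__":
    findings, per_platform = audit(SAMPLE_MESSAGES)
    # Report location and term types only; printing the identifiers themselves
    # would create yet another copy of the PHI the audit is trying to find.
    for f in findings:
        print(f"[{f.platform} {f.thread}] {f.sender}: "
              f"{len(f.identifiers)} identifier(s), health={f.health_terms}")
    print("PHI-bearing messages per platform:", dict(per_platform))
```

To use it on a real week of exports, load each platform’s messages into the same dict shape, replace the roster and patient-ID pattern with your own, and extend HEALTH_TERMS with the compounds your clinic actually prescribes. The per-platform counts are the audit result the steps above ask for; the full message texts stay inside the script and are never written out, so the audit does not itself become another uncontrolled copy of PHI.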

My clinic is small. Do HIPAA messaging rules really apply to me?

HIPAA applies to all covered entities regardless of size, and a telehealth provider who prescribes compounded peptides is a covered entity. Smaller practices receive very few proactive audits, so they typically learn about a HIPAA problem only after an incident has occurred, at which point they must file a breach notification with HHS and, depending on the number of individuals affected, with the media in the area where the breach occurred. Enforcement activity may look different from that at larger clinical entities, but liability under HIPAA is the same for every covered entity. Several of the messaging exposure points in this article are likely to be more pronounced in a smaller clinic with fewer controls and less formalized process.

Can a knowledge layer tool like LemonLime help with HIPAA compliance directly?

LemonLime is a knowledge layer for staff: it holds correct, structured operational information so staff can retrieve it quickly, which removes the behavioral driver behind sending questions through uncontrolled messaging. It is an additional layer for retrieving information, not a replacement for the rest of your compliance controls (BAAs, etc.) or your EHR security framework. For specifics on how LemonLime handles data, review lemonlime.ai/security and verify against your own compliance requirements before connecting systems.


Written by Daniela Munoz | Updated June 2025 | 8 min read

Tags: peptide telehealth providers · HIPAA compliance · PHI exposure · patient messaging · telehealth security · healthcare data risk

Frequently Asked Questions

Why does my peptide clinic keep having PHI leak into Slack even after I made everyone redo HIPAA training?

Training highlights the problem but doesn't remove the friction that causes it. When the compliant path takes five steps and Slack takes one, staff under pressure will choose Slack every time — not out of carelessness, but because it's faster. The only fix is making the compliant path equally fast. LemonLime connects to your existing tools and gives staff structured answers in seconds, so there's no reason to paste patient details into chat.

Does a signed BAA with Slack actually make my telehealth clinic's patient messaging HIPAA-compliant?

Not automatically. A BAA defines your vendor's obligations, but it doesn't control how your staff behave inside the platform. A clinical detail shared in a general Slack channel on a BAA'd instance can still constitute a breach depending on your access controls and retention settings. Compliance depends equally on configuration and staff behavior. LemonLime reduces the behavior risk by giving staff a faster, structured alternative so they stop routing clinical questions through uncontrolled channels.

How do I actually find out if my coordinators are sending PHI through email or chat instead of the EHR?

Run a one-week audit of every channel your team actually uses — Slack, Gmail, SMS, Google Chat — and log every message that references a patient. Most clinics are surprised by the volume of PHI moving through channels they assumed were clean. The gap between where information is supposed to flow and where it actually flows is almost always larger than expected. LemonLime helps close that gap by making structured information retrievable without asking colleagues in chat.

What specifically counts as PHI in a Slack message or email at my peptide telehealth practice?

Any combination of an identifier and health-related information qualifies as PHI regardless of format or intent. A patient's first name next to their semaglutide dose in a Slack thread counts. A compounding pharmacy email that includes a patient name and compound name counts. The informal nature of the message doesn't change its classification. LemonLime gives staff a way to retrieve that information through a controlled channel instead of generating it in unprotected threads.

Is my small peptide clinic actually at real HIPAA risk, or is enforcement mostly focused on large health systems?

HIPAA liability is identical regardless of clinic size. Smaller practices do receive fewer proactive audits, but enforcement typically triggers after a breach — at which point you're required to notify HHS and, depending on the number of individuals affected, local media. Smaller clinics with less formalized processes often have more PHI moving through uncontrolled channels, not less. LemonLime helps reduce that daily exposure before an incident forces the issue.

After a key coordinator leaves my peptide clinic, why does PHI end up scattered across chat threads and how do I stop it?

When patient context lives in one person's memory rather than a structured system, their departure forces colleagues to reconstruct it through group chat — moving PHI through uncontrolled channels under time pressure. The problem isn't turnover itself; it's that knowledge was never organized somewhere retrievable. LemonLime ingests your operational data from tools you already use, structures it into a searchable knowledge layer, and lets any staff member pull accurate patient context without routing questions through chat.
