Digital Health 101: OCR Issues Resources to Educate Patients on Telehealth, PHI

BACKGROUND

On October 18, 2023, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued two resource documents to help explain the privacy and security risks to patients’ protected health information (PHI) when using telehealth services, along with ways to reduce these risks. In a press release announcing the guidance, OCR Director Melanie Fontes Rainer stated that “[t]elehealth is a wonderful tool that can increase patients’ access to [healthcare] and improve [healthcare] outcomes. [Healthcare] providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices, so patients are confident that their health information remains private.”

These new resources exemplify the trend of increased scrutiny in the digital health environment, aimed at ensuring that patient data is protected, secured and confidential (including with respect to pixel technology disclosures, artificial intelligence usage guidelines, state-level data privacy laws and medical board guidelines).

IN DEPTH

Resource #1: Outlining the Risks of Telehealth

With the release of this educational resource, developed on a recommendation from the Government Accountability Office (GAO) in a September 2022 report, OCR intends to help healthcare providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications for telehealth.

OCR notes that the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules (HIPAA Rules) do not require covered healthcare providers to educate patients about privacy and security risks. However, the OCR’s educational resource is intended to assist providers who would like to 1) explain the privacy and security risks to patients’ PHI when using telehealth services and 2) share ways to reduce these risks. This information may also be helpful to a patient’s family or personal representative. HHS encourages and reminds providers to be mindful of inclusionary mechanisms when communicating with individuals with disabilities (e.g., providing auxiliary resources, using language assistance services or providing written translations of materials).

The educational resource provides suggestions for discussing the following:

• What telehealth is, and which technologies will be used during the telehealth encounter
• The importance of PHI privacy and security
• Risks and mitigation strategies when PHI is shared, stored or transferred using remote communication technologies
• Which communication technology vendors are used in delivering the services and how to view their privacy and security policies
• The right to file a privacy complaint with OCR under HIPAA

Resource #2: PHI Security Tips for Patients

OCR’s patient tips resource provides recommendations that patients can implement to protect their privacy, security and confidentiality when interacting via telehealth technologies, including the following:

• Conducting the telehealth appointment in a private location (e.g., a private room or a parked car), wearing headphones and avoiding using a speakerphone
• Turning off nearby electronic devices that may overhear or record information
• Avoiding using a computer, mobile device or network that is tied to a workplace or a public setting
• Installing all available security updates on a computer or mobile device used to access telehealth
• Using strong, unique passwords; not using the same password across accounts; and changing passwords on a regular basis
• Locking home screens when personal devices are not in use
• Deleting health information on personal devices
• Enabling two-step or multifactor authentication (when available)
• Using encryption tools (when available) to protect and secure information by making it unreadable by anyone without the required key or password
• Avoiding public Wi-Fi networks and USB ports at public charging stations to lessen the threat of cyber-crime and security vulnerabilities that can occur when using publicly accessible resources
• Asking providers questions about the telehealth appointment and technology, as well as any accommodations that may be needed (e.g., captioning or a screen reader)
• Contacting your healthcare provider if you are suspicious about a link sent from their address

The patient tips resource also includes links to additional information about protecting patient information.

ANALYSIS

While not all telehealth companies meet the definition of a covered entity under HIPAA, many may act as a business associate or otherwise be expected contractually to maintain standards equivalent to those promulgated in the HIPAA Rules. Even though reading and acting on the OCR guidance is not mandatory, regardless of HIPAA status, telehealth providers should be 1) aware of the best practices and educational information described above, 2) prepared to answer questions from patients regarding these topics and 3) mindful of the considerations and risks associated with their platforms. Accordingly, the OCR resources may be helpful reading for privacy officers and others responsible for communicating to patients the risks of telehealth services—either directly or indirectly—through websites or patient forms.

Telehealth companies should also be aware of state laws and licensing board guidance that require providers to make certain disclosures regarding privacy and security prior to a telehealth encounter and/or the technology-related elements that must be included in an informed consent to telehealth visits (e.g., the potential for technical failures or the inherent risks of a virtual visit). In many ways, OCR’s resources dovetail with state-level informed consent requirements. As such, now may be a good time for telehealth companies to revisit their current policies and consent forms to assess whether any gaps should be addressed.

In addition to maintaining and posting a privacy policy and (as applicable) a HIPAA notice of privacy practices, telehealth companies should consider creating FAQs or other patient-facing materials that help explain the privacy, security and confidentiality aspects that are unique to a telehealth encounter, particularly when sending or storing health information on computers or mobile devices.