On October 18, 2023, the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued two resource documents to help explain the privacy and security risks to patients’ protected health information (PHI) when using telehealth services, along with ways to reduce these risks. In a press release announcing the guidance, OCR Director Melanie Fontes Rainer stated that “[t]elehealth is a wonderful tool that can increase patients’ access to [healthcare] and improve [healthcare] outcomes. [Healthcare] providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices, so patients are confident that their health information remains private.”
These new resources exemplify the trend of increased scrutiny in the digital health environment, aimed at ensuring that patient data is protected, secured and confidential (including with respect to pixel technology disclosures, artificial intelligence usage guidelines, state-level data privacy laws and medical board guidelines).
Resource #1: Outlining the Risks of Telehealth
With the release of this educational resource, developed on a recommendation from the Government Accountability Office (GAO) in a September 2022 report, OCR intends to help healthcare providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications for telehealth.
OCR notes that the Health Insurance Portability and Accountability Act Privacy, Security and Breach Notification Rules (HIPAA Rules) do not require covered healthcare providers to educate patients about privacy and security risks. However, OCR’s educational resource is intended to assist providers who would like to 1) explain the privacy and security risks to patients’ PHI when using telehealth services and 2) share ways to reduce these risks. This information may also be helpful to a patient’s family or personal representative. HHS encourages and reminds providers to be mindful of inclusionary mechanisms when communicating with individuals with disabilities (e.g., providing auxiliary resources, using language assistance services or providing written translations of materials).
The educational resource provides suggestions for discussing the following:
- What telehealth is, and which technologies will be used during the telehealth encounter
- The importance of PHI privacy and security
- Risks and mitigation strategies when PHI is shared, stored or transferred using remote communication technologies
- Which communication technology vendors are used in delivering the services and how to view their privacy and security policies
- The right to file a privacy complaint with OCR under HIPAA
Resource #2: PHI Security Tips for Patients
OCR’s patient tips resource provides recommendations that patients can implement to protect their privacy, security and confidentiality when interacting via telehealth technologies, including the following:
- Conducting the telehealth appointment in a private location (e.g., a private room or a parked car), wearing headphones and avoiding using a speakerphone
- Turning off nearby electronic devices that may overhear or record information
- Avoiding using a [...]