GAO Calls on OCR to Educate Patients on Telehealth Security, Privacy Risks

September 29, 2022 - The US Government Accountability Office (GAO) conducted a review of Medicare telehealth services delivered during the pandemic, recommending that the Office for Civil Rights (OCR) provide additional guidance to providers on how to communicate telehealth security and privacy risks to patients.

The COVID-19 pandemic incentivized HHS to temporarily waive certain Medicare restrictions on telehealth use. In addition, in March 2020, OCR announced that it would not impose penalties on providers in regard to noncompliance with certain security and privacy requirements under HIPAA.

OCR’s announcement allowed HIPAA-covered providers to engage in telehealth services without a business associate agreement in place with telehealth platform vendors. In addition, it allowed providers "to engage in good-faith use of any non-public-facing communication product to conduct telehealth visits."

“Specifically, OCR officials said that they opted to exercise enforcement discretion for telehealth so that providers could continue treating their patients during the public health emergency and patients could access care safely. OCR officials acknowledged the additional privacy and security risks of allowing platforms that may not comply with HIPAA to be used for telehealth,” the report noted.

“OCR officials told us that they intended for the Telehealth Notification to serve as a bridge from the public health emergency to a point after the public health emergency when all providers could transition to telehealth platforms that meet all of the HIPAA Rules requirements.”

OCR said it encouraged covered providers to inform patients of potential security and privacy risks. However, OCR did not provide the covered entities with specific language to use to explain the risks and told GAO it would not be possible to track the extent to which providers notify patients of security and privacy risks in a reliable manner.

Some patients did pick up on security and privacy risks, and 43 telehealth security-related complaints were submitted to OCR from March 2020 to December 2021.

Six complaints alleged that providers were not using telehealth platforms that met HIPAA requirements. More than 35 other complaints cited privacy violations, such as an unknown individual appearing in the provider’s camera view during a telehealth visit, or patients seeing or overhearing the PHI of another patient.

“If OCR provided additional information to providers, it could help ensure that patients understand potential privacy and security risks associated with telehealth technology,” the report reasoned.

“With clear information, patients could better weigh the risks to their personal information and understand steps they can take to safeguard their PHI.”

Specifically, GAO recommended that OCR provide additional outreach, education, and assistance to providers to help them explain telehealth security risks in plain language. HHS concurred with the recommendation and noted that OCR recently issued two guidance documents relating to the use of audio-only telehealth.

HHS acknowledged that the previously released documents did not address video telehealth applications.

“HHS notes that it plans to develop additional guidance for providers regarding telehealth and will include information to help providers explain privacy and security risks to individuals in plain language,” HHS’ response concluded.

“Given policymakers’ interest in extending telehealth waivers, we maintain the importance of providing guidance to providers to help them educate patients on privacy and security risks when using video platforms for telehealth services.”

In addition to security and privacy recommendations for OCR, GAO focused a significant portion of its report on CMS and recommended that CMS strengthen its telehealth oversight in order to properly assess the quality of telehealth services.