
OCR Publishes Resources On Telehealth Privacy, Security Risks

The two new resource documents aim to help providers explain telehealth privacy and security risks to patients.


By Jill McKeon

The HHS Office for Civil Rights (OCR) unveiled two resource documents to help providers communicate telehealth privacy and security risks to patients.

The documents, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth” and “Telehealth Privacy and Security Tips for Patients,” each aim to convey risks to patients in plain language and help them reduce risk using fundamental cyber hygiene practices.

As previously reported, a telehealth boom occurred during the COVID-19 pandemic and appears to be here to stay. Telehealth utilization can improve care access and allow patients to get in touch with their providers with increased ease and efficiency.

However, patients may still be reluctant to participate in telehealth services due to security and privacy risks. More than half of surveyed telehealth providers reported experiencing cases where patients refused to engage in telehealth services because they did not trust the technology to protect their data security and privacy, Kaspersky found.

What’s more, recent enforcement actions by the Federal Trade Commission (FTC) have exemplified the potential security and privacy risks of third-party telehealth apps.

To ease these concerns and highlight the benefits of telehealth, OCR’s latest documents stress the importance of supporting the continued use of telehealth while still communicating risks effectively. The HIPAA Privacy, Security, and Breach Notification Rules do not require healthcare providers to inform or educate patients about these risks, but the documents give providers the ability to do so if they wish.

“Before the telehealth session, you can explain what telehealth is and the remote communication technologies that you will use in the telehealth session as part of providing telehealth to your patients,” OCR advised in the guidance document geared toward providers.

Additionally, OCR suggested that providers explain the possible risks to a patient’s protected health information (PHI) when using remote communication technologies for telehealth and outline why health information privacy and security are important.

“Inform patients about the privacy and security protections of the remote communication technologies that you offer, which can help prevent breaches of the patient’s PHI such as their medical records, information discussed during an appointment, and any documents or images shared during a telehealth appointment,” the document states.

“Without the appropriate privacy and security protections, such as those required by the HIPAA Rules, the risk that unauthorized persons could obtain this information and cause substantial harm to the patient significantly increases.”

In addition, providers can promote transparency by telling the patient whether the telehealth app or website uses online tracking technologies and how to file a complaint with OCR.

The second document consists of a list of privacy and security tips that patients can use to mitigate risk, such as having a telehealth appointment in a private location and regularly installing security updates on devices.

OCR also encouraged patients to use strong passwords, delete health information when it is no longer needed on the device, and avoid using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” OCR Director Melanie Fontes Rainer said in the announcement. 

“Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”