OCR Issues Guidance on Educating Patients About Telehealth Risks

The HHS’ Office for Civil Rights has issued guidance for healthcare providers to help them educate patients about the privacy and security risks associated with telehealth services, along with tips for patients on protecting their privacy when using telehealth services.

During the COVID-19 pandemic, the HHS temporarily waived restrictions on telehealth and the Office for Civil Rights (OCR) issued a Notice of Enforcement Discretion stating that it would not impose sanctions and penalties for certain violations of the HIPAA Rules related to the good faith provision of telehealth services for the duration of the COVID-19 Public Health Emergency (PHE). As a result of these waivers, the number of visits conducted virtually increased massively. In May 2023, President Biden announced that the PHE had come to an end, and after providing notice, OCR’s period of enforcement discretion also came to an end. Healthcare providers must now ensure that their telehealth services are fully compliant with the HIPAA Rules.

The Government Accountability Office (GAO) was asked to review the telehealth services provided under the HHS waivers. It recommended that the Centers for Medicare and Medicaid Services (CMS) strengthen oversight of telehealth and use codes to allow telehealth visits to be tracked, and that OCR provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks of video telehealth platforms to patients.

The Health Insurance Portability and Accountability Act (HIPAA) does not require healthcare providers to inform patients about the privacy and security risks associated with telehealth services; however, OCR concurred with the recommendation and has produced two guidance documents:

The first resource offers suggestions for discussing the telehealth services that are offered, the risks to protected health information (PHI) when using remote communication technologies, the privacy and security practices of the vendors of telehealth solutions, and the applicability of civil rights laws.

The second document is for patients and offers advice on how telehealth services can be used while reducing privacy and security risks, such as conducting visits in private locations, using encryption (if available), avoiding using public Wi-Fi networks, and the importance of turning on multi-factor authentication.


“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer. “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/