The HHS’ Office for Civil Rights has issued guidance for healthcare providers to help them educate patients about the privacy and security risks associated with telehealth services, along with tips for patients on protecting their privacy when using telehealth services.
During the COVID-19 pandemic, the HHS temporarily waived restrictions on telehealth and the Office for Civil Rights (OCR) issued a Notice of Enforcement Discretion stating that it would not impose sanctions and penalties for certain violations of the HIPAA Rules related to the good faith provision of telehealth services for the duration of the COVID-19 Public Health Emergency (PHE). As a result of these waivers, the number of visits conducted virtually increased massively. In May 2023, President Biden announced that the PHE had come to an end, and after providing notice, OCR’s period of enforcement discretion also came to an end. Healthcare providers must now ensure that their telehealth services are fully compliant with the HIPAA Rules.
The Government Accountability Office (GAO) was asked to review the telehealth services provided under the HHS waivers. It recommended that the Centers for Medicare and Medicaid Services (CMS) strengthen oversight of telehealth and use codes to allow telehealth visits to be tracked, and that OCR provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks of video telehealth platforms to patients.
The Health Insurance Portability and Accountability Act (HIPAA) does not require healthcare providers to inform patients about the privacy and security risks associated with telehealth services; however, OCR concurred with the recommendation and has produced two guidance documents:
- Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth
- Telehealth Privacy and Security Tips for Patients
The first resource offers suggestions for discussing the telehealth services that are offered, the risks to protected health information (PHI) when using remote communication technologies, the privacy and security practices of the vendors of telehealth solutions, and the applicability of civil rights laws.
The second document is for patients and offers advice on how telehealth services can be used while reducing privacy and security risks, such as conducting visits in private locations, using encryption (if available), and avoiding public Wi-Fi networks. It also covers the importance of turning on multi-factor authentication.
“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer. “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”