OCR Issues Telehealth Guidance for Providers and Patients

The HHS’ Office for Civil Rights has issued new guidance for healthcare providers to help them educate patients about privacy and security risks when using remote communications technologies for telehealth visits and recommendations for patients on how they can protect and secure their health information.

During the pandemic, healthcare providers massively expanded their telehealth services to ensure that patients could access the medical services they needed while reducing the risk of contracting COVID-19. OCR issued a Notice of Enforcement Discretion covering the good faith provision of telehealth services to make it easier for healthcare providers to provide telehealth services during the pandemic by using non-public-facing communications platforms that are not fully HIPAA compliant, such as platforms where vendors would not enter into business associate agreements. Now that the COVID-19 public health emergency has been declared over, OCR’s telehealth Notice of Enforcement Discretion has expired; however, OCR continues to support telehealth services, which have proven popular with both providers and patients.

Telehealth Privacy and Security Risks

Healthcare providers must ensure that the communications platforms they use for providing telehealth services support HIPAA compliance. Even when ‘HIPAA-compliant’ platforms are used for telehealth, there are still privacy and security risks that must be addressed and reduced to a low and acceptable level. In the summer of 2022, ahead of the telehealth flexibilities coming to an end, OCR issued guidance for healthcare providers on HIPAA and audio-only telehealth services.

While HIPAA does not require healthcare providers to educate patients about the privacy and security risks associated with telehealth, a Government Accountability Office (GAO) review of the Medicare telehealth services provided during the COVID-19 pandemic – Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks – recommended that OCR issue guidance to help healthcare providers explain the privacy and security risks associated with telehealth services to patients.

During the review, GAO identified numerous complaints that had been made about the use of non-compliant technology during the pandemic. More than 3 dozen complaints had been filed about the presence of third parties during appointments, and there were instances where providers shared PHI without obtaining patient consent. GAO concluded that there was a need for additional education and outreach to help providers explain the privacy and security risks associated with telehealth to patients, to make sure that those risks are fully understood. OCR concurred with the recommendation and agreed to publish new guidance.

New OCR Telehealth Privacy and Security Resources

Two guidance resources were published by OCR on October 18, 2023. The first guidance document is for healthcare providers to help them educate patients about the privacy and security risks associated with remote communication technologies, and the second guidance document is for patients and offers tips on privacy and security when taking advantage of telehealth services.

The provider guidance – Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – offers suggestions for healthcare providers to help them discuss the telehealth options offered, the potential risks to protected health information associated with remote communications technologies, the privacy and security practices of vendors of telehealth communication tools, and the applicability of civil rights laws.

The patient guidance – Telehealth Privacy and Security Tips for Patients – offers recommendations for patients on how they can protect and secure their protected health information, such as the importance of conducting telehealth visits in private settings, activating multi-factor authentication, using encryption, and avoiding using public Wi-Fi networks.

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” said OCR Director Melanie Fontes Rainer. “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
