Two Resources Issued with Implications For Telehealth

US Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

Announcement: HHS Office for Civil Rights Issues Resources for Health Care Providers and Patients to Help Educate Patients about Telehealth and the Privacy and Security of Protected Health Information

On October 18, 2023 the Office for Civil Rights (OCR) of the US Department of Health and Human Services (HHS) issued a press release announcing guidance to help patients understand their privacy and security risks when using telehealth services and ways to reduce risk through two resource documents. Both of these resources aim to share this information in plain language.

They also reflect the growing focus on protecting, securing, and maintaining the confidentiality of patient data in the digital health landscape. This includes oversight of pixel technology disclosures, state-level data privacy laws, AI usage and medical board guidelines.

Resource 1: Telehealth Privacy and Security Tips for Patients

The OCR highlights the increased use of telehealth services stemming from the COVID-19 pandemic and supports their continued use. It has provided resources to help ensure that entities offering telehealth services remain compliant with HIPAA laws and regulations when doing so.

This resource was created as a result of a study conducted in September 2022 by the Government Accountability Office (GAO). It is intended to help providers explain to patients the risks associated with using remote communication technologies, such as video conferencing websites, apps and other platforms, for telehealth purposes.

The resource notes that while “The HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) do not require covered health care providers to educate patients about these risks,” it is intended to help providers explain two things to patients who use telehealth services: 1) the privacy and security risks to their protected health information (PHI), and 2) ways to reduce these risks.

OCR also reminds providers to take care that communications are accessible to individuals with disabilities, for example by providing auxiliary aids and services, language assistance services and other means, as required by civil rights laws.

This educational resource provides guidance to help providers explain this information to patients in five key areas:

  • Explaining what telehealth is and the remote communication technologies that will be used in telehealth sessions.
    For example: outlining the different types of communication used to provide care, such as a phone call, texting platform or messaging app, video conferencing, etc.
  • Why health information privacy and security are important, and helping patients understand how breaches of sensitive information can have a negative impact.
    For example: outlining the potential harm caused by breaches, including medical or financial identity theft, etc.
  • What the possible risks are to a patient’s PHI, and ways to mitigate those risks when using telehealth communications.
    For example: outlining areas of risk such as viruses, malware and unauthorized access, and how to avoid phishing attempts and other scams, depending on the technologies used to provide telehealth services.
  • Providing information on which technology vendors are used in delivering telehealth services and how to view their privacy and security policies.
    For example: providing clear and transparent information on vendor names and where to view the vendors’ websites and privacy practices.
  • The right to file a privacy complaint under HIPAA and how to do so with OCR.

The resource provides helpful examples of ways that providers can share this information, in plain language, with patients to ensure fundamental understanding of the risks associated with telehealth services.

Resource 2: Telehealth Privacy and Security Tips for Patients

This second resource is geared towards patients and offers suggestions that patients can use to safeguard their privacy, security, and confidentiality when using telehealth technologies, such as:

  • Take a telehealth appointment in a private location (such as a private room), avoid speakerphones and ensure the computer screen is not visible to others
  • Turn off devices that could potentially record or hear sensitive information (such as smart speakers, apps or cameras)
  • Use a personal computer or device and avoid using a device tied to a workplace or public setting
  • Ensure all security updates are installed on the computer or mobile device
  • Use strong and unique passwords; do not reuse passwords, and change them frequently
  • Use the lock screen function on a computer or mobile device
  • Delete any health information on the computer or mobile device when it’s no longer needed
  • Use two-step or multi-factor authentication if it’s available
  • Use encryption tools, when available, to ensure information is unreadable to others
  • Avoid the use of public Wi-Fi networks or USB charging ports
  • Ask the provider any questions about the telehealth platform, functionality or technology used to provide services
  • Contact the provider with any concerns about suspicious activity or links

These tips are, in general, good safeguards and steps anyone can take when operating in any kind of digital environment that might intersect with personal information. OCR also provides a list of other resources and links to help consumers understand how to protect personal information and mitigate risk to it.

Unlock’s Take:

These two documents are good resources for both telehealth providers and patients to share and understand the risks associated with using telehealth services.

For patients, this means having a good, fundamental understanding of the risks associated with using telehealth services, and how to mitigate one’s own risk by following some basic practices.

For providers, it offers a straightforward outline, and guidelines, for communicating educational information about telehealth services. While not all telehealth companies may meet the definition of a covered entity under HIPAA, many may act as a business associate on behalf of a covered entity, or otherwise be expected to maintain equivalent standards.

While reading and acting on the OCR guidance is not mandatory, telehealth companies and providers should take care to understand how this information could help promote more effective and safe communication between the provider and patient, which is important for quality care.

Telehealth providers should also understand any state laws, regulations or licensing board stipulations that require them to provide disclosures relating to privacy or security prior to a telehealth visit. This may be a timely opportunity for providers to revisit their policies and ensure that any gaps are addressed.

As technology platforms and services continue to expand, so too will the regulation of patient data privacy, as governments and regulators become increasingly aware of the risks to patient privacy and security posed by the collection and use of patient data by technology companies.

We may continue to see increased regulation of patient data privacy develop in the future as:

  • Governments may pass new laws that require technology companies to obtain explicit consent from patients before collecting and using their data.
  • Regulators may develop new standards for the security and privacy of patient data.
  • Technology companies may be required to disclose more information about how they collect and use patient data.
  • Individuals may be given more control over their own patient data, including the right to access, correct, and delete their data.

The specific nature of future regulations will depend on a number of factors, including the technologies used, the types of patient data being collected, and the public’s concerns about privacy and security. However, it is clear that the increased regulation of patient data privacy is a trend that is likely to continue in the years to come.

The thoughts and opinions expressed in this blog post are for informational purposes only and should not be taken as legal advice. The author of this blog post is not a lawyer and does not provide legal services. If you have any legal questions, you should consult with a licensed attorney in your jurisdiction.