HHS OCR unveils telehealth privacy and security resources

The U.S. Department of Health and Human Services' Office for Civil Rights (HHS OCR) has released two guidance documents to bolster the privacy and security of telehealth services. 

What's new for providers

A new resource for providers, "Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth," has been rolled out. 

The document offers insights on:

• Explaining telehealth and the technologies employed.
• Discussing the types of telehealth services like audio-only calls, video conferencing, and remote patient monitoring.
• Conveying risks to PHI when using remote communication technologies.
• Discussing privacy and security practices of remote communication technology vendors.
• Addressing the applicability of civil rights laws​​.

What's new for patients

For patients, the "Telehealth Privacy and Security Tips for Patients" provides practical tips for patients to secure their PHI during telehealth sessions:

• Conducting telehealth appointments in private locations.
• Turning off nearby electronic devices that may overhear or record information.
• Utilizing personal computers or mobile devices, and avoiding public or workplace networks.
• Installing all available security updates on devices.
• Employing strong, unique passwords and changing them regularly.
• Enabling lock screen functions to protect stored health information on devices.
• Deleting unneeded health information from devices.
• Activating two-step or multi-factor authentication when available.
• Using encryption tools when possible.
• Avoiding public WiFi networks and USB ports at public charging stations​.

What they're saying

OCR Director Melanie Fontes Rainer praises telehealth for enhancing healthcare accessibility and outcomes. "Telehealth is a wonderful tool that can increase patients' access to health care and improve health care outcomes," she said. "Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private."

Impact on telehealth adoption

The guidance documents offer clear and actionable steps for healthcare providers and patients to ensure the privacy and security of telehealth sessions. By addressing these concerns, the guidance may help to remove barriers of mistrust or lack of understanding that could hinder the adoption of telehealth services. This, in turn, can contribute to a more widespread use of telehealth, making healthcare more accessible.

HIPAA compliance

The guidances outline how audio-only telehealth services can be compliant with HIPAA Privacy, Security, and Breach Notification Rules, particularly when using mobile technologies that leverage electronic media like WiFi. 

Online tracking technologies risk

The Federal Trade Commission and HHS OCR have warned about the privacy and security risks of online tracking technologies integrated into telehealth platforms. Addressing these risks prevents the impermissible disclosure of consumers' sensitive information, ensuring the privacy and security of telehealth services. 

Go deeper: How to use tracking pixels and be HIPAA compliant

What's next

The guidances will likely contribute to setting or refining industry standards regarding privacy and security in telehealth. Establishing a baseline for what patients and providers should expect in terms of data protection could promote consistency across the telehealth industry, making it easier for providers to adhere to best practices and for patients to know what level of privacy and security to expect.

Related: HIPAA Compliant Email: The Definitive Guide