Telehealth Providers: HHS Issues HIPAA Best Practices
Recognizing the evolving landscape of care delivery and the growth of telehealth, the U.S. Department of Health and Human Services (HHS) published a resource guide aimed at assisting telehealth providers in explaining privacy and security risks to patients who engage in telehealth. The guide explains the risks in telehealth visits and ways to reduce these risks. Importantly, the guidance makes clear that health care providers are not required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to provide this education. Rather, the goal is that the resource guide will help providers that would like to discuss potential risks with the patient.
HHS recognizes that ensuring the privacy and security of protected health information can help promote more effective communication between the provider and patient, which is important for quality care. Accordingly, HHS recommends that providers explain the following to patients before a telehealth session:
- The remote communication technologies that the provider will use in the telehealth session. This should include explaining what telehealth is and providing examples of different types of telehealth services, such as having a health care appointment by telephone or through a video conferencing application.
- The importance of health information privacy and security. Providers should inform patients about the privacy and security protections of the remote communication technologies the provider offers.
- The possible risks to the patient’s information and how to mitigate them. Providers should explain that using remote communication technologies for telehealth can come with risks to the privacy and security of information. Examples of risks that may be relevant to patients include viruses and other malware, unauthorized access, and accidental disclosures of information. Mitigation measures include anti-malware solutions, patching software, and using headphones to avoid others overhearing the telehealth session.
To help patients protect their health information and avoid potential phishing emails or other scams, providers should ensure that the patient knows when and how they will be contacted by the provider, the provider’s office, or the remote communication technology vendor. Information should also be provided about the privacy and security practices of any technology vendor(s) used for the telehealth service.
HHS also released a resource guide targeted at patients, which provides recommendations that patients can independently implement to protect and secure their health information. HHS provides many specific recommendations for patients, including the following:
- Conduct telehealth appointments from private locations.
- Turn off any electronic devices that may overhear or record information, such as smart speakers or security cameras.
- Avoid public computers or mobile devices, if possible, including avoiding public wi-fi connections.
- Install all security updates available on the electronic devices to be used for telehealth appointments.
- Use strong, unique passwords.
- Delete health information from computers or mobile devices when it is no longer needed.
- Turn on multi-factor authentication and use encryption tools when available.
The message from HHS is clear: privacy and security play an integral part in the healthcare experience. HHS is signaling to the telehealth provider community that privacy and security education should be considered part of the patient intake and onboarding experience. While providers are not required to implement these best practices, the type of information that HHS suggests telehealth providers share with patients can often be addressed in the telehealth informed consent or other intake documentation provided to the patient. Telehealth providers should review their intake process and determine whether these best practices can be incorporated as part of the patient experience.
For more information on this new guidance or legal considerations related to digital health or data privacy, contact Foley’s Telemedicine & Digital Health or Cybersecurity & Data Privacy teams.