‘An Unknown Individual Walked In’: Protecting Against Telehealth Risks Includes Non-IT Threats

Health Care Compliance Association (HCCA)
Report on Patient Privacy 24, no. 2 (February 2024)

The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth.

In fact, in 2022, the Government Accountability Office (GAO) issued “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.”[1] While three of GAO’s four recommendations were directed at the Centers for Medicare & Medicaid Services, it had one for OCR, which prompted the agency’s two-part guidance for providers on helping patients’ protected health information (PHI) stay safe during a telehealth visit.

GAO offered eye-opening information from OCR about some complaints received during the pandemic about telehealth—data agency officials don’t appear to have shared publicly outside of the report. The nature of some of the complaints harks back to age-old privacy issues, such as conversations not really being private, which have little to do with the technology of telehealth. These can serve as reminders to providers that a focus on foundational issues will still serve them well, particularly as certain telehealth flexibilities adopted during the pandemic become permanent, ensuring that telehealth is not only here to stay but growing.

An article in a recent RPP offered experts’ suggestions for providers and other covered entities (CEs) to ensure their telehealth programs are HIPAA-compliant, particularly now that OCR’s noncompliance waivers have expired.[2] Revising, if necessary, contracts with vendors and other business associates to employ only products that meet privacy and security requirements is among the tasks that—if not already completed—are overdue.

According to GAO, “from March 2020 through December 2021, OCR received 43 complaints regarding privacy and security concerns with telehealth visits.”

Among them:

  • Seventeen people said that “third parties were present during a telehealth visit,” with some complaining that they saw “an unknown individual walk behind the provider.”

  • Thirteen people “alleged the provider shared patients’ PHI without permission during their telehealth visit.”

  • Seven others “alleged patients overheard or saw the PHI of another patient.”

Small Providers May Lack Funds for Secure Solutions

Just six complaints dealt directly with a telehealth platform itself, OCR told GAO. “Specifically, five patients and one employee of a covered provider alleged that providers were using telehealth platforms that did not meet the HIPAA requirements.” (This, of course, might have been okay during the enforcement discretion period.)

GAO wasn’t able to assess how widespread the use of noncompliant telehealth platforms was at the time it completed its report. Twenty of 26 “provider groups with whom we spoke said providers’ use of telehealth platforms that may not meet HIPAA Rule requirements varied,” the report states. Five “said investing in HIPAA-compliant telehealth platforms may be difficult for small practices.” This could spell trouble because such groups make up the majority of medical providers in the United States.

GAO also reported that “when telehealth platforms are used for a health care visit, the communication between the provider and patient is subject to the HIPAA Privacy Rule. If the communication also involves the electronic transmission of PHI over the telehealth platform, it is subject to the HIPAA Security Rule.”

OCR communicated to GAO that “the primary privacy risks are that the oral conversation will be overheard, or the telehealth platform vendor will inappropriately use or disclose information—such as a transcript or image (e.g., a digital x-ray that includes PHI, such as the patient’s name)—relating to the communication; and security risks for the protection of electronic PHI are that the telehealth platform will not have adequate security features to protect the electronic PHI, or a covered provider or patient will not activate those features if they are available.”

GAO: More OCR Outreach Needed

The oversight agency recommended that “OCR should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services.”

To implement this recommendation, OCR issued what it called “resource documents to help explain to patients the privacy and security risks [of PHI] when using telehealth services and ways to reduce these risks.”

“Telehealth is a wonderful tool that can increase patients’ access to health care and improve health care outcomes,” OCR Director Melanie Fontes Rainer said in announcing the guidance documents.[3] “Health care providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private.”

At the time these were published, the telehealth enforcement waivers had already expired, and as noted, CEs are supposed to be using technology that has the protections called for under the Privacy and Security rules. Moreover, the guidance is written from the perspective of patients who’ve never used telehealth or telemedicine before; by now, most have experience.

Still, the documents are relevant, as it would be unrealistic to assume telehealth compliance is perfect, and CEs can use them as a refresher on good cyber practices, both for themselves and their patients.

Discussions Could Create Good Will With Patients

OCR itself added another possible benefit of talking about security: better relationships with patients.

HIPAA doesn’t require “providers to educate patients about these risks,” OCR states. “Ensuring the privacy and security of PHI can help promote more effective communication between the provider and patient, which is important for quality care.”[4]

Although both guidance documents have the same goal, one is focused on strategies for providers to use when “educating patients about privacy and security risks” when remote technologies are used in telehealth visits. In addition to reminding patients that they can file a complaint with OCR, the agency suggests that CEs explain what telehealth is, its risks and what safeguards are in place.

The agency suggests CEs give patients “the names of the vendors of any remote communication technologies that you use and information about where to view the vendors’ websites and privacy practices,” as well as tell them about the “privacy and security safeguards the remote communication technology vendor has agreed to use.” Moreover, patients should be told “whether the telehealth app or website uses online tracking technologies,” according to the new guidance.

Moreover, CEs “could consider the following:

  • “Ensure that the patient knows when and how they will be contacted by you or the remote communication technology vendor. By providing this information, you can help the patient avoid potential phishing emails or other scams. For example, you may give the patient the email address or phone number from where information will be sent to them on a specific date. You may also provide a patient with a phone number they may call if they want to verify a link or other information they receive in an email or text message.

  • “Encourage the patient to ask any questions they may have. Some patients may have questions about remote communication technology, including how to use it or what privacy and security controls the technology has available. If you’re not able to answer a question, let them know who can.”

Providers Should Explain Risk Mitigation

In OCR’s view, part of educating patients is to be open about the risks of “video conferencing apps and other remote communication technologies.” Further, providers should explain “how these risks can be mitigated.”

OCR offered the following “examples of risks that may be relevant to your patients:”

  • “Viruses and other malware. Even with privacy and security protections, there is a risk of viruses or other malware infecting a website or app used for telehealth. Patients should be aware of the availability of anti-malware solutions to guard against viruses or other malicious software. There are many anti-malware solutions available for purchase, and some may be included on a patient’s device at no additional cost.

  • “Unauthorized access. Cyber-criminals might exploit unpatched software to gain access to a patient’s device and health information. Patients can lower this risk by applying updates to software installed on their devices as soon as they become available. Frequent updates improve security by fixing vulnerabilities cyber-criminals are known to exploit.

  • “Accidental disclosures. If the patient is not in a private location during the telehealth appointment, then other persons may hear or see sensitive health information about the patient. Patients can decrease the risk of accidental disclosures when others are present by positioning their device so others cannot see their device’s screen and, if available, using a headset or headphones. Or, if a live chat function is available on the telehealth website or mobile app, a patient can use this to communicate instead of using their device’s speakers and microphone.”

‘Avoid Using Speakerphones’

The second document is simply titled “Telehealth Privacy and Security Tips for Patients.”[5] Speaking directly to them, OCR notes that “Using video apps and other technologies for telehealth can create risks to the privacy and security of your health information. This can include when you are accessing telehealth services on a website, through an app, or even through a patient portal.”

The agency offered the following tips for patients, which providers could share with them:

  • “Have your telehealth appointment in a private location. Find a place away from others (like a private room with a door or your parked car) where you can control who hears or sees your conversation. If you can’t find a private place for your appointment, consider wearing headphones, positioning your computer or mobile device so others can’t see your screen, and avoiding using the speakerphone.

  • “Turn off any nearby electronic devices that may overhear or record information. Turn off devices like home security cameras and smart speakers or apps on your phone that respond to your voice so they don’t overhear or record your telehealth appointment.

  • “Use a personal computer or mobile device, if possible. Avoid using a computer, mobile device, or network tied to your workplace or a public setting for your telehealth session. Some workplaces and public settings can see what you do when using workplace devices or unsecured public networks.

  • “Install all available security updates on your computer or mobile device. For most mobile devices, go to the Settings icon or tab on your device and turn on the option for automatic updates, or install updates yourself as soon as they’re available.

  • “Use strong, unique passwords. Use different passwords for each app, website, computer, or mobile device you use for your telehealth appointment to keep others from accessing all of your information if someone discovers your password. If possible, change your passwords regularly.

  • “Turn on the lock screen function. Go to Settings and set a short amount of time before your computer or mobile device locks the screen because of inactivity. This prevents someone from getting any of your health information that may be stored on the device unless they have the password.

  • “Delete health information on your computer or mobile device when you don’t need it anymore. Removing health information (including photos or videos) from your computer or mobile device helps lower the risk that someone could see your health information if they get your password and can access your computer or mobile device.

  • “Turn on two-step or multi-factor authentication (if it’s available and you can use it). Many apps require you to enter a username and password. Some apps also have an option for multi-factor authentication, which makes it harder for someone else to use the app because they need access to your phone or email. For example, the app may send a code to your phone number or email address that you need to log in to the app. If you need help with multi-factor authentication or can’t use it, contact your health care provider to learn what your options are.

  • “Use encryption tools when available. When possible, you should turn on encryption on your phone or mobile device and any apps you use to communicate with your health care provider or health plan (like video chat or messaging apps). Encryption is an electronic tool that protects and secures your information by making it unreadable by anyone without the right key or password.

  • “Avoid using public Wi-Fi networks and any USB ports at public charging stations. Public networks (like the ones in coffee shops or airports) may not have security to protect the health information you may want to send using their network. Also, cyber-criminals can steal sensitive information by creating fake public Wi-Fi networks that people unknowingly sign onto, or they may use public USB charging ports to install viruses or other malware on your computer or mobile device.

  • “Let your provider know if you have any questions about the telehealth appointment or the telehealth technology. You can ask for help, such as instructions on using the technology or accommodations you need for the telehealth appointment, like a screen reader or closed captioning.

  • “If you’re suspicious of a link or have any doubts about a link, contact your health care provider right away. For some telehealth appointments, your provider may send you an email or a link directly to your phone or to your email account. You can always contact your provider to ask if the link they have sent is valid.”

[1] United States Government Accountability Office, “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks,” Report to Congressional Addressees, September 2022, https://bit.ly/410FCCU.

[2] Theresa Defino, “All OCR Enforcement Waivers Expired; Are Your Telehealth Services HIPAA Compliant?” Report on Patient Privacy 23, no. 11 (November 2023), https://bit.ly/3N7o9Do.

[3] U.S. Department of Health and Human Services, “HHS Office for Civil Rights Issues Resources for Health Care Providers and Patients to Help Educate Patients about Telehealth and the Privacy and Security of Protected Health Information,” news release, October 18, 2023, https://bit.ly/3uCNbnt.

[4] U.S. Department of Health and Human Services, “Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” content last reviewed October 17, 2023, https://bit.ly/3R4bD8F.

[5] U.S. Department of Health and Human Services, “Telehealth Privacy and Security Tips for Patients,” content last reviewed October 17, 2023, https://bit.ly/3Qm6U35.
