On October 18, 2023, the Department of Health and Human Services (DHHS) through the Office for Civil Rights (OCR) issued an update¹ containing two resource documents to help educate patients regarding privacy and security risks associated with their Protected Health Information (PHI) and telehealth and ways patients can reduce and mitigate these risks. 

The first guidance, as recommended by the Government Accountability Office, is titled “Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth.”² This resource seeks to assist healthcare providers in educating patients and bring awareness to the privacy and security risks associated with remote communication technologies for telehealth. The resource document reminds telehealth providers that “civil rights laws generally require providers to take appropriate steps to ensure that communications with an individual with a disability are as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary."³ This requirement applies to all communications, including those that may be electronic in nature. The key takeaways from the article discuss:  

• Informing the patient prior to the telehealth session of what telehealth is and how remote communication technologies will be used as a part of providing telehealth services to patients; this includes providing examples of the types of telehealth services and the various modalities that may be used. 
• Explaining the importance of health information privacy and security, as required by the Health Insurance Portability and Accountability Act (HIPAA) to prevent breaches of patient PHI. 
• Explaining the risks associated with remote technologies in protecting the PHI of patients and ways to mitigate such risks. This includes potential compromising of permissible access due to viruses and other malware, unauthorized access, and accidental disclosures. Healthcare providers should ensure that patients know when and how they will be contacted by the provider or associated technology vendor, to prevent phishing emails or other scams. Providers should always encourage patients to ask questions when in doubt and create a clear and transparent understanding of all telehealth vendor privacy and security practices.  

Whenever a perceived issue arises, individuals should feel free to complete a privacy complaint on behalf of themselves or others through the OCR Complaint Portal: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf  

The second guidance issued by OCR is titled “Telehealth Privacy and Security Tips for Patients.”⁴ This guidance provides suggestions for patients on how to better protect their PHI while using telehealth apps and other technologies. The key takeaways from the article discuss: 

• Make efforts to protect the physical privacy of the telehealth visit, this includes performing the meeting in a secluded room, wearing headphones instead of speakerphone when in a public location, and/or concealing one’s screen to mitigate access to the visit. This also includes turning off any nearby electronic devices that may overhear or record information.
• Whenever possible, use a personal computer or mobile device, thereby avoiding any data exchanges through a public network. This includes avoiding public Wi-Fi networks and public charging stations. Always confirm that your computer or mobile device is up to date on all security updates and remove any health information on one’s computer or mobile device when no longer needed.  
• Always use a strong, unique password, and lock screen functions to prevent unauthorized access. When available, turn on two-step or multi-factor authentication and use encryption tools. 
• Let the provider know if you have any questions about the telehealth appointment or the telehealth technology, and/or of any suspicious activity or links associated with your appointment.  

Finally, for more guidance on protecting the privacy and security of PHI, consider reviewing the following links:  

• ^{https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/cell-phone-hipaa/index.html;}  
• ^{https://telehealth.hhs.gov/patients/telehealth-privacy-for-patients; and}  
• ^{https://www.cisa.gov/news-events/news/4-things-you-can-do-keep-yourself-cyber-safe.} 

While telehealth is not a new concept, the current availability of telehealth services is largely due to the pandemic-triggered necessity for care that contributed significantly to the national adoption of such services within the United States. Telehealth provides solutions to various concerns regarding the operation and management of care including, addressing clinical shortages, increasing access to underserved areas, reducing overall travel time, cost, and hardship considerations and hopefully reducing delays in treatment thereby increasing accessibility for all. However, these benefits come at a risk as identified in the two guidance documents discussed in this bulletin.