On October 18, 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which is tasked with enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), issued two new guidance documents pertaining to privacy and security risks associated with the use of telehealth services. One guidance document, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” is aimed at health care providers (the “Provider Guidance”), while the other guidance document, called “Telehealth Privacy and Security Tips for Patients,” is intended to be a resource for patients. This blog post focuses on the Provider Guidance. As with any agency guidance, the recommendations contained in the Provider Guidance are not requirements but can be interpreted as best practices for providers offering telehealth services. At a high level, the Provider Guidance includes suggestions for discussing the following topics with patients:

• Telehealth options offered;
• Risks to PHI when using remote communications technologies;
• Privacy and security practices of remote communication technology vendors; and
• Applicability of civil rights laws.

Many of the recommendations discussed in the Provider Guidance reflect industry standards that are not necessarily new (i.e., explaining how telehealth works and the risks associated with the electronic transmission of protected health information).[1] One such suggestion is that providers identify to patients any remote communication technology vendors used in rendering the telehealth services and provide information about the privacy and security practices of each vendor. This would include, for example, video conferencing technology vendors. Another notable suggestion is that providers explain how patients can mitigate security risks on their end—including recommending the use of anti-malware solutions and explaining how cybercriminals can exploit vulnerabilities in patient devices.

Providers are already pressed for time and likely do not have the capacity to explain all of this information during a telehealth appointment. For providers or provider groups seeking to implement these recommendations, the best way to do so would likely be by providing the information to the patient in a written document prior to the telehealth session. As HHS has previously issued guidance recommending that informed consent for telehealth services be obtained from patients for each telehealth visit (rather than obtaining informed consent prior to a patient’s first telehealth visit), incorporating the newly recommended information into paperwork, such as a telehealth informed consent form or other patient intake paperwork, that can be electronically sent to the patient prior to each session would be easiest.

Still, however, if a provider or provider group seeks to adopt these recommendations on their own, gathering the relevant information and responding to the inevitable patient questions will take time away from providing or supporting patient care. Providers would need to identify the relevant vendors, locate the vendors’ online privacy policies for the patients’ reference, and review the contracts with those vendors to identify any privacy and security-related representations made or agreed to by the vendors. Often, when contracting with vendors, especially reputable vendors such as those previously referenced by OCR as vendors purporting to offer HIPAA-compliant products, providers understandably rely upon the vendor’s representations regarding vendor security practices without actually having much insight into those practices. In these cases, conversations with vendors may be needed in order to adequately explain vendor security practices to patients. Vendors may also consider anticipating the needs of providers seeking to adopt the recommendations in the Provider Guidance by developing resources and materials summarizing the vendor’s practices. Still, in addition to mastering their clinical field, IT, and cybersecurity, the Provider Guidance seemingly also expects providers to develop some expertise in contract law. Bear in mind: each time a new vendor is engaged, the paperwork would require updating to reflect the new vendor’s contractual representations and relevant policies.

It is important to note that there is arguably no violation of HIPAA even if a provider fails to communicate telehealth privacy and security risks to patients, and the Provider Guidance, if followed, would undoubtedly impose additional burdens on an already-overburdened health care workforce. Providers wishing to adopt some or all of the recommendations should revisit their consent forms and include some of the language and information outlined in the Provider Guidance, as well as the other resources OCR references in the guidance.

[1] While it is an established best practice to inform patients about the general risks associated with electronically transmitting PHI between provider and patient, based upon the Provider Guidance, providers may consider also including express warnings about the transmission of PHI by and to remote communication technology vendors.

[View source.]