Last week, the Office for Civil Rights (“OCR”) issued two pieces of guidance on the privacy and security of protected health information (“PHI”) when using telehealth services. One of the documents is intended to help health care providers explain to patients, in plain language, the privacy and security risks of using remote communication technologies for telehealth (the “Provider Telehealth Guidance”). The other provides tips to patients on how to safeguard their PHI when using video apps and other technologies for telehealth (the “Patient Telehealth Guidance”).

The COVID-19 public health emergency (“PHE”) and OCR’s relaxed HIPAA enforcement and restrictions for telehealth communications during the PHE helped catalyze the widespread use of telehealth by health care providers, leading to more potential risk to PHI when using telehealth services. The two pieces of guidance evidence OCR’s continued attention to the HIPAA implications of using telehealth services.

The Provider Telehealth Guidance clarifies that the Health Insurance Portability and Accountability Act (collectively, with its implementing regulations, “HIPAA”) does not require health care providers to educate patients about telehealth risks. Nonetheless, as the Provider Telehealth Guidance notes, ensuring the privacy and security of PHI can facilitate more effective communication, thereby improving the quality of care. As such, the Provider Telehealth Guidance is intended to guide health care providers who want to voluntarily explain to patients the privacy and security risks of telehealth, as well as ways to reduce these risks.

The Provider Telehealth Guidance offers the following advice:

  • Prior to the telehealth session, explain what telehealth is and the remote communication technologies used, which may include telephone, video conferencing apps, messaging technologies, and remote patient monitoring technologies.
  • Explain why health information privacy and security are important, including prevention of identity theft (medical or financial), embarrassment, bias, and discrimination.
  • Explain the potential risks to PHI when using remote communication technologies and how to mitigate the risks.
  • Provide information about any relevant vendors’ privacy and security practices.
  • Inform patients that they can file a privacy complaint.

The Patient Telehealth Guidance is intended to provide tips directly to patients on how to protect and secure their PHI, including:

  • Make sure you’re in a private location for your telehealth appointment.
  • Turn off nearby devices that may overhear or record information.
  • Use a personal computer or mobile device.
  • Install available security updates.
  • Use strong, unique passwords.
  • Turn on your lock screen function.
  • Delete health information on your devices when it’s no longer needed.
  • Turn on multi-factor authentication where available.
  • Turn on encryption.
  • Avoid using public wireless networks and USB ports.

As the Provider Telehealth Guidance notes, educating patients on the privacy and security risks of telehealth services is not required under HIPAA. Nonetheless, doing so could theoretically mitigate the risk of a patient complaint in the event that something happens to the patient’s PHI during or because of a telehealth appointment. Since complaints are one of the two primary pathways to an OCR investigation and potential enforcement action, providing this education to patients may mitigate enforcement risk.