More Action Needed on Telehealth Privacy, Security RisksGAO Report Recommends Additional Guidance for Healthcare Providers, Patients
Leeway for healthcare providers when delivering telehealth granted in the wake of the novel coronavirus pandemic is provoking concerns that patients may not understand the resultant privacy risks.
Federal enforcers of HIPAA received 43 complaints from March 2020 through December 2021 regarding privacy and security concerns with telehealth visits, says the Government Accountability Office.
The grievances ranged from objections about the use of certain telehealth platforms that did not meet HIPAA requirements, potentially putting the security and privacy of patients' protected health information at risk, to privacy complaints about unknown third parties being present during patients' telehealth encounters with healthcare providers.
At the March 2020 onset of the COVID-19 pandemic, federal regulators said they would use discretion enforcing certain HIPAA violations related to the "good faith" delivery of telehealth (see: COVID-19: HHS Issues Limited HIPAA Waivers).
With that light-touch enforcement policy still in play, patients need to be better informed of telehealth's privacy and security risks, says the GAO.
Telehealth medical providers have used the enforcement waiver to deliver services through communication platforms not vetted for HIPAA compliance, including Apple FaceTime, Facebook Messenger video chat, Zoom and Skype. Providers don't have to execute a business associate agreement with the platform companies before using them for healthcare.
Although OCR is not imposing HIPAA penalties for noncompliance that falls within the scope of its telehealth waivers, OCR may still investigate a complaint where a covered healthcare provider used a public-facing telehealth platform such as Facebook Live, Twitch or TikTok, which are not permitted under the enforcement discretion notice.
Regulators encourage providers to notify patients that third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
But HHS does not track the extent to which providers are notifying patients of the risks. OCR officials told GAO that it would not be possible to track the extent to which providers notify patients of the risks in a reliable way.
GAO writes that HHS concurred with the report's recommendation for OCR to provide additional guidance to providers to help them explain the privacy and security risks to patients when using video telehealth platforms to provide telehealth services.
Besides more guidance, some experts say OCR should take additional steps to address telehealth privacy and security issues.
"I think that HHS should reconsider when a video-conferencing provider is considered a business associate under HIPAA," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
"HHS could clarify when a video-conferencing platform qualifies as a conduit, possibly expanding the scope of the exception to encompass the use of video conferencing when it creates limited privacy and security risk to the patient," he says.
Greene agrees with a suggestion by GAO to have providers inform patients when they take a picture on their device for purposes of telehealth. "That picture may remain and be accessible to others programs and users," says Greene, a former senior adviser at OCR.
Healthcare entities can take additional steps to improve the security and privacy of telehealth utilizations, including reminding their workforce to use "many of the same safeguards" at home that they would use in the office, he says. "Conversations involving medical information should be in a private setting away from household members."
Kyle Zebley, senior vice president of public policy and executive director of the American Telemedicine Association - a nonprofit industry organization, says the group would be supportive of HHS OCR providing additional assistance to healthcare entities to help them explain the privacy and security risks to patients "in plain language" when using video telehealth platforms to provide telehealth services.
"More public and provider education on the utilization of telehealth would be a positive development," he says.