HHS Issues HIPAA Best Practices for Telehealth
The Department of Health and Human Services (HHS) published a resource guide to assist telehealth providers in explaining the privacy and security risks to patients, but the guidance makes clear that HIPAA does not require this education. Instead, the resource guide is intended to help providers who would like to discuss potential risks with patients, and it is framed as a set of best practices rather than requirements. HHS suggests telehealth providers cover these issues:
- Explain the remote communication technologies that will be used, including examples of different types of telehealth services.
- Discuss the importance of health information privacy and security. Inform patients about the privacy and security protections built into the remote communication technologies used by the provider.
- Describe the possible risks to the patient’s information and how to minimize the risks. Explain that using telehealth can put the security of some information at risk. Cover relevant risks, such as viruses and other malware, and unauthorized disclosure of information. Also, discuss mitigation measures such as anti-malware solutions and the use of headphones during telehealth sessions.
Providers also should inform patients about how the provider will contact them, which can help them avoid potential phishing emails or other scams. (The HHS best practices are available online at: https://bit.ly/48TOI7a.)
Telehealth best practices are common sense guidelines that should not conflict with current HIPAA compliance efforts, says Douglas A. Grimm, JD, partner with ArentFox Schiff in Washington, DC.
“Some of this is straightforward, which is a good thing because it emphasizes privacy and security measures that are important,” Grimm says. “When a patient enters into a conversation with a physician, either their guard may be way up or maybe their guard goes down a little bit, just depending upon perhaps their stress level or the pre-existing relationship with the provider. But ensuring that the provider reiterates the information laid out in the OCR [Office for Civil Rights] guidance kind of level sets.”
Providers should follow the guidance, but it shows that OCR has an eye on HIPAA compliance as telehealth technologies continue to grow in sophistication and popularity, Grimm says. “There are going to be more lapses,” he says. “Unfortunately, that’s just inevitable with the growing volume and implementation of telehealth.”
OCR’s recommendation to educate the patient on the actual technology and the vendor behind the technology is a good move, Grimm says. Providers should explain who owns the technology and who the patient can contact if they have questions regarding the technology.
“I like to see that emphasis out front. In previous guidance, I don’t think that point has been emphasized as clearly as it was in this recent guidance,” Grimm says. “The other thing I also looked on approvingly was letting the patient know the schedule of communication. I appreciate the guidance OCR says you should make sure the patient understands how they would be contacted by that vendor and in what time frame. If I got an email from whatever the engine is that powers my Gmail account, my initial instinct would be to simply disregard it.”
In some ways, the guidelines mirror the protections that many covered entities have put in place already, says Amy M. Joseph, JD, partner with Hooper Lundy & Bookman in Boston. Some states already require that providers engage in these types of disclosures as part of an informed consent for telehealth, she says.
“It’s a very helpful user-friendly resource. I think for those who aren’t implementing these types of measures, it’s a good idea to read as a best practice for consideration,” Joseph says. “I also think it’s important to know OCR is clear that this is not a specific requirement. There’s no mandate.”
The guidelines are about consumer protection, so it is important to consider your patient population and how much education they might need, Joseph says. “Some patient populations use telehealth all the time and are very comfortable navigating the internet and mobile app,” she says. “Others may benefit from more information to make sure they’re clear on the risks that they’re taking and what it means to use telehealth.”
Joseph advocates for transparency and more information for consumers so they understand what it means to use different platforms and different modalities. She notes that the guidelines include references to remote patient monitoring and to educating patients to help protect against phishing attacks or other types of scams. Although not strictly a HIPAA matter, Joseph notes that HHS is applying some scrutiny in the remote patient monitoring space regarding phishing or unsolicited contact of beneficiaries.
“I think there’s a problem. There’s a small group of bad actors who will engage in fraud schemes whenever there’s a new modality. We saw it in telehealth, and we’re seeing it in remote patient monitoring, but that’s a very small segment that is separate from the day-to-day telehealth and remote patient monitoring that we’re seeing every day,” Joseph says. “Patients are benefiting from improved access to care and more efficient care, but there are some segments out there with fraud schemes. It’s good to keep an eye out for remote patient monitoring.”
Although not required, it is good practice for providers to explain what telehealth is and the remote communication technology used before the telehealth session, says Paul F. Schmeltzer, JD, senior attorney with Clark Hill in Los Angeles.
Patients do not always understand that the terms telemedicine and telehealth are sometimes used interchangeably and that a provider may use a diverse array of remote communication technologies (e.g., a telephone, computer, tablet, or smartphone) to conduct a telehealth session, Schmeltzer says. Patients need to understand that telehealth appointments, whether by phone for an audio-only call or through a videoconferencing app, require the same privacy protections afforded to patients under HIPAA for other types of in-person encounters, he says.
“Patients should also understand that telehealth can encompass patients sending healthcare questions and receiving responses from you using messaging technologies or email, or using remote patient monitoring technologies, such as a device to collect vital signs or a video monitoring system to help you keep track of the patient’s health, vital signs, and safety from a remote location,” Schmeltzer says.
Practices also should explain to patients the possible risks to the patient’s protected health information (PHI) and the ways that patients can mitigate those risks.
“These risks include unauthorized access due to unpatched software, accidental disclosures when the patient conducts their telehealth encounter in a public location or somewhere prone to eavesdropping, and possible computer viruses or malware on the patient’s computer that could infect the software used for the telehealth encounter,” Schmeltzer says.