On October 18, 2023, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”), which is tasked with enforcing the Health Insurance Portability and Accountability Act (“HIPAA”), issued two new guidance documents pertaining to privacy and security risks associated with the use of telehealth services. One guidance document, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” is aimed at health care providers (the “Provider Guidance”), while the other guidance document, called “Telehealth Privacy and Security Tips for Patients,” is intended to be a resource for patients. This blog post focuses on the Provider Guidance. As with any agency guidance, the recommendations contained in the Provider Guidance are not requirements but can be interpreted as best practices for providers offering telehealth services. At a high level, the Provider Guidance includes suggestions for discussing the following topics with patients:

  • Telehealth options offered;
  • Risks to PHI when using remote communications technologies;
  • Privacy and security practices of remote communication technology vendors; and
  • Applicability of civil rights laws.

Many of the recommendations discussed in the Provider Guidance reflect industry standards that are not necessarily new (i.e., explaining how telehealth works and the risks associated with the electronic transmission of protected health information).[1] One such suggestion is that providers identify to patients any remote communication technology vendors used in rendering the telehealth services and provide information about the privacy and security practices of each vendor. This would include, for example, video conferencing technology vendors. Another notable suggestion is that providers explain how patients can mitigate security risks on their end—including recommending the use of anti-malware solutions and explaining how cybercriminals can exploit vulnerabilities in patient devices.

Providers are already pressed for time and likely do not have the capacity to explain all of this information during a telehealth appointment. For providers or provider groups seeking to implement these recommendations, the best way to do so would likely be by providing the information to the patient in a written document prior to the telehealth session. As HHS has previously issued guidance recommending that informed consent for telehealth services be obtained from patients for each telehealth visit (rather than obtaining informed consent prior to a patient’s first telehealth visit), incorporating the newly recommended information into paperwork, such as a telehealth informed consent form or other patient intake paperwork, that can be electronically sent to the patient prior to each session would be easiest.

Still, however, if a provider or provider group seeks to adopt these recommendations on their own, gathering the relevant information and responding to the inevitable patient questions will take time away from providing or supporting patient care. Providers would need to identify the relevant vendors, locate the vendors’ online privacy policies for the patients’ reference, and review the contracts with those vendors to identify any privacy and security-related representations made or agreed to by the vendors. Often, when contracting with vendors, especially reputable vendors such as those previously referenced by OCR as vendors purporting to offer HIPAA-compliant products, providers understandably rely upon the vendor’s representations regarding vendor security practices without actually having much insight into those practices. In these cases, conversations with vendors may be needed in order to adequately explain vendor security practices to patients. Vendors may also consider anticipating the needs of providers seeking to adopt the recommendations in the Provider Guidance by developing resources and materials summarizing the vendor’s practices. Still, in addition to mastering their clinical field, IT, and cybersecurity, the Provider Guidance seemingly also expects providers to develop some expertise in contract law. Bear in mind: each time a new vendor is engaged, the paperwork would require updating to reflect the new vendor’s contractual representations and relevant policies.

It is important to note that there is arguably no violation of HIPAA even if a provider fails to communicate telehealth privacy and security risks to patients, and the Provider Guidance, if followed, would undoubtedly impose additional burdens on an already-overburdened health care workforce. Providers wishing to adopt some or all of the recommendations should revisit their consent forms and include some of the language and information outlined in the Provider Guidance, as well as the other resources OCR references in the guidance.

For additional information about the issues discussed above, or if you have any other telehealth concerns, please contact the Epstein Becker Green attorney who regularly handles your legal matters or one of the authors of this blog post.


[1] While it is an established best practice to inform patients about the general risks associated with electronically transmitting PHI between provider and patient, based upon the Provider Guidance, providers may consider also including express warnings about the transmission of PHI by and to remote communication technology vendors.

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Authors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.