How Can Providers Educate Patients on the Risks of Telehealth?

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

The Department of Health and Human Services has issued guidance to healthcare providers on educating patients about privacy and security risks to PHI when using remote communication technologies for telehealth. This article covers the information in the guidance.

Healthcare providers increasingly use telehealth to provide care to patients remotely. The HHS Office for Civil Rights (OCR) supports the continued use of telehealth telehealth. Since health information privacy and security risks are present when using remote communcation technologies such as video conferencing websites and apps for telehealth, providers may choose to prepare patients for telehealth with a focus on privacy and security. 

Providers may prepare patients for telehealth by discussing these issues:

Using video conferencing apps and other remote communication technologies for telehealth can come with risks to the privacy and security of patient information. These risks can be mitigated.   Some examples of risks that may be relevant to a practice's patients, depending on the circumstances and which technologies the practice uses, use, may include the following:

1. Viruses and other malware. Even with privacy and security protections, there is a risk of viruses or other malware infecting a website or app used for telehealth. Patients should be aware of the availability of anti-malware solutions to guard against viruses or other malicious software. There are many anti-malware solutions available for purchase and some that may be included on a patient’s device at no additional cost.  
2. Unauthorized access. Cybercriminals might exploit unpatched software to gain access to a patient’s device and health information. Patients can lower this risk by applying updates to software installed on their devices as soon as they become available. Frequent updates improve security by fixing vulnerabilities cybercriminals are known to exploit.
3. Accidental disclosures. If the patient is not in a private location during the telehealth appointment, then other persons may hear or see sensitive health information about the patient. Patients can decrease the risk of accidental disclosures when others are present by positioning their device so others cannot see their device’s screen and, if available, using a headset or headphones. Or, if a live chat function is available on the telehealth website or mobile app, a patient can use this to communicate instead of using their device’s speakers and microphone.

To help patients protect their health information, providers may consider the following:

1. Ensure that the patient knows when and how they will be contacted by you or the remote communication technology vendor. By providing this information, you can help the patient avoid potential phishing emails or other scams. For example, a practice may give the patient the email address or phone number from where information will be sent to them on a specific date. Providers may also provide a patient with a phone number they may call if they want to verify a link or other information they receive in an email or text message. 
2. Encourage the patient to ask any questions they may have. Some patients may have questions about the remote communication technology, including how to use it or what privacy and security controls the technology has available. If a provider is not able to answer a question, the provider should let the patient know who can.
3. HRSA’ Telehealth Privacy Tips for Patients - PDF.

If a practice uses a remote communication technology vendor(s) for telehealth, the practice may provide information about the privacy and security practices of the vendor(s):

1. Provide the names of the vendors of any remote communication technologies that the practice uses and information about where to view the vendors’ websites and privacy practices.
2. Tell the patient about the privacy and security safeguards the remote communication technology vendor has agreed to use.
3. Tell the patient whether the telehealth app or website uses online tracking technologies.