‘An Unknown Individual Walked In’: Protecting Against Telehealth Risks Includes Non-IT Threats

By Theresa Defino

The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth.

In fact, in 2022, the Government Accountability Office (GAO) issued Medicare Telehealth Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.[1] While three of GAO’s four recommendations were directed at the Centers for Medicare & Medicaid Services, it had one for OCR, which prompted the agency’s two-part guidance for providers on helping patients protected health information (PHI) stay safe during a telehealth visit.

GAO offered eye-opening information from OCR about some complaints received during the pandemic about telehealth—data agency officials don’t appear to have shared publicly outside of the report. The nature of some of the complaints harkens back to age-old privacy issues, such as conversations not really being private, which have little to do with the technology of telehealth. These can serve as reminders to providers that a focus on foundational issues still will serve them well, particularly as certain telehealth flexibilities adopted during the pandemic become permanent, ensuring that not only is telehealth here to stay, it is growing.

An article in a recent RPP offered experts’ suggestions for providers and other covered entities (CEs) to ensure their telehealth programs are HIPAA-compliant, particularly now that OCR’s noncompliance waivers have expired.[2] Revising, if necessary, contracts with vendors and other business associates to employ only products that meet privacy and security requirements is among the tasks that—if not already completed—are overdue.

According to GAO, “from March 2020 through December 2021, OCR received 43 complaints regarding privacy and security concerns with telehealth visits.”

Among them:

  • Seventeen people said that “third parties were present during a telehealth visit,” with some complaining that they saw “an unknown individual walk behind the provider.”

  • Thirteen people “alleged the provider shared patients’ PHI without permission during their telehealth visit.”

  • Seven others “alleged patients overheard or saw the PHI of another patient.”

Small Providers May Lack Funds for Secure Solutions

Just six complaints dealt directly with a telehealth platform itself, OCR told GAO. “Specifically, five patients and one employee of a covered provider alleged that providers were using telehealth platforms that did not meet the HIPAA requirements.” (This, of course, might have been okay during the enforcement discretion period).

GAO wasn’t able to assess how widespread the use of noncompliant telehealth platforms was at the time it completed its report. Twenty of 26 “provider groups with whom we spoke said providers’ use of telehealth platforms that may not meet HIPAA Rule requirements varied,” the report states. Five “said investing in HIPAA-compliant telehealth platforms may be difficult for small practices.” This could spell trouble because such groups make up the majority of medical providers in the United States.

GAO also reported that “when telehealth platforms are used for a health care visit, the communication between the provider and patient is subject to the HIPAA Privacy Rule. If the communication also involves the electronic transmission of PHI over the telehealth platform, it is subject to the HIPAA Security Rule.”

OCR communicated to GAO that “the primary privacy risks are that the oral conversation will be overheard, or the telehealth platform vendor will inappropriately use or disclose information—such as a transcript or image (e.g., a digital x-ray that includes PHI, such as the patient’s name)—relating to the communication; and security risks for the protection of electronic PHI are that the telehealth platform will not have adequate security features to protect the electronic PHI, or a covered provider or patient will not activate those features if they are available.”

This document is only available to subscribers. Please log in or purchase access
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings