OCR Points Steerage to Suppliers and Sufferers on Telehealth Privateness and Safety

Final week, the Workplace for Civil Rights (“OCR”) issued two items of steering on the privateness and safety of protected well being info (“PHI”) when utilizing telehealth companies. One of many paperwork is meant to assist well being care suppliers clarify to sufferers, in plain language, the privateness and safety dangers of utilizing distant communication applied sciences for telehealth (the “Supplier Telehealth Steerage”). The opposite offers tricks to sufferers on find out how to safeguard their PHI when utilizing video apps and different applied sciences for telehealth (the “Affected person Telehealth Steerage”).

The COVID-19 public well being emergency (“PHE”) and OCR’s relaxed HIPAA enforcement and restrictions for telehealth communications throughout the PHE helped catalyze the widespread use of telehealth by well being care suppliers, resulting in extra potential threat to PHI when utilizing telehealth companies. The 2 items of steering proof OCR’s continued consideration to the HIPAA implications of utilizing telehealth companies.

The Supplier Telehealth Steerage clarifies that the Well being Insurance coverage Portability and Accountability Act (collectively, with its implementing rules, “HIPAA”) doesn’t require well being care suppliers to coach sufferers about telehealth dangers. Nonetheless, because the Supplier Telehealth Steerage notes, guaranteeing the privateness and safety of PHI can facilitate more practical communication, thereby bettering the standard of care. As such, the Supplier Telehealth Steerage is meant to information well being care suppliers who wish to voluntarily clarify to sufferers the privateness and safety dangers of telehealth, in addition to methods to cut back these dangers.

The Supplier Telehealth Steerage gives the next recommendation:

• Previous to the telehealth session, clarify what telehealth is and the distant communication applied sciences used, which can embrace phone, video conferencing apps, messaging applied sciences, and distant affected person monitoring applied sciences.
• Clarify why well being info privateness and safety are necessary, together with prevention of id theft (medical or monetary), embarrassment, bias, and discrimination.
• Clarify the potential dangers to PHI when utilizing distant communication applied sciences and find out how to mitigate the dangers.
• Present details about any related distributors’ privateness and safety practices.
• Inform sufferers that they will file a privateness grievance.

The Affected person Telehealth Steerage is meant to offer suggestions on to sufferers on find out how to shield and safe their PHI, together with:

• Ensure you’re in a non-public location on your telehealth appointment.
• Flip off close by units which will overhear or report info.
• Use a private laptop or cell system.
• Set up accessible safety updates.
• Use robust, distinctive passwords.
• Flip in your lock display perform.
• Delete well being info in your units when it’s not wanted.
• Activate multi-factor authentication the place accessible.
• Activate encryption.
• Keep away from utilizing public wi-fi networks and USB ports.

Because the Supplier Telehealth Steerage notes, educating sufferers on the privateness and safety dangers of telehealth companies will not be required underneath HIPAA. Nonetheless, doing so might theoretically mitigate the chance of a affected person grievance within the occasion that one thing occurs to the affected person’s PHI throughout or due to a telehealth appointment. Since complaints are one of many two main pathways to an OCR investigation and potential enforcement motion, offering this schooling to sufferers could mitigate enforcement threat.