The U.S. Department of Health and Human Services Office of Civil Rights has released two new patient privacy resources that healthcare organizations can use to educate patients about reducing their risks of a breach of their protected health information when using telemedicine technologies.

WHY IT MATTERS

The tips and resources offered on the HIPAA website under Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth – as recommended by the Government Accountability Office – spell out how patients can maintain their privacy when they are having a virtual appointment at home and in public as they access telehealth through a website, app or patient portal.

"Ensuring the privacy and security of PHI can help promote more effective communication between the provider and patient, which is important for quality care," OCR said.

The resource discusses how healthcare providers can explain what telehealth is, which remote communication technologies they will use in their scheduled telehealth session, the names of any remote communication technology vendors and how to find their websites and what the inherent privacy risks are.

"Turn off devices like home security cameras, and smart speakers or apps on your phone that respond to your voice, so they don’t overhear or record your telehealth appointment," OCR advises patients.

Turning off any nearby electronic devices that may overhear or record information is just one of the tips the agency charged with investigating patient data breaches offers for telehealth patients.

Other high-level tips, with further explanations and resources, include:

• Have your telehealth appointment in a private location. 
• Use a personal computer or mobile device – not a computer, mobile device or network that is tied to your workplace or a public setting. 
• Install all available security updates on your computer or mobile device. 
• Use strong, unique passwords and change your passwords regularly.
• Delete health information on your computer or mobile device when you don’t need it anymore. 
• Remove health information (including photos or videos) from your computer or mobile device.
• Turn on two-step or multifactor authentication if available.
• Use encryption tools when available. 
• Avoid using public WiFi networks, such as ones at coffee shops or airports, and any USB ports at public charging stations.

Contained in OCR's companion handout – Telehealth Privacy and Security Tips for Patients – the tips can be shared directly with patients.

THE LARGER TREND

Telehealth increases cyber risk across applications and endpoint security and challenges healthcare organizations in their efforts to comply with HIPAA.

With the feverish trend for cybercriminals to exfiltrate data, scores of healthcare leaders are thinking about how health systems can better protect patient privacy, and all the opportunities to do it.

Dr. Eric Liederman, director of medical informatics for the Permanente Medical Group, says that healthcare organizations must "impress upon our patients and our workforce that we're protecting them."

Adding patient education about basic cyber hygiene as it relates to telehealth can be part of an organization's endpoint security program.

ON THE RECORD

"Healthcare providers can support telehealth by helping patients understand privacy and security risks and effective cybersecurity practices so patients are confident that their health information remains private," OCR Director Melanie Fontes Rainer said in a statement.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.