OCR Publishes New Telehealth Guidance and Video Showing How to Enhance Cybersecurity

The HHS’ Office for Civil Rights has released new guidance for medical care companies to enable them to teach patients about privacy and security issues when utilizing remote communication systems for telehealth consultations and advice for patients on protecting and securing their health data.

At the time of the pandemic, healthcare companies massively extended their telehealth services to provide patients with medical services while minimizing the chance of getting COVID-19. OCR released a Notice of Enforcement Discretion to cover healthcare providers offering telehealth services in good faith during the pandemic by employing non-public-facing communication systems that aren’t totally HIPAA compliant, for example, platforms where providers wouldn’t sign business associate agreements. Currently, the end of the COVID-19 public health emergency has been proclaimed. Hence, OCR’s telehealth Notice of Enforcement Discretion has also expired. Nevertheless, OCR still allows telehealth services, which have become popular among healthcare providers and patients.

Privacy and Security Risks with Telehealth Services

Healthcare companies need to make sure that the communication systems they employ for delivering telehealth services are HIPAA compliant. Even though ‘HIPAA-compliant’ systems are employed for telehealth, there are privacy and security problems that need to be dealt with and minimized to a low and appropriate level. In the summer of 2022, before telehealth flexibilities ended, OCR released guidance for healthcare companies about HIPAA and audio-only telehealth services.

Although HIPAA doesn’t require healthcare companies to teach patients about the privacy and security problems linked to telehealth, a Government Accountability Office (GAO) analyzed the Medicare telehealth services provided throughout the COVID-19 pandemic. In its report “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks,” GAO suggested that OCR publish guidance to help healthcare companies talk with patients about the privacy and security issues linked to telehealth services.

In the review, GAO learned about many complaints that were made concerning the use of non-compliant systems at the time of the pandemic, over 3 dozen complained about the presence of third parties in the course of the consultation, and there were cases where companies disclosed PHI without acquiring patient permission. GAO figured additional training is necessary to help companies make clear to patients the privacy and security risks connected with telehealth to ensure that those issues are completely understood. OCR agreed with the suggestion and decided to release new guidance.

OCR Publishes New Telehealth Privacy and Security Resources

OCR published two guidance resources on October 18, 2023. The first resource is created to help healthcare providers instruct patients regarding the privacy and security issues linked to remote communication systems, and the second resource is for patients and gives advice on privacy and security if availing telehealth services.

The provider resource called Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth, provides recommendations for healthcare companies to enable them to speak about the telehealth solutions provided, the potential threats to protected health information (PHI) related to remote communications systems, the privacy and security tactics of vendors telehealth communication resources, and the use of civil rights regulations.

The patient resource called Telehealth Privacy and Security Tips for Patients, provides tips for patients on how to protect their PHI, including the benefits of doing telehealth consultations in private settings, enabling multi-factor authentication, utilizing encryption, and not using public Wi-Fi connections.

Telehealth is a great tool that could give patients access to medical care and enhance health care results. Healthcare companies can improve telehealth services by telling patients about privacy and security issues and the effective cybersecurity tactics that patients can adopt to keep their health data private.

OCR Video Shows How to Enhance Cybersecurity Protection By HIPAA Security Rule Compliance

The HHS’ Office for Civil Rights has published a video during this National Cybersecurity Awareness Month that talks about how HIPAA Security Rule compliance can aid HIPAA-covered entities in protecting against cyberattacks. In the video, Senior Advisor for Cybersecurity for the Health Information Privacy, Data, and Cybersecurity Division of the HHS’ Office for Civil Rights, Nick Heesters, covers cyberattack trends in the real world that OCR identified from the breach reports.

Healthcare data breaches increased since the enactment of the HIPAA Breach Notification Rule. In 2010, OCR got 199 reports of healthcare data breaches involving 500 and up breached records. Over 700 data breach reports were submitted in 2021 and 2022. It seems 2023 will become the third year that will have over 700 data breach reports.

From January to September 30, 2023, 77% of the big data breaches are due to hacking and other IT incidents. In comparison to 2009, only 49% of the breaches are due to hacking and IT incidents. There are also over 79 million breached healthcare records until September 30 this year. Hacking-related data breaches increased by 239% since 2018 and ransomware incidents increased by 278% over the same period.

OCR investigates all data breaches involving 500 and up healthcare records to find out the HIPAA compliance problems that triggered or led to breaches. According to Heesters, a few of the prevalent HIPAA compliance problems and security flaws that were taken advantage of by malicious actors to acquire access to internal systems, centering on the most typical attack vectors like phishing, unpatched vulnerabilities, and compromised accounts.

Heesters points out how particular terms of the HIPAA Security Rule can support HIPAA-covered entities in protecting against cyberattacks, identifying ongoing attacks, and mitigating the most typical types of cyberattack, for instance, security awareness and training, access control, authentication, and risk management/risk analysis.

The video is available on the YouTube Channel of OCR in the English and Spanish languages.