Despite the advantages of telehealth, this treatment modality poses some legitimate privacy concerns, says Stephen A. Timoni, JD, an attorney with Lindabury, McCormick, Estabrook & Cooper in Westfield, NJ.
Telehealth involves the nontraditional electronic transmission of sensitive information among providers and patients through a wide variety of ever-changing technologies.
Thus, the potential for patient privacy breaches exists. Notwithstanding the precautions taken by hospitals to protect patient privacy, data breaches can occur, validating patient concerns.[1]
Providers should start by conducting a comprehensive telehealth survey and study. Timoni suggests such a process include the following steps:
- Identify the telehealth technology and equipment currently in use.
- Identify the situations where telehealth is used.
- Identify the parties who are communicating and exchanging health information.
- Identify and evaluate the key areas of potential exposure for patient privacy breach.
- Develop effective telehealth privacy and security policies and procedures.
- Regularly audit compliance with the established policies and procedures.
Best Practice Recommendations
To ensure telehealth privacy, Timoni offers these nine best practices:
- Use telehealth platforms and systems that comply with federal and state privacy laws. In advance of COVID-19, healthcare providers were required to use HIPAA-compliant technology for telehealth consultations. Although enforcement of this requirement has been temporarily relaxed, best practice dictates exercising efforts to comply with all federal and state privacy rules.
- Authenticate the identity of all telehealth system users to ensure only authorized individuals can access health information.
- Develop and implement a patient education and informed consent program. Patients must be made aware of and understand the risks associated with telehealth. Informed consent should include information about the telehealth system, the steps patients should take to improve the safety of their electronic interactions, an agreement that telehealth is an appropriate form of treatment, and the understanding that the patient can stop treatment at any time.
- All telehealth visits should be well-documented and included in the patient’s medical record. This documentation should include the patient’s informed consent acknowledgement.
- Implement technical controls to guard against privacy and security risks. These may include data encryption, secure connections, password-protected screensavers, and using software and platforms that have been vetted and approved for use. Note that consumer videoconferencing platforms such as FaceTime and Zoom may not offer proper controls and safety features.
- Document compliance by third-party organizations that provide components of the telehealth system (e.g., equipment and software). Require vendors to provide documentation and use comprehensive contracts covering all key terms and conditions, including regulatory compliance.
- Training programs should be established and required for all clinical practitioners who will use telehealth systems. This training should include development of effective, open, and clear communication skills, such as careful listening and ensuring the patient understands the diagnosis and treatment options discussed.
- Comply with state licensure laws. All telehealth encounters should comply with rules concerning the location of the practitioner and patient, the nature of the services provided, and the provider of the service.
- Identify and manage malpractice and privacy breach litigation risks. This includes a review of applicable liability insurance coverage.
Avoid These Mistakes
Timoni highlights these five mistakes that providers should avoid:
- Not adequately coordinating the operation of the telehealth platform between the medical staff, administration, and IT department.
- Failure to provide effective telehealth training to hospital staff.
- Not regularly testing the telehealth system for regulatory compliance, potential technical issues, and communication failures.
- Failure to provide continuing and updated education and disclosure to patients.
- Failure to continue to plan in advance for telehealth demand and deployment of improved technology.
Privacy and security protection in the digital world are achieved by development and implementation of operating policies that adhere to the widely accepted Fair Information Practice Principles (FIPPS), says Jeffrey A. Zipper, MD, chief executive officer of iRecovery USA in Boca Raton, FL, which uses telehealth to provide mental health and addiction care. FIPPS were developed in the early years of internet growth. They form the basis for current laws regarding data security and privacy. Zipper offers this illustration of how his organization applies the principles to telehealth:
- The Collection Limitation Principle. Keep personal data collection in check, and collect with the patient’s lawful consent.
- The Data Quality Principle. If personal data are released, these should be relevant to the proposed purpose of the request, for intended recipients, on a need-to-know basis.
- The Purpose Specification Principle. Before releasing data, secure the specified reason for the request.
- The Use Limitation Principle. Personal data should not be released for purposes other than those specified, except when patients consent or by the authority of law.
- The Security Safeguards Principle. Protect personal data with reasonable security safeguards against protected personal information loss, disclosure, or unauthorized access.
- The Openness Principle. When it comes to managing personal data, organizations should operate under a general policy of transparency about any problems.
- The Individual Participation Principle. A patient should be able to see and amend any personal data collected within a reasonable time frame and at reasonable cost. Access denials may be contested.
- The Accountability Principle. A data controller should ensure compliance.
In addition, Zipper says a healthcare videoconferencing system and network should provide “end-to-end” encryption. The telehealth application should be built into the EHR environment. Use encrypted email and texts for communication with patients outside the EHR environment.
When it comes to patient privacy and access, integrating the video application into the existing healthcare system workflows is paramount, says Tzachi Levy, senior vice president of product and engineering at Vidyo, a telehealth technology provider in Hackensack, NJ. “During the frantic early stages of COVID-19, some healthcare organizations rushed to adopt standalone, simplistic video chat solutions outside of their medical workflows. These solutions were not integrated with the EMR system, leading to security risks, compliance issues, and disjointed user experiences for both provider and patient,” he says.
An ideal telehealth implementation would start by understanding the existing clinical workflows and medical staff use cases. “Knowledge of clinical workflows and flexible platform application programming interfaces make the difference to enable a virtual experience seamlessly,” Levy says.
- Babylon Health. A notice to our patients regarding the recent data incident at Babylon. June 11, 2020.
- Tzachi Levy, Senior Vice President, Product and Engineering, Vidyo, Hackensack, NJ. Phone: (866) 998-4396.
- Stephen A. Timoni, JD, Lindabury, McCormick, Estabrook & Cooper, Westfield, NJ. Phone: (908) 233-6800. Email: email@example.com.
- Jeffrey A. Zipper, MD, Chief Executive Officer, iRecovery USA, Boca Raton, FL. Phone: (561) 464-5500.