Risk Perspectives in Telehealth: Privacy & Security

Laura M. Cascella, MA

The rapid expansion of technology in healthcare has significant implications for privacy and security of patients' protected health information (PHI). Confidential or sensitive data that are stored or sent electronically create a host of security issues that healthcare organizations must consider. For example, mobile devices can be easily lost or stolen, unintentional data breaches can occur, and cyberattacks can cripple information technology systems.

When healthcare delivered through telecommunications (telehealth) is thrown into the mix, the issues of privacy and security become even more complex. The transmission of data to and from various locations using a variety of technologies increases risk exposure and the possibility that data will be disclosed in inappropriate ways.

Privacy and security of PHI and electronic PHI (ePHI) are addressed in federal law as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. Healthcare providers and staff, as well as others in the healthcare industry who work with PHI, often are well aware of their obligations to adhere to HIPAA and HITECH regulations. The provision of care through telehealth in no way changes or diminishes these obligations.

Although HIPAA and HITECH do not specifically address telehealth, they set forth standards related to ePHI that require covered entities (CEs) and business associates (BAs) to:

• Ensure the confidentiality, integrity, and security of ePHI, including information created, received, transmitted, and/or maintained
• Protect against threats and hazards to the security and integrity of ePHI, and protect against nonpermissible disclosure of such information
• Implement policies and procedures to prevent, detect, contain, and correct security violations, including risk analysis and risk management activities
• Ensure workforce compliance with these regulations¹

The ways in which CEs and BAs should meet these standards are not clearly defined in HIPAA or HITECH regulations. The Center for Connected Health Policy explains that "Use of specific telehealth equipment or technology cannot ensure that an entity is ‘HIPAA-compliant' because HIPAA addresses more than features or technical specifications. Nevertheless, certain features may help a covered entity meet its compliance obligations."² Examples of these features include data encryption, user authentication, password security, patient verification technologies, protected wireless networks, data tracking and auditing, and more. Good security practices, such as routinely updating software and installing recommended security patches, also can help CEs and BAs fulfill regulatory obligations.

When working with vendors who supply telehealth services or equipment, healthcare organizations should determine whether the vendors are considered BAs per HIPAA standards. The U.S. Department of Health & Human Services (HHS) notes that a BA is "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."³ BAs might have a role in creating, receiving, maintaining, or transmitting ePHI.⁴

If a vendor qualifies as a BA, the healthcare organization and vendor should have a business associate agreement (BAA) in place. The agreement should set forth certain conditions, such as outlining appropriate use and disclosure of ePHI by the vendor, requiring the vendor to implement safeguards to protect information, and stipulating that the vendor notify the CE of any data use or disclosure not permitted in the BAA. For more information about BAs and a sample agreement, visit HHS's Business Associate Contracts webpage.

Beyond HIPAA and HITECH, some states have privacy and security laws related to PHI/ePHI, and healthcare personnel must adhere to those as well. Yet, state and federal laws do not always align. "Where state law or regulation is contrary to HIPAA, the federal law or regulation will generally prevail. However, there are some exceptions, such as cases where state law provides greater privacy protection than what is required federally."⁵

Healthcare organizations also should consider their policies related to security of mobile devices, use of social media, appropriate technologies and applications (apps), and electronic communication with patients. A risk analysis that takes into account the services offered, the method of delivery, and the types of technology involved can help organizations identify areas of exposure and take action to address them. For additional guidance on risk analysis and management requirements, see HHS's Summary of the HIPAA Security Rule. Healthcare organizations also can take advantage of the Office of the National Coordinator for Health Information Technology's Security Risk Assessment Tool.

Finally, all healthcare providers and staff involved in telehealth activities — including support staff, technical staff, vendors, etc. — should be aware of their obligation to protect patient confidentiality and adhere to privacy and security laws. Periodic training on information privacy and security, as well as use of confidentiality agreements, can help reinforce compliance with organizational protocols.

---

¹ HIPAA Privacy and Security Rule, 45 C.F.R. § 164.306 and § 164.308.

² The Center for Connected Health Policy. (n.d.). HIPAA and telehealth. Retrieved from https://www.cchpca.org/sites/default/files/2018-09/HIPAA%20and%20Telehealth.pdf

³ U.S. Department of Health and Human Services. (2013, July 26). HIPAA for professionals: Business associates. Retrieved from www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html

⁴ HIPAA Privacy and Security Rule, 45 C.F.R § 160.103.

⁴ Center for Connected Health Policy, HIPAA and telehealth.

---

Prevention & Education Center home