‘An Unknown Individual Walked In’: Protecting Against Telehealth Risks Includes Non-IT Threats

The HHS Office for Civil Rights (OCR) and other government agencies aren’t just worried that providers understand—and mitigate—the privacy and security risks of telehealth.

In fact, in 2022, the Government Accountability Office (GAO) issued “Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks.”[1] While three of GAO’s four recommendations were directed at the Centers for Medicare & Medicaid Services, it had one for OCR, which prompted the agency’s two-part guidance for providers on helping patients’ protected health information (PHI) stay safe during a telehealth visit.

GAO offered eye-opening information from OCR about some complaints received during the pandemic about telehealth—data agency officials don’t appear to have shared publicly outside of the report. The nature of some of the complaints harkens back to age-old privacy issues, such as conversations not really being private, which have little to do with the technology of telehealth. These can serve as reminders to providers that a focus on foundational issues still will serve them well, particularly as certain telehealth flexibilities adopted during the pandemic become permanent, ensuring that not only is telehealth here to stay, it is growing.

An article in a recent RPP offered experts’ suggestions for providers and other covered entities (CEs) to ensure their telehealth programs are HIPAA-compliant, particularly now that OCR’s noncompliance waivers have expired.[2] Revising, if necessary, contracts with vendors and other business associates to employ only products that meet privacy and security requirements is among the tasks that—if not already completed—are overdue.

According to GAO, “from March 2020 through December 2021, OCR received 43 complaints regarding privacy and security concerns with telehealth visits.”

Among them:

  • Seventeen people said that “third parties were present during a telehealth visit,” with some complaining that they saw “an unknown individual walk behind the provider.”

  • Thirteen people “alleged the provider shared patients’ PHI without permission during their telehealth visit.”

  • Seven others “alleged patients overheard or saw the PHI of another patient.”
