Last week, the Office for Civil Rights (“OCR”) released two new resources designed to assist patients in understanding the privacy and security risks to their health information associated with using telehealth, and steps that can be taken to reduce those risks.
The first document provided by OCR is intended to serve as a resource for providers on how to educate their patients about these telehealth risks. For example, the document describes how providers should explain what telehealth is to patients, the risks of malware, unauthorized access and accidental disclosures, and how to effectively communicate with patients about the provider's specific uses of telehealth. While the document emphasizes that such education is not required, OCR does state that it views education by a provider as a way to enhance the quality of care.
The second document provided by OCR is a list of “tips” for patients to consider when using telehealth. Providers might consider directing patients to the list on OCR's website or using this list as a handout for patients to accomplish the education described in the first document.
OCR's resources are timely given the end of the COVID-19 Public Health Emergency earlier this year and the end of its policy of enforcement discretion around the provision of telehealth. As of August 9, 2023, covered entities were expected to be in full compliance with HIPAA regarding their provision of telehealth, including, for example, using secure platforms and having business associate agreements in place with vendors of telehealth platforms.