Application security

Mental health patients using telehealth share security, HIPAA concerns

A spine surgeon at Brigham and Women’s Hospital in Boston demonstrates a telehealth follow-up appointment with a recent surgery patient. (Photo by Jessica Rinaldi/The Boston Globe via Getty Images)

Patients who accessed mental health services in the last year are concerned about the security of those sessions and the safety of their sensitive personal information, according to a recent survey by healthcare technology vendor DrFirst.

At the start of the COVID-19 pandemic, the Department of Health and Human Services relaxed enforcement of telehealth use on platforms not typically allowed under The Health Insurance Portability and Accountability Act. The measure fueled use of telehealth, and in some instances, is expected to continue long after the pandemic ends.

The new survey follows a recent HHS Office of the Inspector General audit that showed the majority of state Medicaid providers leveraging telehealth, particularly for behavioral health, struggled with multiple privacy and security challenges.

According to the release, the majority of the 1,000 surveyed U.S. patients who accessed mental health services through telehealth platforms last year expressed similar concerns with the security of the platform. One-quarter of respondents did not use telehealth amid the pandemic.

Ninety-two percent shared concerns about telehealth security, with 35% of patients saying their telehealth appointment did not meet HIPAA security requirements. Nearly half (43%) said they were worried their personal information could be compromised and 14% were concerned they’re be connected to someone who was not a healthcare professional 

Another 35% were concerned their session would be hacked. It should be noted, the beginning of the pandemic saw a drastic uptick in the use of Zoom — and related “Zoom-bombing” attacks that enabled nefarious actors to access private meetings due to overlooked privacy issues.

One-third of the respondents who reported not using telehealth said it was due to not having an appropriate device or connectivity, while 14% attributed it to concerns about the session being hacked. Another 45% said it was their personal preference.

“Even though the government relaxed enforcement for security rules early in the pandemic, healthcare providers should take every possible step to protect patients’ sensitive information,” said Colin Banas, M.D., chief medical officer for DrFirst, in a statement.

“Providers who are still using technology that doesn’t meet HIPAA requirements owe it to their patients to switch to a secure platform as a long-term solution,” he added.

Despite the risks, the majority of patients said they would continue to use telehealth for mental health in the future. As such, it’s important providers review their telehealth implementations to ensure the platforms are HIPAA-compliant and to keep communications secure.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.