Endpoint/Device Security, Endpoint/Device Security, Distributed Workforce, Privacy, Endpoint/Device Security, Endpoint/Device Security

States’ behavioral telehealth stymied by privacy, security challenges

Lt. Michael White, a nurse at Naval Hospital Jacksonville’s intensive care unit, uses telehealth to discuss patient statuses and recommendations with Tiffany Ingram, a nurse at Naval Medical Center San Diego, on June 5, 2019. (Jacob Sippel/Navy)

The majority of Medicaid providers leveraging telehealth for behavioral health services reported multiple challenges to the use and effectiveness of the program, including struggles to obtain user consent, protect patient privacy, and keep patient data secure, according to a Department of Health and Human Services’ Office of the Inspector General audit report.

In total, 27 out of 37 states reported challenges with protecting privacy and security of personal information when using telehealth.

OIG conducted a survey of state Medicaid directors from 37 states that leverage telehealth for behavioral health through managed care organizations, along with structured interviews with relevant stakeholders, aiming to determine the specific challenges of telehealth use in the states.

The report shows that most states face a number of challenges with telehealth use. The most common hurdles were found to be a lack of provider and enrollee training (32 out of 37 states), limited internet connectivity (31 states), and the cost to implement and maintain the telehealth infrastructure (26 states), among other challenges.

“States are increasingly relying on telehealth to provide behavioral health services to Medicaid enrollees. Before the COVID-19 pandemic, telehealth was an important tool for States to increase access to behavioral health services for enrollees in rural or underserved areas with provider shortages," according to the report.

Telehealth use expanded during the pandemic to meet the needs of patients and reduce community spread of COVID-19, with the Centers for Disease Control and Prevention reporting a 73% increase in telehealth use for adults during the pandemic.

Understanding key telehealth hurdles can help pinpoint broader challenges to broader implementations across the overall health care sector, particularly as OIG expects telehealth will be a vital part of addressing behavioral health needs of Medicaid enrollees.

In terms of privacy and security risks, the 27 state Medicaid directors reported the key issue is the use of software and devices that include controls on the collection, use and disclosure of personal information, and the technology and transmission methods are making it difficult for providers to protect enrollee health information.

For one, some telehealth transmission methods like the store-and-forward tech or text-only messages are only able to be transmitted through unencrypted devices, or as unencrypted messages, according to the report. As a result, the data could potentially be accessed by unauthorized third parties.

As behavioral health services often contain highly sensitive information like substance use, these issues pose a serious risk to patient confidentiality.

Another key issue brought to light in the report are providers’ difficulties in obtaining informed patient consent prior to delivery care via telehealth, which is a critical part of ensuring “enrollees know about the services they may receive so that they are able to make an informed decision about whether they would like to authorize the provider to deliver these services.”

Depending on the state, the consent policies may contain the security measures taken to ensure patient privacy, what to expect from the telehealth session, or what telehealth entails.

Several industry stakeholders and one state noted that a lot of states require providers to obtain patient consent before telehealth can be used, while other states require consent before the delivery of medical care.

However, these policies vary by state and some may not always communicate these requirements to providers, including whether consent may be written or verbal. In the report, the Telehealth Resource Center explained that “One of the biggest challenges is no one is telling providers how to get consent… so providers then just make up their own policies.”

The patchwork of requirements and related hurdles to obtaining consent can create barriers to patients in need of behavioral health services via telehealth. The report authors noted that the continued expansion of telehealth use across the country will be impeded by these challenges and could cause issues with providers maintaining compliance with the various rules.

To combat privacy and security risks posed by telehealth use, OIG recommended the Centers for Medicare and Medicaid Services to coordinate with the HHS Office for Civil Rights on enforcement efforts to make sure providers are aware of the privacy and security requirements for telehealth use outlined in The Health Insurance Portability and Accountability Act.

The collaboration could also include joint host training for states around telehealth privacy and security challenges to protected health information, which could also enable effective response for states with questions around HIPAA standards for telehealth tech.

OIG also recommended OIG work directly with states to share best practices for obtaining informed consent from patients prior to telehealth use, including streamlining the process to reduce hurdles to care. CMS concurred with the recommendations to better support states with addressing the challenges outlined in the report.

“Information about the challenges states face with using telehealth is crucial, especially as states turn to telehealth to provide behavioral health services during the COVID-19 pandemic,” the report authors wrote. 

“It’s also helpful for states as they consider which services to deliver via telehealth on a more permanent basis once the pandemic has subsided, as well as which populations could most benefit from telehealth services in the future,” they added.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.