Privacy and security risks raised by Medicaid patients using telehealth platforms prompted a GAO audit after 43 patients complained. (Navy)

The Department of Health and Human Services Office for Civil Rights is missing a tracking mechanism to understand the extent providers are informing Medicaid patients of privacy and security risks brought on by telehealth platforms, which led to 43 patient complaints to OCR during the COVID-19 pandemic.

OCR announced enforcement discretion of telehealth use to support the pandemic response in March 2020. The “good faith provision” meant providers could use any non-public-facing communication tool for telehealth visits and OCR wouldn’t impose penalties for potential non-compliance with the Health Insurance Portability and Accountability Act’s privacy and security requirements during the emergency.

Providers were provided guidance on possible risks of using telehealth platforms not typically covered by HIPAA, as well as recommendations for what to look for when leveraging non-traditional telehealth platforms and to notify patients of privacy and security risks brought on by use of the platform.

While telehealth use skyrocketed during the pandemic and is long-proven to be a vital tool for remote patient care, the use of these platforms does pose risks to patients, such as the inappropriate disclosure of their health data. What’s more, the enforcement discretion may not protect patient privacy.

A Government Accountability Office audit of the Medicaid telehealth program during the national COVID-19 emergency found that patients might be unaware of the privacy risks brought on by the regulatory shift amid COVID-19. 

The audit also found HHS does not track the extent that providers are notifying patients of the privacy and security risks brought on by the use of telehealth. However, OCR explained that it’s simply not possible to do so in a reliable manner.

As a result of those communication and oversight gaps, OCR received 43 complaints tied to privacy and security concerns with telehealth visits between March 2020 through December 2021. Of those complaints, six were brought against one provider due to the purported use of telehealth platforms that might not meet HIPAA requirements. 

“Specifically, five patients and one employee of a covered provider alleged that providers were using telehealth platforms that did not meet the HIPAA requirements,” according to the report. The platforms were potentially putting the privacy and security of PHI at risk.

The other 37 complaints were directly tied to potential privacy violations, 17 of which alleged that third parties were present during a telehealth visit, “such as seeing an unknown individual walk behind the provider.” Another 13 complaints claimed a provider sharing patient PHI without permission during a telehealth visit.

The final seven complaints stemmed from patients overhearing or seeing the PHI of another patient.

Patients may not understand privacy and security risks of telehealth

GAO audited the program to determine the impact of the enforcement discretion by interviewing officials, reviewing relevant materials and privacy and security risks, and the OCR efforts to oversee patients’ protected health information risks against the Standards for Internal Control in the Federal Government and the Health Information Technology for Economic and Clinical Health Act (HITECH).

HITECH “mandates HHS increase providers’ and patients’ understanding of potential uses of their PHI and the effects of such uses, including the use of PHI in telehealth technology.” The audit also noted that the waiver for business associate agreement requirements may have also increased telehealth risks.

While OCR did provide guidance to covered entities upon announcing the telehealth waiver, GAO found “it did not advise providers of specific language to use or give direction to help them explain these risks to their patients.”

This information would ensure patients are aware of the potential impacts to their PHI brought on by privacy and security risks posed by telehealth. These risks involve the electronic transmission of PHI over the telehealth platform, or possibly overhearing oral conversations if the visit does not occur privately. There’s also a concern the telehealth vendor will inappropriately use or disclose information.

GAO also found varying responses in interviews with provider groups around the use of telehealth platforms that may not meet HIPAA Rule requirements. Five of 26 groups “said investing in HIPAA-compliant telehealth platforms may be difficult for small practices.” According to a 2020 American Medical Association survey, small practices make up a little more than half of physician practices.

Further, OCR didn’t provide insights on the specific language to use or give direction to providers on helping explain risks to patients, or to  “ensure patients understand potential uses of their PHI and the effects of [telehealth] use.

For example, “in cases where a provider’s use of a telehealth platform falls within the telehealth notification, only the vendor’s privacy policy applies,” according to the report. “The vendor’s policy may not be HIPAA compliant and may be lengthy, complex, and difficult for some patients to understand.”

To address the communication gaps, GAO recommended OCR take action to strengthen oversight of Medicare telehealth and support providers with education, outreach, or other assistance “to help them explain the privacy and security risks to patients in plain language.” Patients also need to understand the steps they can take to safeguard their privacy on their devices.

If OCR were to give additional education to patients, “it could help ensure that patients understand potential privacy and security risks associated with telehealth technology.” OCR should also strengthen its oversight of the program and better educate providers on the importance of discussing the risks with patients to reduce possible HIPAA violations.

HHS concurred with the recommendation for better patient education, while noting OCR recently issued two guides tied to audio-only telehealth use to ensure HIPAA compliance and mobile health privacy and security considerations. However, “in most cases, HIPAA Rules don’t protect the privacy or security of individuals’ health information when they access or store the information on personal cell phones or tablets.”

In the wake of the Supreme Court Dobb’s decision, providers are increasingly being asked to have conversations around privacy and security of their health information to prevent negative outcomes. There’s hope that the multiple congressional proposals targeting these regulatory gray areas for health information with soon reduce some of these risks.