The United States Department of Health and Human Services (“HHS”) – Office of Civil Rights (“OCR”) recently issued two new resources designed to help providers explain to patients the privacy and security risks to their protected health information (“PHI”) during telehealth encounters. Available through the HHS website, the guidance offers a primer on relevant PHI privacy and security laws as well as best practices for telehealth encounters.

The first resource, entitled “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth” is aimed at healthcare providers and offers an overview of the privacy and security rules under the Health Insurance Portability and Accountability Act (“HIPAA”). Additionally, the resource provides suggestions for discussing with patients: (i) the telehealth options available; (ii) the potential risks to PHI when using telehealth modalities; (iii) the privacy and security practices of telehealth technology vendors; and (iv) the applicability of certain civil rights laws.

The second resource, “Telehealth Privacy and Security Tips for Patients,” is directed towards patients and provides recommendations for protecting and securing their PHI during telehealth encounters. Such recommendations include: (i) conducting telehealth appointments from a private location; (ii) utilizing multi-factor authentication, if available; (iii) using encryption, when available; and (iv) avoiding public Wi-Fi networks for telehealth encounters.

The provider resource, “Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth,” is available here.

The patient-targeted resource, “Telehealth Privacy and Security Tips for Patients,” is available here.