Solutions for Challenges in Telehealth Privacy and Security

Telehealth, using electronic information and telecommunication technologies to provide care for patient visits, has rapidly grown and plays an important role as a valuable resource during and after the post-COVID-19 pandemic. According to CMS Reports in 2021, 68 million telehealth services were delivered from March to October 2020. This was a 2,700 percent increase compared to the same period in 2019.¹ However, privacy and security in telehealth practices have been identified as major concerns and challenges for the development of successful telehealth services. Millwood stated that “For telehealth to succeed, privacy and security risks must be identified and addressed.”²

Protecting patient privacy and security is necessary and should be a top priority in the telehealth environment. There is more to it than being HIPAA compliant. Ensuring privacy and security builds trust between providers and patients, which opens the door for patients to make the decision to share personal and health information without concerns. Patients’ information, both clinical and administrative, should be protected from breaches and cyberattacks. Ultimately, patients should have the ability to control, access, and manage their personal and health information. For these reasons, it is important to identify challenges and issues for privacy and security related to telehealth visits during and after the post-COVID-19 pandemic in order to apply the appropriate solutions.

Telehealth Types and Methods

Telehealth is widely used for many purposes such as live videoconferencing virtual visits, case collaboration, training, and distance learning synchronously. The store-and-forward approach uses training presentations or videos, digital images (X-rays, photos), patient videos, and the transmission of recorded health history asynchronously. Remote patient monitoring uses technology to deliver acute, chronic health management, and high-risk patient management. Examples of non-face-to-face virtual services include communication between a patient and their provider through an e-visit online patient portal, and a brief virtual check-in with a practitioner via telephone or other telecommunications device to decide whether an office visit or other service is needed.

Telehealth can be delivered from clinic to home, clinic to clinic, home to home, and clinic to community. According to Houser’s study, the major delivery methods for telehealth include telehealth apps or services (73 percent); non-telehealth apps or services, such as Zoom, FaceTime; video (59 percent); patient portal, such as secure messaging and email (52 percent); and phone only (49 percent).³ Some commonly used technology tools for telehealth include high-speed internet connection, web cameras, tablets, laptop computers, software, home-based workstations, remote monitoring, and digital health training.

Challenges and Impact Factors on Telehealth Privacy and Security

The challenges and impacts on telehealth security and privacy can be broken down into three factors: environmental factors, technology factors, and operational factors.

Environment factors refer to an individual’s surroundings, living conditions, and social connections, which have a direct or indirect impact on privacy and security protections. Vulnerable populations such as the homeless, elderly, adolescents, parents, and mental health patients are often concerned about the lack of private space for virtual visits. Telehealth visits created difficulty in the sharing of sensitive health information for patients with HIV/AIDS, behavioral or mental health issues, as well as contraceptive discussions for adolescent patients. Trusting providers and other healthcare workers when sharing sensitive information often presents a challenge. Another privacy point of view is that the location of the videoconferencing may inadvertently expose details of the patient’s living conditions. The space, location, and accessibility to the use of telehealth are also an added concern for healthcare providers.

Technology factors include data security issues such as the hacking of video visits, limited access to the internet and technology, lack of digital devices, use of cellular data, or public Wi-Fi, digital literacy such as limited knowledge and understanding of the technology used, and poor quality of audio or video outcome. Another issue with telehealth technology is understanding its use and digital literacy that limits quality assessments and diagnosis.

Operational factors are a combination of reimbursement for telehealth services, monitoring payer denials for services, ensuring that the telehealth technology used is accessible for all patients, and providing appropriate training and education to both staff and providers. The COVID-19 pandemic opened the door to advance the use of telehealth services and provided a pathway for discussion of continued reimbursement coverage post-COVID-19. However, from an operational point of view, reimbursement and payor denials are a major factor in the decision to utilize telehealth technology.

Best Practices for Telehealth Privacy and Security

A multidimensional approach is essential and necessary for managing today’s telehealth patient visits. When building best practices for privacy and security in telehealth use, there are many issues to be considered, such as environmental factors, technology factors, and operational factors.

Protecting Patients’ Telehealth Privacy

Healthcare providers should be aware of the patient’s location before initiating the telehealth visit and be concerned about patient privacy and their needs. Providing patients with tips about how to find a private location, such as a private room at home or in a friend’s home, a car, or outdoors away from other people. If the patient is unable to find a private place for a video telehealth appointment, the provider may suggest the appointment be rescheduled or use email, chat, or text through the patient portal instead. The provider may also suggest a better location for the telehealth visit. When treating adolescent patients with parent(s) present, indicate when the parent should or should not be present to allow for confidential communication between the patient and provider. Suggest the use of headsets and respond to questions through chat to prevent disclosure of sensitive health information. Determine if patients need to fill out a release of information and obtain informed consent. Remind patients to be aware of their surroundings and background when sharing sensitive information.

Sharing Secured Information Online

When sharing information online, use appropriate measures to protect patient information. Use only secure websites with a lock icon in the address bar when entering personal and health information. Require passwords for all virtual visits and verify patient information while the patient remains in the “waiting room.” For patients with telehealth visits, do not set up a telehealth appointment or share personal information with an unknown provider, and use a regular provider’s main phone number to confirm their identity. Keep devices protected with updated antivirus software. Avoid using public Wi-Fi to access telehealth services and avoid accessing telehealth on devices shared with people outside of the home or family. Improve the quality of audio and video by working with IT staff to ensure adequate bandwidth is available in your area of service. Utilize network access, ensure internet connectivity is stable, and other measures to enhance the speed of the internet. Enable all available encryption and privacy modes when using telehealth technology. Provide patients and providers with tips for optimal camera placement. Suggest better lighting to enhance the patient’s environment for better visualization.

Building Privacy and Security Standards

Healthcare providers should incorporate telehealth services into their privacy and security policies, procedures, and workflows, as well as integrate telemedicine into the Notice of Privacy Practices. Conduct thorough training modules with multiple sessions, manually rehearse steps and ensure workflow integration is in place prior to beginning sessions. Ensure all staff and providers have received telehealth-specific privacy and security training. Include telehealth equipment and devices in the organization’s security management plan and annual security risk assessment. Determine the need for business associate agreements with telehealth vendors.

Ensuring Reimbursement for Telehealth Services

Healthcare professionals should check insurers’ coverage determinations for telehealth services when scheduling visits. Perform coding updates in the chargemaster to ensure billing codes meet payor requirements. Provide coding education for providers and office coding and billing staff. Ensure documentation for telehealth services is standardized and meets billing requirements. Use documentation templates or checklists for payor-specific requirements and use automatic time-tracking within the organization's EHR for CPT code selection. Smart and dot phrases with predefined, modifiable snippets, which allow for standardization and time-saving documentation. Be aware of potential fraud or identity theft. At the beginning of each visit verify a patient’s government photo ID and confirm their name, address, and device location. Document the names and professions of all participants during the telehealth visit obtain proper consent.

It has become apparent that telehealth is here to stay and is making changes frequently; therefore, there is an urgent need for health information professionals to address the technology, digital literacy, and accessibility issues. Minimizing privacy and security risks and challenges is a high priority as well. Building and using best practice guidelines and policies can ensure that we are meeting the needs of the patients and providers. Accomplishing this will help secure the successful use of telehealth services in privacy and security settings.

Notes

1. CMS Fact Sheets, “Fact sheet: Medicaid & CHIP and the COVID-19 public health emergency.” Published May 14, 2021. Available online: https://www.cms.gov/newsroom/fact-sheets/fact-sheet-medicaid-chip-and-covid-19-public-health-emergency

2. For Telehealth To Succeed, Privacy And Security Risks Must Be Identified And Addressed. By Joseph L. Hall and Deven McGraw. Health Affairs. 33(2):216-221, 2014. doi: 10.1377/hlthaff.2013.0997

3. Houser SH, Flite CA, Foster SL, Hunt TJ, Morey A, Palmer MN, Peterson J, Pope RD, Sorensen L. Patient Clinical Documentation in Telehealth Environment: Are We Collecting Appropriate and Sufficient Information for Best Practice? mHealth. 2022:8:6 (20 January 2022). DOI:10.21037/mhealth-21-30. PMID: 35178437.

Shannon H. Houser (shouser@uab.edu) is professor in the Department of Health Services Administration at the University of Alabama at Birmingham.

Cathy A. Flite (cflite@temple.edu) is associate professor in the Department of Health Services Administration & Policy at Temple University.

Susan L. Foster (fsusan@wustl.edu) is a privacy compliance educator in the HIPAA Privacy Office at Washington University School of Medicine.

View the AHIMA policy statement on telehealth and remote patient monitoring technologies.