Telehealth and HIPAA During COVID-19: Security and Privacy Risks

October 16, 2020 | Purdue Global Law School

The COVID-19 pandemic has caused a surge in the use of telehealth services. In 2019, just 22% of doctors said they had seen patients via telehealth in the preceding year, according to a survey by American Well. By the end of April 2020, telehealth volumes had increased by more than 500% in some health care facilities, Healthcare Innovation reports.

Telehealth (also known as telemedicine) was already on the rise before the pandemic, thanks to the many benefits it offers to both clinicians and patients. However, telemedicine can create security and privacy threats that run afoul of Health Insurance Portability and Accountability Act (HIPAA) requirements. The rapid and unplanned uptake of telehealth technologies only increases the risk. Health care providers must carefully balance HIPAA requirements with the need to deliver services remotely via telehealth.

COVID-19 Accelerates the Telehealth Boom

Telehealth is the delivery of health care and related services via audio and video conferencing, text messaging, and other technologies. While there are obvious limitations to remote health care services, telehealth has eased the strain on hospitals and medical practices while providing patients with faster access to care.

Many health care providers opted to postpone outpatient appointments for preventive care and elective services to reduce the risk of COVID-19 transmission and the need for masks, gloves, gowns, and other protective gear. For their part, many patients wanted to stay home to avoid potential exposure.

Telehealth filled the gap, allowing clinicians to evaluate patients for potential novel coronavirus infection and provide general health care services across various specialties. Forrester Research has predicted that COVID-19-related telehealth visits will exceed 900 million in 2020, with the total number of telehealth visits topping 1 billion.

The Centers for Medicare and Medicaid Services (CMS) has temporarily relaxed restrictions on telehealth services. The American Medical Association reports that CMS has added more than 80 services to its approved list, and according to CNBC, it is paying the same rates for telehealth visits as for in-person appointments. Additionally, an Executive Order issued August 3, 2020, extends Medicare coverage of telemedicine services in rural areas beyond the public health emergency created by the pandemic.

Even Before the Pandemic, Telehealth Usage Had Been Growing Rapidly

According to the American Well survey, the number of physicians using telehealth services increased 340% between 2015 and 2019. Willingness to try telehealth increased from 57% to 69% over the same period. Telehealth has seen the widest adoption in psychiatry, but urologists, emergency medicine providers, infectious disease specialists, pediatricians, and oncologists are among the professionals willing to try the technology.

Key to telehealth’s growth is the wide availability of cost-efficient, easy-to-use video conferencing and collaboration tools. Providers are also recognizing the benefits of telehealth services. Of the physicians surveyed by American Well, 93% said telehealth improves patients’ access to care. Providers can respond more quickly to urgent needs, continuously monitor patients, and check in more frequently with chronically ill patients.

From a business perspective, 77% of respondents said telehealth increases efficiency compared to traditional in-person medical appointments, and 71% said it saves money. Physicians were also willing to adopt telehealth to improve work-life balance, gain greater flexibility, and reduce burnout.

For patients, telemedicine technology provides a convenient, in-home option. A recent survey by Sykes found that only 19% of U.S. adults had used telehealth services, but the vast majority of those who had tried telehealth were satisfied with the experience.

Security and Privacy Risks: Telehealth, COVID-19, and HIPAA

Telehealth is not without drawbacks, and security and privacy risks are high on the list of concerns. The health care sector suffers more data breaches than any other industry, primarily because health care data is highly valuable on the black market. Telehealth opens up new vectors for cyberattacks and data theft because patient data is communicated across multiple networks and platforms.

HIPAA, 45 CFR Parts 160, 162, and 164, requires a health care organization to “ensure the confidentiality, integrity, and availability of all electronic protected health information” that the organization “creates, receives, maintains, or transmits.” The organization must also “protect against any reasonably anticipated threats or hazards to the security or integrity of such information.” To do so, the organization must implement security measures to ensure that only authorized users can access patient information.

HIPAA requires that secure channels be used for any communication of electronic data and that communications be monitored to prevent a data breach. Doctors need to choose a HIPAA-compliant telehealth solution to meet these standards.

Some HIPAA Restrictions Are Relaxed Due to Public Health Emergency

The Department of Health and Human Services Office for Civil Rights (OCR), which oversees enforcement of the HIPAA Privacy and Security Rules, has temporarily relaxed requirements on telehealth services due to the COVID-19 pandemic. Health care providers may use any non-public-facing communication platforms to deliver telehealth services, including the video calling capabilities on most smartphones.

Providers are not subject to penalties for HIPAA violations or data breaches that occur in the good faith delivery of telehealth services during the public health emergency. Bad faith would include the use of public-facing platforms, such as social media or public chat rooms, along with violations of professional ethical standards, use or disclosure of patient data in a prohibited manner, and criminal conduct.

Although the rules have been relaxed to facilitate telehealth during the pandemic, the OCR has made it clear that health care providers must still follow HIPAA requirements in all other areas of practice. What’s more, the existing rules will go back into place after the pandemic has abated. Naturally, providers should consider potential civil liability and reputational risk when choosing an online platform, even if selecting one allowed under relaxed guidelines.

Long-Term Ramifications

Telehealth has been around since the 1990s but was slow to take off due to costly and cumbersome video conferencing technologies. Adoption was limited before the pandemic, and many physicians remain concerned about insurance coverage and quality of care. Nevertheless, the pandemic has proven the technology’s success, and health care providers should operate under the assumption that telehealth will become a permanent part of their practices.

Providers who have hastily implemented telehealth during the pandemic should develop a long-term strategy and evaluate highly secure technology for the delivery of remote health care services. The U.S. Centers for Disease Control recommends that providers monitor federal and state regulations, develop protocols for the use of telehealth, and train clinicians and staff. Patients should be given updated privacy policies, and providers should obtain consent for the use of telehealth services.

Take Health Law Classes Online With Purdue Global Law School

In addition to its licensure-based Juris Doctor program, Purdue Global Law School offers an Executive Juris Doctor (EJD) program, which is designed for those who wish to develop advanced legal knowledge and skills without becoming a lawyer. The EJD program offers specializations in health law as well as law and technology, and individual online classes are also available. Classes include:

  • Cybersecurity Law
  • ADR and Technology
  • Health Law
  • Medical Malpractice/Professional Liability
  • Medical Products Liability
  • Risk Management in Health Care

About The Author

Purdue Global Law School

Established in 1998, Purdue Global Law School (formerly Concord Law School) is Purdue University's fully online law school for working adults.