The U.S. Department of Health and Human Services (HHS) improved access to health care during the COVID-19 public health emergency (“COVID-19 PHE”) by facilitating the increased use of telehealth.[1] As a result of the Department’s actions, health care providers[2] increasingly used telehealth to provide care to patients remotely.[3] The HHS Office for Civil Rights (OCR) supports the continued use of telehealth and has published materials on its website to help entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations understand how to provide telehealth in compliance with applicable federal health information privacy, security, and civil rights laws.[4]

OCR is issuing this resource, as recommended by the Government Accountability Office,[5] to help health care providers explain to patients, in plain language, the health information privacy and security risks that are present when using remote communication technologies such as video conferencing websites and applications (“apps”) for telehealth.[6] The information in this resource expands on the Department’s existing resources for health care providers on preparing patients for telehealth with a focus on privacy and security.[7] The HIPAA Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) do not require covered health care providers to educate patients about these risks; however, OCR is sharing this resource to assist providers who would like to explain to patients the privacy and security risks to their protected health information (PHI)[8] when using telehealth services and ways to reduce these risks. Ensuring the privacy and security of PHI can help promote more effective communication between the provider and patient, which is important for quality care. If applicable, providers also may share the information in this resource with a patient’s personal representative or family member who is assisting the patient in receiving telehealth.
When communicating this information to individuals, providers should be mindful that civil rights laws generally require providers to take appropriate steps to ensure that communications with an individual with a disability are as effective as communications with others, including by providing appropriate auxiliary aids and services where necessary. This requirement extends to all communications with an individual with a disability, including when communicating the information in this resource. Further, providers may need to use language assistance services, such as providing a written translation or a qualified interpreter, so persons with limited English proficiency receive the information below.

Before the telehealth session, you can explain what telehealth is and the remote communication technologies that you will use in the telehealth session as part of providing telehealth to your patients.

Inform patients that telehealth, sometimes called telemedicine, allows you to care for patients without an in-person office visit. You may provide care using remote communication technologies like a telephone, computer, tablet, or smartphone.[9]

Provide examples of the types of telehealth services, for example:

- Having a health care appointment by telephone for an audio-only call, or through a video conferencing app.
- Allowing a patient to send health care questions and receive responses from you using messaging technologies (e.g., text messaging, instant messaging through a website, such as a patient portal, or using a mobile app) or email.
- Using remote patient monitoring technologies, such as a device to collect vital signs or a video monitoring system to help you keep track of the patient’s health, vital signs, and safety from a remote location.

Explain why health information privacy and security are important.

Inform patients about the privacy and security protections of the remote communication technologies that you offer, which can help prevent breaches of the patient’s PHI such as their medical records, information discussed during an appointment, and any documents or images shared during a telehealth appointment. Without the appropriate privacy and security protections, such as those required by the HIPAA Rules, the risk that unauthorized persons could obtain this information and cause substantial harm to the patient significantly increases. Examples of potential harm caused by breaches include medical or financial identity theft, embarrassment, bias and discrimination, and other problems for the patient’s finances or reputation.

Explain the possible risks to the patient’s PHI when using remote communication technologies for telehealth and ways to mitigate the risks.

Tell your patients that using video conferencing apps and other remote communication technologies for telehealth can come with risks to the privacy and security of their health information and how these risks can be mitigated. Some examples of risks that may be relevant to your patients, depending on the circumstances and which technologies you use, may include the following:

- Viruses and other malware. Even with privacy and security protections, there is a risk of viruses or other malware infecting a website or app used for telehealth. Patients should be aware of the availability of anti-malware solutions to guard against viruses or other malicious software.[10] There are many anti-malware solutions available for purchase and some that may be included on a patient’s device at no additional cost.
- Unauthorized access. Cyber-criminals might exploit unpatched software to gain access to a patient’s device and health information. Patients can lower this risk by applying updates to software installed on their devices as soon as they become available. Frequent updates improve security by fixing vulnerabilities cyber-criminals are known to exploit.
- Accidental disclosures. If the patient is not in a private location during the telehealth appointment, then other persons may hear or see sensitive health information about the patient. Patients can decrease the risk of accidental disclosures when others are present by positioning their device so others cannot see their device’s screen and, if available, using a headset or headphones. Or, if a live chat function is available on the telehealth website or mobile app, a patient can use this to communicate instead of using their device’s speakers and microphone.

To help patients protect their health information, you could consider the following:

- Ensure that the patient knows when and how they will be contacted by you or the remote communication technology vendor. By providing this information, you can help the patient avoid potential phishing emails or other scams. For example, you may give the patient the email address or phone number from where information will be sent to them on a specific date. You may also provide a patient with a phone number they may call if they want to verify a link or other information they receive in an email or text message.
- Encourage the patient to ask any questions they may have. Some patients may have questions about the remote communication technology, including how to use it or what privacy and security controls the technology has available. If you’re not able to answer a question, let them know who can.

HRSA’s Telehealth Privacy Tips for Patients.

If you use a remote communication technology vendor(s) for telehealth, provide information about the privacy and security practices of the vendor(s).

- Provide the names of the vendors of any remote communication technologies that you use and information about where to view the vendors’ websites and privacy practices.
- Tell the patient about the privacy and security safeguards the remote communication technology vendor has agreed to use.
- Tell the patient whether the telehealth app or website uses online tracking technologies.[11]

Tell patients that they can file a privacy complaint.

An individual who believes that their or someone else’s health privacy rights have been violated can visit the OCR complaint portal at https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf to file a complaint online.

DISCLAIMER: The contents of this document do not have the force and effect of law and are not meant to bind the public in any way. This document is intended only to provide clarity to the public regarding existing requirements under the law or the Department’s policies.

To obtain this information in an alternate format, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing OCRMail@hhs.gov. Language assistance services for OCR matters are available and provided free of charge.
Resources

Privacy and security tips for patients

- Telehealth Privacy for Patients: https://telehealth.hhs.gov/patients/telehealth-privacy-for-patients
- Telehealth Security and Privacy Tips for Patients: https://www.nccoe.nist.gov/sites/default/files/legacy-files/brochure-telehealth-patient-tips.pdf
- How to Recognize and Avoid Phishing Scams: https://consumer.ftc.gov/articles/how-recognize-and-avoid-phishing-scams

Privacy and security tips for providers

- Telehealth Privacy for Providers: https://telehealth.hhs.gov/documents/Telehealth+Privacy+Tips+for+Providers.pdf
- Protecting Patient Health Information: https://telehealth.hhs.gov/providers/legal-considerations#protecting-patient-health-information
- Your Mobile Device and Health Information Privacy and Security: https://www.healthit.gov/topic/privacy-security-and-hipaa/your-mobile-device-and-health-information-privacy-and-security
- Telehealth Security and Privacy Tips for Providers: https://www.nccoe.nist.gov/sites/default/files/legacy-files/brochure-telehealth-hdo-tips.pdf
- Telehealth Security and Privacy Tips for Providers: https://www.nist.gov/video/telehealth-security-and-privacy-tips-providers

Additional telehealth resources

- OCR Guidance on HIPAA and Telehealth: https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html
- Audio-only HIPAA Telehealth Guidance: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html
- Guidance on Nondiscrimination in Telehealth: https://www.hhs.gov/civil-rights/for-individuals/disability/guidance-on-nondiscrimination-in-telehealth/index.html
- HHS Telehealth Website: https://telehealth.hhs.gov/
- Guidance for Medicare and Medicaid Providers: https://www.cms.gov/files/document/telehealth-toolkit-providers.pdf

Endnotes

[1] See Telehealth Policy Updates, at https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates. See also Telehealth policy changes after the COVID-19 public health emergency at https://telehealth.hhs.gov/providers/telehealth-policy/policy-changes-after-the-covid-19-public-health-emergency.

[2] Health care providers are covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules (“HIPAA Rules”) if they transmit any health information in electronic form in connection with a transaction covered by 45 CFR 162 et seq. 45 CFR 160.103 (definition of “Covered entity”).

[3] See, e.g., Assistant Secretary for Planning and Evaluation (ASPE) Report Medicare Beneficiaries’ Use of Telehealth in 2020: Trends by Beneficiary Characteristics and Location, at https://aspe.hhs.gov/reports/medicare-beneficiaries-use-telehealth-2020 (reporting a 63-fold increase in Medicare telehealth utilization during the pandemic). See also CMS Report Medicare Telehealth Trends, at https://data.cms.gov/sites/default/files/2023-03/Medicare%20Telehealth%20Trends%20Snapshot%2020230308_508.pdf.

[4] See OCR’s materials on HIPAA and Telehealth at https://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html; and Guidance on Nondiscrimination in Telehealth: Federal Protections to Ensure Accessibility to People with Disabilities and Limited English Proficient Persons at https://www.hhs.gov/civil-rights/for-individuals/disability/guidance-on-nondiscrimination-in-telehealth/index.html.

[5] “The HHS Office for Civil Rights should provide additional education, outreach, or other assistance to providers to help them explain the privacy and security risks to patients in plain language when using video telehealth platforms to provide telehealth services. (Recommendation 4)”. See GAO, Medicare Telehealth: Actions Needed to Strengthen Oversight and Help Providers Educate Patients on Privacy and Security Risks, GAO-22-104454 (September 26, 2022). OCR is also issuing this resource consistent with Executive Order 14058 on Transforming Federal Customer Experience and Service Delivery to Rebuild Trust in Government, which provided that “[T]o engender public trust, agencies must ensure that their efforts appropriately maintain or enhance protections afforded under law and policy, including those related to civil rights, civil liberties, privacy, confidentiality, and information security.” 86 FR 71357, 71358 (Dec 13, 2021).

[6] This resource refers to such technologies, collectively, as “remote communication technologies.”

[7] See the HHS webpages on Preparing Patients for Telehealth at https://telehealth.hhs.gov/providers/preparing-patients-for-telehealth.

[8] The HIPAA Rules apply to a category of individually identifiable health information called “protected health information.”

[9] OCR’s FAQs on telehealth and HIPAA during the COVID-19 nationwide public health emergency include additional information that may help you explain telehealth to your patients, https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf. See also What is Telehealth?, https://telehealth.hhs.gov/patients/understanding-telehealth.

[10] See the Cybersecurity & Infrastructure Security Agency (CISA) resource, Understanding Anti-Virus Software, at https://www.cisa.gov/news-events/news/understanding-anti-virus-software.

[11] An online tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app. For more information on online tracking technologies, see OCR’s guidance on the use of online tracking technologies, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.