"GAO Calls on OCR to Educate Patients on Telehealth Security, Privacy Risks"

The US Government Accountability Office (GAO) reviewed Medicare telehealth services provided during the pandemic, recommending that the Office for Civil Rights (OCR) give providers additional guidance on communicating telehealth security and privacy risks to patients. The COVID-19 pandemic caused the Department of Health and Human Services (HHS) to temporarily waive certain Medicare telehealth restrictions. Furthermore, in March 2020, OCR announced that it would not impose penalties on providers for noncompliance with certain Health Insurance Portability and Accountability Act (HIPAA) security and privacy requirements. OCR enabled HIPAA-covered providers to engage in telehealth services without the need for a business associate agreement with telehealth platform vendors. It permitted providers to conduct telehealth visits in good faith using any non-public-facing communication product. According to OCR, covered providers were encouraged to inform patients about potential security and privacy risks. However, OCR did not provide specific language for covered entities to use in explaining the risks and told GAO that it would be impossible to reliably track the extent to which providers notify patients of security and privacy risks. Some patients did notice security and privacy risks, and 43 telehealth security-related complaints were filed with OCR between March 2020 and December 2021. Six complaints claimed that providers were not using HIPAA-compliant telehealth platforms. Over 35 other complaints cited privacy violations, such as an unknown person appearing in the provider's camera view during a telehealth visit or patients seeing or overhearing another patient's Protected Health Information (PHI). GAO recommends that OCR expand its outreach, education, and assistance to providers in order to help them better explain telehealth security risks in plain language.
HHS agreed with the recommendation and pointed out that OCR had recently issued two guidance documents on the use of audio-only telehealth. This article continues to discuss the gaps in telehealth security and privacy communication revealed by GAO's review of Medicare telehealth services delivered during the pandemic.

HealthITSecurity reports "GAO Calls on OCR to Educate Patients on Telehealth Security, Privacy Risks"

Submitted by Anonymous on