An official website of the United States government



Privacy and security for telehealth

Develop a privacy and security telehealth strategy

Determine how well your telehealth practice protects patient privacy and security by conducting a risk analysis to inform your telehealth strategy.

Analyze privacy and security risks in your telehealth practice

Start by conducting a risk analysis of your practice. Depending on the results of your analysis, you may need to establish, further develop, or update certain areas of your practice in order to mitigate privacy and security risks. Even if you have done a risk analysis before, you should periodically review it and update it where needed, as new risks to your practice may emerge.

A risk analysis covers three broad areas, which can be examined through a series of questions, including:

  • Policies. Is there a policy for authenticating patients and other authorized users? Is patient consent obtained and regularly reviewed, specifically around the recording of telehealth sessions or taking and storing images? Is there a communications and data backup plan in case of an incident or breach of privacy?
  • Technology security. Is patient health data that was generated during telehealth visits or through remote patient monitoring secure? Does the telehealth system control access to patient health data through use of a firewall, anti-virus software, or encryption?
  • Training. Does your practice hold training sessions for all providers, staff, and patients on the importance of privacy and security in the context of telehealth, and are relevant policies reviewed for compliance in those sessions?

Steps to deliver a private telehealth visit

The actions described below can help with both conducting and evaluating privacy and security protocols in a telehealth visit.

Before the visit:

  • Obtain informed consent from the patient and document their privacy preferences.
  • Ensure there is a process to securely transmit and secure patient data.
  • Check the physical facility at the practice for good lighting, a quiet place, and minimal background noise.

During the visit:

  • Use a patient-friendly telehealth platform so that patients can navigate its features without confusion, which reduces the risk of security breaches.
  • Use qualified medical language translation services, if needed.
  • Hold the telehealth visit in a private, enclosed room to minimize the risk that patient health information is overheard.
  • Take steps to verify the identity of the patient and that of any other authorized third party prior to the visit by having them share a government-issued ID and confirm their name, address, and device location.
  • Use an encrypted internet connection.
  • Make sure the devices used for telehealth visits are password-protected, encrypted, and equipped with the latest security software.
  • Avoid recording visits unless necessary. If they are recorded, obtain patient consent in advance and store/transmit recordings securely.
  • Educate patients on privacy. Advise them to use a private space for telehealth visits and to maintain secure devices with strong passwords. Also, explain how to avoid phishing schemes: tell them not to provide personal information over the phone or by text message in response to requests not associated with your practice.

After the visit:

  • To ensure patient privacy, use secure communications, such as encrypted emailing and messages through the patient portal or telehealth platform.
  • Send post-visit surveys to request feedback from patients about their experience. Ask how comfortable they are with the processes to protect their data.
  • Collect insights from other clinical and support staff on their comfort with the telehealth platform and implementing the privacy and security policies and procedures.

More information

Securing telehealth remote patient monitoring ecosystem (PDF) — National Institute of Standards and Technology

Top 10 tips for cybersecurity in health care (PDF) — Office of the National Coordinator for Health Information Technology