Privacy Matters Part 2 – Privacy and security in telehealth

Ensuring privacy of patient data is a cornerstone of delivering a safe and effective health service.

Health professionals routinely handle sensitive health information about their patients and clients and the collection, storage and disclosure of this information is something that needs to be done carefully.

In Australia, health service providers who work in the private sector have professional and legal obligations to protect their patients’ health information. While those professionals who also operate a telehealth service, have additional privacy issues to consider.

In Part 2 of our Privacy Matters series, we take a closer look at embedding good privacy habits in your telehealth service. Read Privacy Matters Part 1.

Moving from traditional patient-and-provider, in-person consultations, to the online world of telehealth video conferencing and digital health records, enhances quality of care and health service efficiencies. However, because every time patient data is transmitted electronically, there is the potential of a privacy breach, it can also increase privacy and security requirements.

As we discussed in Part 1, all private health services, which includes telehealth services, are covered by the Privacy Act 1988. However, here are some specific privacy and security protocols you may like to consider in your telehealth practice.

Establish good telehealth privacy habits

• As a health service provider, make sure you are familiar with your privacy obligations, as outlined in the Privacy Act 1988.
• Ensure your teleconferencing room/space provides visual and audio privacy.
• Rather than using traditional video conference platforms such as Teams and Zoom, choose technology that is designed specifically for clinical telehealth settings, for example Visionflex telehealth technology. This way, you will know your software and hardware meets required security standards including end-to-end encryption and secure messaging systems. If you are considering a web conferencing solution, take time to review guidelines from the Australian Cyber Security Centre.
• If patient information is going to be sent overseas, specific patient consent is required, and the patient must be advised. Australian privacy laws also apply to information sent overseas. Where possible, look for a solution that stores data in Australia. If data is stored overseas, consider the risk. Read more about cross-border disclosure of personal information.
• Establish excellent IT support that is familiar with medical practice guidelines.
• Do not email patient data unless via server-to-server email encryption. Your IT support staff can assist with this.
• Ensure your IT systems are up to date, and regularly backed up. Do the same with firewalls, anti-virus/anti-malware software. Consider using a password manager to secure passwords and PINs.
• Establish a system to track and monitor portable devices used by practice staff to reduce the risk of loss and/or theft.

Privacy checklist for telehealth

The Australian Department of Health has created a simple and practical checklist to help telehealth providers comply with privacy obligations.

Some of the main points to consider include:

Patient consent & privacy:

• Before booking an appointment, obtain the patient’s consent to receive a telehealth service.
• Confirm the patient’s contact details.
• Where appropriate, draw the patient’s attention to your practice privacy policy.

Security:

• Select a telecommunications service that is secure and complies with privacy laws.
• Do you need additional IT access or physical security measures if you are going to be working remotely?
• Have a data breach action plan in place.
• Deliver services from a private and secure physical space.

Conducting a consultation:

• Verify the patient’s identity and the identity of anyone else in attendance, at the start of the consultation. Confirm ongoing consent.
• Collect only the information you need to deliver the service.
• Plan how you will manage any new kinds of information eg a patient’s emails and photos.
• Ensure you keep accurate and complete records, including when you sent records by email, text or fax. Your records should be at the same standard as for a face-to-face consultation.

Sending patient information:

• Obtain patient consent to send a prescription to a pharmacy of their choice, or make a diagnostic image request of specialist referral.
• Confirm contact details before sending information to a patient or a third party.
• Use secure means to send information eg one that offers end-to-end encryption.
• When sending records electronically, mark as confidential. Include a message asking recipients who believe the information was sent to them by mistake, to delete and advise the sender.

Click below to read the Department of Health’s full Privacy Checklist for Telehealth Services.

Europe and the United States of America – telehealth privacy regulations

It is vital that healthcare and allied health professionals provide a telehealth service that complies with local, and if relevant, international data privacy and security regulations.

Two of the most well-known privacy regulations are the European Union’s General Data Protection Regulation (GDPR) and the United States’ Health Insurance Portability and Accountability Act (HIPAA).

The key difference between GDPR and HIPAA is the focus: GDPR focuses on protecting all of an EU citizens’ personally identifiable information (PII), regardless of whether they are living in the EU or not. Therefore, any organisation that operates in a health setting and handles an EU patient’s information can be subject to GDPR regulations.

Who must comply with GDPR regulations? Any entity that has a base of operations in the EU; offers goods or services to people in the EU; or monitors the behaviour of people who are in the EU, whether the entity is established in the EU or not.

In contrast, HIPAA is focused on organisations that handle protected health information (PHI) within the United States.

Who must comply with HIPAA regulations? All “covered entities”; this includes:

• Health plans – including health insurance companies, health maintenance organisations (HMOs), company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
• Most healthcare providers – those that conduct certain business electronically, such as electronically billing your health insurance – including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
• Healthcare clearinghouses – entities that process non-standard health information they receive from another entity into a standard (ie standard electronic format or data content), or vice versa.

HIPAA also applies to many business associates and subcontractors of covered entities.

Find out more information about GDPR and HIPAA.