Telehealth Security Concerns Surrounding Mental Healthcare Persist

Over a third of surveyed mental healthcare patients said that they have had a telehealth appointment that did not meet HIPAA standards.

Telehealth enabled quality patient care during the height of the pandemic, but mental healthcare patients remain wary of security concerns, according to a survey conducted by Propeller Insights on behalf of DrFirst.

Over 1,000 individuals who had received mental healthcare in the past year participated in the survey. Over two-thirds of respondents said that their mental health provider offered telehealth options during the pandemic, and an overwhelming majority of respondents utilized telehealth during the pandemic.

Of the respondents who did not use telehealth, 14 percent said that they chose not to because they were concerned about their meeting getting hacked. Over 40 percent of total respondents said that they were worried that their personal information would be compromised.

In addition, 35 percent of respondents said that they have had a telehealth appointment that did not meet HIPAA requirements for the security of protected health information (PHI).

When asked how they felt about having a telehealth appointment that did not meet HIPAA requirements, over 30 percent of respondents reported being concerned about the meeting being hacked. Additionally, 15 percent of respondents said that they were worried that they would be connected to someone who was not a healthcare professional.

It is important to note that HHS’s Office for Civil Rights (OCR) issued guidance during the pandemic that allowed providers to deliver care via telehealth through technology that was not HIPAA-compliant. The good faith provision of telehealth gave providers flexibility and allowed them to deliver patient care without being penalized.

“Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” OCR said. 

“Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.”

California Governor Gavin Newsom recently extended the telehealth HIPAA penalty exemption until the end of the public health emergency. The order was originally set to expire on September 30 in California.

HHS’s Office of Inspector General (OIG) recently released a report citing a variety of challenges associated with using telehealth to provide behavioral health services to Medicaid enrollees. Surveyed states reported challenges with telehealth infrastructure and interoperability issues, limited internet connectivity, and lack of provider and enrollee training.

In addition, 27 of the 37 surveyed states reported issues with protecting privacy and security of personal information.

“These challenges may stem from the types of technology and methods of transmission used by providers and enrollees,” the study explained.

“For example, certain methods of telehealth, such as store-and-forward or text-only, can be transmitted via unencrypted devices or as unencrypted messages and thus could potentially be accessed by third parties. In addition, one State points out that protecting patient confidentiality is a particular concern for behavioral health services, especially when it comes to sharing sensitive health information, such as substance use.”

OIG recommended that CMS coordinate with OCR to ensure that providers are aware of HIPAA privacy and security standards and how they apply to telehealth.
