ATA Releases Data Privacy Principles for Telehealth Practices

The American Telemedicine Association's principles emphasize consistency in data privacy policies and the importance of consumer rights and consent.

Amid rising concerns about data privacy within the telehealth arena, the American Telemedicine Association (ATA) released a set of principles to ensure patient data is protected during telehealth utilization.

The ATA's Health Data Privacy Principles include six components: consistency, the definition of consumer health data, the Health Insurance Portability and Accountability Act (HIPAA), consumer rights, consumer consent, sale of data and opt-out, and enforcement.

The ATA states that a federal policy would offer much-needed consistency in data privacy practices for telehealth providers nationwide. But in the absence of such a policy, there need to be efforts to establish uniformity with existing federal and state privacy laws and standards to reduce compliance challenges and confusion.

In addition, state laws should define consumer health data and other common terms for protected health information using language similar to HIPAA and exempt HIPAA-covered entities and their business associates from state privacy laws that differ from HIPAA standards.

"HIPAA is a proven, decades-old data privacy framework," the ATA states. "Requiring HIPAA-covered entities to adhere to additional layers of state privacy laws would negatively impact their ability to deliver services, increase compliance costs, and stymie innovation."

The ATA also emphasized the importance of consumer rights and consent. The association noted that consumers should have "a right to notice, a right to access, a right to correct, a right to portability, a right to delete" their data as long as the rights are consistent with other medical record retention laws and include legal exceptions.

Further, the ATA stated that consumers should be provided with clear disclosures on the patient data that is collected, how it will be used, and how to opt out of processing.

Finally, state attorneys general should be empowered to act when privacy laws are violated, the ATA stated. But the association also noted that data privacy policies should not allow for private rights of action, as they can result in frivolous lawsuits and out-of-court settlements.

"As states adopt privacy statutes and regulations, establishing uniformity with existing federal and other state standards would reduce both complexity of compliance and confusion for consumers and companies alike. Privacy laws should allow for innovation and the advancement of technology-assisted care," said Kyle Zebley, senior vice president of public policy at the ATA, in the press release. "The ATA supports efforts to ensure telehealth practices meet standards for patient safety, data privacy, and information security, while advancing patient access and building awareness of telehealth practices."

Concerns around data security on telehealth platforms have been steadily increasing.

In March, telehealth company Cerebral reported a healthcare data breach impacting more than 3.1 million individuals. The breach was related to the company's use of tracking pixels.

This report came just one month after Senators Amy Klobuchar (D-MN), Susan Collins (R-ME), Maria Cantwell (D-WA), and Cynthia Lummis (R-WY) sent letters to three telehealth companies, including Cerebral, detailing concerns over the companies' health data privacy practices. In the letter to Cerebral, the senators noted that the company's website claims that information entered on intake forms "is confidential and secure," but "this information is reportedly sent to advertising platforms, along with the information needed to identify users."

Amid the growing focus on data privacy in telehealth this year, the public health emergency (PHE) declaration ended, eliminating the Notifications of Enforcement Discretion issued under HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the pandemic.

The HHS Office for Civil Rights (OCR) issued four notifications that loosened HIPAA compliance obligations, including allowing telehealth providers to use non-public-facing communication technologies like Zoom and Skype.