Security and Privacy in Telehealth

If you decide that telehealth is a good option in a particular circumstance, how do you ensure security and patient privacy?

Modern technology is a chance to improve patient privacy

There has always been a risk that information communicated by phone, fax or regular post might be seen or intercepted by unintended recipients. With new technologies, we should embrace the opportunities for enhanced information security. Greater security is essential because electronic communication can very easily be seen by a large audience when it “goes wrong”. Stored data can be violated over a long period of time, compared to data that is only transmitted once, such as a telephone call.

General telehealth security points

• Be familiar and comply with privacy and confidentiality of health information requirements (state and federal).
• It is each doctor’s responsibility to ensure that telehealth delivery systems are adequate – get assurances from your vendor.
• Good information technology (IT) support is essential. Standard IT providers are not necessarily security experts. Use reputable companies and follow peer recommendation. Ensure your IT support providers are aware of, and act in accordance with, relevant medical practice guidelines and standards. Bennett et al (2010) lists potentially useful questions to ask and matters to discuss with those responsible for your IT security regarding telehealth services.¹
• Employ clinical software that uses a secure clinical messaging system.²

Video consult security

“The general privacy requirements for video consultations relating to confidentiality, patient consent and security of patient information and medical records, are the same as for face-to-face consultations… Video consultations should be conducted using secure infrastructure or encryption. If the possibility of a third party interception exists, the patient should be told and asked for their consent to proceed.”³

• Transmitting audio and visual information separately increases security,⁴ e.g. mute the sound over a video link and speak over a phone.
• Ensure physical privacy of the patient so that others cannot overhear or walk in.
• Skype™ has not been deemed “unsuitable” for telehealth consultations,⁵ but may be inappropriate due to privacy, confidentiality and quality issues.

Email security

If clinical messaging systems cannot be used and you must use email, remember that identifiable health information should not generally be sent by email – particularly unencrypted transmission. What doctors need to look at is encryption of the server to server transmission.⁶ Talk to your IT support staff about server to server email encryption.

When email encryption is not practicable, weigh up whether the benefits warrant the risk of electronically transmitting confidential information. Consider password protecting or encrypting attachments if you cannot encrypt the email itself, e.g. portable document format (PDF) files can be encrypted.

Always check use of the “BCC” field when sending information to multiple recipients and confirm the email address the patient wishes to use for information about their health care.

Tips for texting

• Do not communicate specific health information in text messages. Text messaging is essentially the same as leaving messages on an answering machine in that many people may readily access the information.
• It is fine to send a text message appointment reminder just identifying the doctor’s name and the date and time of the appointment, but do not say what the appointment is for.
• You must first ensure that the patient consents to their contact details being used this way – include this on the patient registration form and have systems to regularly check that patient contact details remain current.

Equipment pointers

• Have offsite information backup that is not physically connected to the main system.
• Use firewalls and current anti-virus and anti-malware software.
• Introduce policies for staff about the appropriate use of internet and email. “Use of external applications, software, websites and programs that can transmit information outside the practice poses a considerable security risk”. Have your technical service provider block specific sites and applications.²
• Position monitors to maintain information confidentiality.
• Manage the security of all portable devices.
• Have a security risk assessment.

Privacy laws in relation to telehealth

• Doctors must take reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure.
• Patients must be advised of, and consent to, how their personal details will be collected, stored and used.
• Australian privacy laws also apply to information sent overseas.
• Specific consent to overseas (cross border) transfer of information needs to be obtained from patients. Prior to giving consent, patients must be advised of the following:
  – where the information is being sent, i.e. which countries
  – the privacy protection laws in that country and how patients may complain about a breach of their privacy
  – that by consenting to the cross border transfer, patients may not have any recourse under Australian privacy law.
• The Australian Privacy Principles (APPs) come into effect on 12 March 2014. Notably, in relation to telehealth, the APPs introduce additional responsibility and consequent potential liability associated with disclosing information overseas if the international recipient violates privacy.
• See the “Privacy Law Reforms” article by Allyson Alker in this issue of the Defence Update for more information about changes associated with the APPs.

Embrace telehealth but ensure patient care and privacy are never compromised.

Nicole Harvey, MDA National Education Services

1. Bennett K, Bennet A, Griffiths K. Security Considerations for E-Mental Health Interventions. J Med Internet Res 2010;12:e61. Available at: jmir.org/2010/5/e61/.
2. The Royal Australian College of General Practitioners. Computer and Information Security Standards. For General Practices and Other Office-based Practices. East Melbourne: The RACGP; 2013. Available at: racgp.org.au/download/Documents/Standards/2013ciss.pdf.
3. Medicare Australia. Telehealth Frequently Asked Questions. Health Professional and Residential Aged Care Facilities. Canberra: Australian Government and Perth Central & East Metro Medicare Local. Available at: pcemml.org.au/wp-content/uploads/Telehealth-FAQ-Health-Professionals-and-Residential-Aged-Care-Services.pdf.
4. Wade V, Eliott J, Hiller J. A Qualitative Study of Ethical, Medico-legal and Clinical Governance Matters in Australian Telehealth Services. J Telemed Telecare 2012;18:109–14.
5. The Royal Australian College of General Practitioners. Implementation Guidelines for Video Consultations in General Practices. East Melbourne: The RACGP; 2012. Available at: racgp.org.au/download/Documents/Telehealth/telehealth_implementation_guidelinesv6.pdf.
6. Williams P. Personal communication from the leader of the Edith Cowan University eHealth Research Group, 2013.