9 Steps to Resolve Telemedicine Privacy Concerns

A patient entrusts their mental health and shares their everyday life experiences with their therapist. That’s why resolving any possible telemedicine privacy concerns is essential in a therapeutic relationship. Confidentiality forms the basis of successful communication and helps therapists better understand and guide their patients to improved mental health.

How can you ensure confidentiality as a therapist offering telemedicine services? Let’s explore what confidentiality is.

Patient confidentiality is the requirement that therapists preserve the privacy of their patients’ information unless disclosure is mandatory or the patient has given written consent to it.

Teletherapy isn’t an exception to this requirement. If any private patient information falls into the wrong hands, the repercussions can be severe.

Let's go over how to maintain confidentiality while working with patients online in order to avoid possible problems with privacy.

#1 Warn patients about any possible telemedicine privacy risks

The collection, storage, and sharing of private patient information is regulated by the HIPAA Security Rule, therapeutic ethics, and a code of conduct for counselors and therapists. It is important for you, as a therapist, to ensure that your patients are fully aware of the measures taken to keep their information confidential and do not have any privacy concerns as they use your services. This should include an explanation of the terms on which you provide therapy services, so the patient knows what rights they have before they book a teletherapy session with you. These rights often include:

  • therapist confidentiality and an explanation of its limitations (including how supervisors and/or treatment team professionals are involved)
  • the ability of authorized parties to obtain clear information about patient records

Make sure to let patients know that the confidentiality of their private information is your priority.

You can describe your workflow and explain to your patients that HIPAA rules apply not only to your communication with them but also to other types of interactions that might include the patient’s data, such as billing, questionnaires, pre-visit and post-visit surveys, and emails.

Additionally, as a therapist, you have to provide or receive the following documentation to or from your patient before you start providing services:

  • A HIPAA notice that meets the requirements for a Notice of Privacy Practices (NPP)
  • A telehealth consent form signed by your patient
  • Written authorization by your patient to exchange, obtain, and release information in accordance with the Privacy Rule

This approach will help alleviate telemedicine privacy concerns.

#2 Follow the HIPAA Privacy Rule

The HIPAA Privacy Rule sets requirements you must follow within the US to protect medical records and identifiable electronic protected health information (also referred to as ePHI). If ePHI security is breached, the penalties can be severe. The fines in the U.S. for HIPAA violations reached $5,982,150 last year, making HIPAA one of the biggest concerns for practicing clinicians. Let’s learn more about HIPAA requirements and check out what you can do to avoid any patient record leaks and which telehealth platforms are HIPAA-compliant.

What information has to be protected?

The Privacy Rule requires you to use proper safeguards to protect your patients’ health information. It also limits the use of private patient information and requires that software used for ePHI collection, storage, and sharing be secure, use multi-factor authentication, and allow physicians to make a copy of or delete any private records at a patient’s request.

[Image: Protected health information]

What features to look for in HIPAA-compliant software

Understanding the features you have to look for in HIPAA-compliant software is in no way less important than learning about kinds of protected health information. Let’s explore what functionalities a teletherapy platform should offer in order to be suitable for therapy sessions:

  • Access controls. This feature should provide you and your patients with options to access their private information at any time.
  • Session access handling. You and your patients need to be automatically logged out when the session expires to prevent any unrestricted third-party access to secure data.
  • Data and communication encryption. SSL encryption has become the gold standard of security because it prevents unauthorized access to personal data by encrypting the data that is transmitted.
  • Data management and backups. You should be able to delete or make changes to a patient's data at their request. Additionally, there should be a secure backup version of the patient's data.
  • Multi-factor authentication (2FA). You can require your patients to use an authentication app or mobile number as an additional measure of security when they access the teletherapy platform.
  • Regular updates. Over time, the danger of data breaches increases. To counteract attacks, the teletherapy application you choose should update its security measures on a regular basis.

#3 Keep patient records safe

The safety of patient records shouldn’t be taken for granted, even if you use HIPAA-compliant software and encrypted communication methods. Human error can play a significant role in security.

[Image: Data breach statistics]

Sometimes, therapists and patients don’t suspect that some of their actions make protected health records vulnerable to third-party access. Let’s learn what precautions should be taken in order to keep patients’ data safe.

Password changes

It is best to change your password at least every three months to reduce the chance that it is compromised. Additionally, choose passwords that contain at least eight characters, including uppercase and lowercase letters, digits, and special characters, to provide additional protection. Encourage your patients to do the same.

Internet connection security

Your patient's data is also more vulnerable to hacking if you use an insecure internet connection (e.g. public Wi-Fi or a connection that can be accessed by third parties). Capturing data as it is shared unencrypted over such a connection is one of the ways hackers steal it.

Personal information disclosure

You are not allowed to disclose any part of a patient’s protected health information to third parties without the patient’s consent. This includes disclosure to business partners who need access to protected health information to provide certain services. In order to provide such access, you will have to create a Business Associate Agreement (BAA) in accordance with the Health Insurance Portability and Accountability Act.

Using patient data in research

You are not allowed to use patient data in any kind of research without informing patients. If you want to do research that includes patient data, you have to inform patients beforehand so they can refuse to participate if they wish.

Archival records

One of the most important rules of therapy is to inform patients where their archived records are kept. This includes not only transcripts and health records but transaction information as well.

Keeping patient data secure is your responsibility. However, you should still encourage patients to take extra steps so that personal data does not leak because they neglected security rules. These extra steps might include:

  • checking if any unauthorized third parties have access to patients’ information or accounts (this includes family members)
  • using protected communication channels to disclose any personal information

#4 Properly organize and dispose of paper records

If you use any kind of paper notebooks to make patient notes, ensure all these notes are kept in one place and that no one has access to them. You should also destroy all notes immediately after you are finished with the notebook. The longer you keep them, the higher the chances of them falling into the wrong hands.

Alternatively, you can use telemedicine software that has note-taking functionality. With this software, you can easily access your notes when preparing for a video meeting and can easily make notes during teletherapy sessions to review your observations later.

[Image: Patient notes in ExpertBox]

Virtual note-taking is a much more convenient and secure way to keep track of your patients’ progress. It allows you to easily access your notes and patient data and connect every piece of information in one dashboard.

#5 Protect your computer and data storage

While teletherapy software helps you protect patient data using two-factor authentication, encryption, and automatic logout when your session expires, your computer might still be vulnerable to third-party access. To minimize the risk of physical access to your patients’ data, implement these precautions:

  • log out of your profile and turn off your laptop whenever you leave it
  • don’t let your laptop out of your sight in public places
  • use cloud storage rather than a hard drive to back up your data
  • scan your OS for viruses to ensure you don’t have any malware installed
  • regularly update your software

Though these safeguards might seem to be common knowledge, sometimes they are overlooked, and occasional data breaches occur as a result. Naturally, as the person responsible for your patients’ data security, you will want to reduce the risk of a data leak, even if the safeguards seem trivial.

#6 Stick to the code of ethics for therapists

Teletherapy and in-person therapy specialists use a similar code of ethics, so if you have been working with patients for some time, most likely you are already aware of the ethical norms and rules in the therapy field. However, there are still some ethical rules you must keep in mind. The American Psychological Association has discussed them. Let’s check them out.

Limits to therapist confidentiality

While preserving confidentiality is mandatory in teletherapy and may seem like a given, you still have to educate your patients about the ways their information is stored and used. This includes your records and notes monitoring their progress.

Permission to record

Teletherapy platforms allow you to record video sessions. However, you are not allowed to do so without your patient’s consent. Inform your patient if you plan to record anything and explain how these materials will be used to help the patient understand why you need them.

Consent to information disclosure

You can’t share any patient information with your colleague unless you obtain your patient’s consent to such information disclosure. There are no exceptions to this rule, even if it would be beneficial for your patient.

Ethics violations

Sometimes, you might suspect that another specialist has committed an ethics violation. If this happens, you need to try to resolve the situation by informing your colleague of your concerns while still ensuring that your actions don’t violate patient confidentiality.

#7 Always be aware of your surroundings

Public places are known for being disastrous to therapist confidentiality. If you want your patients’ data to be secure, ensure you aren’t using a public place for communication and that your patients are not communicating with you from a public place where they can be overheard. Don’t hesitate to ask your patients to close their door or change their location to ensure they have enough privacy for your session and won’t be overheard or distracted.

#8 Choose your words carefully

Your patients trust you with their personal experiences, and some of them might be traumatizing. Don’t react too impulsively, and don’t allow yourself to express shock. You don’t want your patients to know your personal reaction. Instead, try to express neutrality while ensuring their information will be kept confidential at all times.

#9 Learn your duties and responsibilities

In some rare cases, it is your duty to disclose confidential information. Third-party interference is called for if patients pose an imminent danger to other people or to themselves.

There are exceptions to the confidentiality rules that give you the right to disclose information in order to prevent severe harm to or by your patient. Such exceptional circumstances are:

  • cases related to the abuse of children or elderly people
  • high risk of suicidal behavior or speculation on the topic
  • concern that anyone is at risk of committing homicide
  • the need to testify or to provide notes for the court

All these cases are considered exceptions to therapist confidentiality because failing to alert anyone of the possible danger might cause a lot more harm than personal information disclosure.

Final thoughts

Although everyone seems to know about the importance of resolving telemedicine privacy concerns, data breaches still happen. Make sure you do everything in your power to preserve therapist confidentiality, and you will earn your patients' trust.


  • As a therapist, you have to take care of the following documentation before you start providing services:

    • Send a HIPAA notice that meets the requirements for a Notice of Privacy Practices (NPP)
    • Obtain a telehealth consent form signed by your patient
    • Get written authorization from your patient to exchange, obtain, and release information in accordance with the Privacy Rule
  • Check out the nine steps you can take to help protect your patients’ privacy:

    1. inform patients of their right to privacy and confidentiality
    2. follow the HIPAA Privacy Rule
    3. keep patient records safe
    4. implement paperless notes
    5. protect your hardware
    6. stick to the code of ethics for therapists
    7. check your surroundings for liabilities
    8. choose your words carefully
    9. learn your duties and responsibilities
  • To protect your patients’ data, follow these simple steps:

    1. regularly change passwords
    2. ensure internet connection security
    3. be careful with archival records
    4. obtain patient consent if you need to share patient data
    5. do not disclose patient data to third parties
  • You can break confidentiality only in cases when keeping information private might cause severe harm. Such cases may involve:

    • abuse of children or elderly people
    • high risk of suicidal behavior or speculation on the topic
    • concern that anyone is at risk of committing homicide
    • the need to testify or to provide notes for the court