A recent survey uncovered security gaps in over a third of telehealth appointments by mental health providers. The survey, conducted by Propeller Insights on behalf of DrFirst, asked more than 1,000 mental health patients whether they used telehealth services for their sessions and, for those who did, whether those sessions met HIPAA standards. The survey findings, as well as telehealth security, are discussed in detail below.

What Did the Survey Find?

The survey found that the security of many telehealth sessions fell short of HIPAA security requirements, with 35% of participants reporting that their sessions were not secure. Even when sessions were secure, participants remained overwhelmingly concerned about the security of their sessions, with 92% raising concerns.

The participants were concerned for a variety of reasons:

  • 43% were worried about their protected health information being compromised
  • 35% were concerned about their session being hacked
  • 14% were worried that their session would be connected to someone other than their healthcare provider

While the majority of survey participants reported using telehealth services for mental health during the pandemic (75%), a quarter of those surveyed did not utilize telehealth during the pandemic. Their reasons were:

  • 46% claimed personal preference
  • 30% stated that their provider did not offer telehealth
  • 30% did not have appropriate connectivity or devices
  • 14% were concerned about being hacked

Of those participants who had utilized telehealth services in the past, 84% reported that they would likely use telehealth going forward.

How to Improve Telehealth Security

“Telehealth has proven its value to patients and providers alike, which is why it’s critical to stress the need to use secure platforms, so patients’ health information remains protected,” said Colin Banas, M.D., MSHA, chief medical officer for DrFirst. Using HIPAA compliant video conferencing software is one of the most crucial components of telehealth security. HIPAA compliant software solutions sign business associate agreements with their healthcare clients and implement safeguards to ensure the confidentiality, integrity, and availability of PHI filtered through the platform.

Business Associate Agreements

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) released guidance on offering telehealth sessions securely. “Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.”

The list below includes some HIPAA compliant video communication products that will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

Other Security Considerations

HIPAA compliant video conferencing tools implement safeguards such as encryption, user authentication, access controls, and audit logs to keep PHI private and confidential. What many people overlook with teleconferencing tools is that users are generally given a permanent link for their account, allowing anyone with the link to access a session. HIPAA compliant tools, however, allow administrators to configure the platform so that organizers must admit participants manually. When participants are allowed to enter a session without being admitted by the organizer, patients can inadvertently be given access to another patient’s session.

Although the OCR temporarily eased telehealth restrictions to improve access to healthcare during the COVID-19 public health emergency, using HIPAA compliant teleconferencing software lessens the likelihood of breaches. “Healthcare providers should take every possible step to protect patients’ sensitive information. Providers who are still using technology that doesn’t meet HIPAA requirements owe it to their patients to switch to a secure platform as a long-term solution,” stated Banas.
