Skip to Content

Privacy & Data

Privacy and Security Considerations of Telehealth

/ Joseph Lorenzo Hall

Telehealth – using telecommunication technologies to prevent illness and promote health – has incredible potential benefits. Telehealth can help reach underserved or remote populations, and it can also help reduce costs in general, while providing more real-time interaction between medical providers and patients. The benefits – and effectiveness – are becoming increasingly clear, however the full potential of telehealth cannot be realized unless privacy and security risks are addressed upfront.

While patients and health care provides are growing more comfortable with sharing medical information online and via mobile apps, the risks for privacy breaches and violations are real and growing. In a paper published this month in the journal Health Affairs that I authored with my colleague Deven McGraw, we address the privacy and security concerns that arise with telehealth, and propose a federal framework that would address such concerns. I want to stress that we really think telehealth can be an incredible tool for improving health care around the world.

The Health Affairs article is available for you all to read here, but hurry, the unlimited access link will only be live for 30 days.

The primary privacy risks of telehealth are centered on the lack of controls or limits on the collection, as well as the use and disclosure of sensitive personal information. One such example is sensors that could be connected in the home or to a person that may inadvertently reveal sensitive information about activities in the home, including information not about the actual patient or about non-medical but sensitive situations.

Given the amount of data telehealth creates, and anticipated telehealth business models (e.g., monetization of data by third-parties), the privacy and security risks and potential for data breach necessarily increase.

Many of these privacy and security risks are unfortunately compounded by the lack of a clear regulatory structure for telehealth. While HIPAA and HITECH cover certain aspects, there are troubling gaps in the laws.. Additionally, the Food and Drug Administration (FDA) and Federal Trade Commission (FTC) have rules that often apply to the security of medical devices and services, but generally they don’t explicitly address the wider realm of consumer-facing telehealth.

For telehealth to realize its full potential there is a clear need to develop a national privacy and security framework. We believe the FTC, with its jurisdiction over deceptive and unfair practices and growing experience with the technical aspects of consumer technologies, is best positioned to develop a framework that balances privacy and security with practicality. Ultimately Congress will need to authorize the FTC to play this role.

There is clear promise for telehealth, and as our technical capability continues to grow, especially in the mobile realm, we expect to see even further innovation. Factoring privacy and security risks into the development of any telehealth device or practice in the early stages, with clear guidelines from the federal government, will help create a workable system that encourages adoption and increases usage.

Again, be sure to read our article free of charge (general access to Health Affairs requires a subscription) before the end of the month.

Related Reading

White document on black background.

CDT Files Comments with DOJ in Response to Advance Notice of Proposed Rulemaking on Bulk Sale of Data
White document on black background.

CDT’s Matt Scherer Testifies Before Connecticut Senate’s General Law Committee on Senate Bill 2, An Act Concerning Artificial Intelligence
Samir Jain Testimony for House Committee. White document on black background.

CDT VP of Policy Samir Jain Testimony Before U.S. House Energy & Commerce Committee on “Legislative Solutions to Protect Kids Online and Ensure Americans’ Data Privacy Rights”