Telemedicine and telehealth are becoming increasingly important methods of addressing society’s healthcare needs. Their wide acceptance has been spurred on by the arrival of the COVID-19 pandemic and the social distancing measures required to limit the spread of the disease.
In many cases, using a telehealth solution was the only way to safely obtain a healthcare consultation as the virus raged across the world.
The use of telehealth solutions will continue to gain acceptance in the healthcare industry long after COVID-19 is brought under control around the world.
The benefits for healthcare providers and patients are too great to ignore, and over time, society will make more extensive use of telehealth solutions. However, maintaining the privacy and security of sensitive patient data will be an ongoing challenge for healthcare providers.
Telehealth Benefits for Patients and Providers
Telemedicine and telehealth solutions are here to stay due to the benefits they promise to provide. Some of the key advantages of telemedicine for patients and providers include:
- Extending the reach of healthcare providers to rural areas;
- Enhancing access to distantly located specialists;
- Lowering the costs of telemedicine visits compared with in-person consultations;
- Improving access to healthcare resources for patients in communities underserved by traditional methods;
- Reducing exposure to and the transmission of infectious diseases by eliminating in-person contact and avoiding crowded waiting rooms;
- Saving time and money by minimizing travel for doctors and patients;
- Delivering services like physical therapy at home.
These significant benefits guarantee that the use of telemedicine solutions will continue to grow and become an essential component of our healthcare system. However, the key for the developers and manufacturers of telehealth products and services will be to keep sensitive personal health information confidential and secure.
How HIPAA Impacts Telemedicine Solutions
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law requiring the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.
Healthcare providers are considered covered entities under HIPAA and, along with the business partners who help them handle patient data, need to comply with the regulations.
Two main rules govern HIPAA compliance. The Privacy Rule pertains to ensuring the privacy of protected health information (PHI) in any form. The HIPAA Security Rule applies to patient data stored and transferred electronically. Telemedicine solutions need to satisfy both rules to be considered HIPAA compliant.
- The HIPAA Privacy Rule establishes standards to protect patients’ medical records and personal health information. It requires safeguards to be put in place to maintain the privacy of personal health information. The rule also sets the conditions under which this information can be used without patient authorization. In addition, patients are granted rights over their health information, including the right to obtain a copy of their health records. Finally, the rule defines the covered entities and business associates responsible for complying with HIPAA guidelines.
- The HIPAA Security Rule focuses on the electronic personal health information created, received, used, or maintained by a covered entity. It does not cover PHI transmitted orally or in writing. The rule specifies administrative, physical, and technical safeguards designed to protect the security and confidentiality of electronic protected health information (ePHI). These safeguards include ensuring the confidentiality, integrity, and availability of ePHI. They also mandate the protection of ePHI and require the workforce to be trained in its proper handling.
Telemedicine solutions need to comply with these two rules. Failure to maintain compliance can result in substantial fines and, more importantly, a data breach that puts sensitive patient data at risk. Therefore, to protect both providers and patients, telehealth products and services must be HIPAA compliant and take the necessary measures to protect PHI and ePHI.
Ensuring HIPAA Compliance for Telehealth Solutions
Telemedicine products and applications pose additional security challenges to maintaining HIPAA compliance when compared to traditional healthcare. The mobile nature of the devices used to provide healthcare introduces new attack vectors that can lead to security gaps and data breaches.
One factor that needs to be considered is that to cope with the pandemic, certain HIPAA standards were relaxed. This allowed commercial products like Skype and FaceTime to be used for doctor-patient communication. As the dangers of the pandemic recede, the rules will revert to their original form.
This means that providers currently using a healthcare solution need to verify that it will conform to the full slate of HIPAA standards. In addition, healthcare providers looking to institute a telemedicine application also need to be aware that products currently in use may not be viable after the government reinstitutes the original HIPAA standards regarding ePHI.
HIPAA does not currently contain any telehealth-specific guidelines. Therefore, telemedicine solutions are held to the same HIPAA requirements as the technology employed during in-person consultations.
Steps for Telehealth Providers to Maintain HIPAA Compliance
The healthcare provider’s responsibility is to ensure they are using HIPAA-compliant technology when offering patients a telehealth solution. The following measures need to be taken to verify the compliance of their telemedicine product.
Performing Risk Assessments
HIPAA requirements include the need for risk assessments that:
- Identify where ePHI is stored, transmitted, or processed;
- Identify potential vulnerabilities that could lead to ePHI data breaches;
- Assess and document threats and security measures in place;
- Assign risk levels associated with the discovered threats and vulnerabilities.
Obtaining Business Associate Agreements
When engaging a third-party telemedicine solution that stores ePHI, the healthcare facility or doctor’s office needs to enter into a formal Business Associate Agreement with the provider. This agreement documents:
- The type of ePHI that the third-party vendor can access;
- How this information can be used;
- How the vendor will protect the privacy and security of ePHI;
- The actions that will be taken to address a security breach, including patient notification.
A reliable vendor will be willing to sign such an agreement. However, reluctance on the part of a third-party vendor, such as a HIPAA-compliant cloud solution provider, to enter into an agreement should be concerning and indicates a lack of confidence in their ability to protect your ePHI.
Implementing Technical Safeguards
The technical safeguards designed to protect ePHI must be verified from the perspectives of the covered entity and its business associates. The healthcare provider or facility needs to:
- Ensure only authorized users access ePHI;
- Confirm the identity of individuals requesting access;
- Use encrypted and secure communication channels;
- Monitor communication containing ePHI to ensure its privacy and security.
Business associates and vendors have responsibilities that include:
- Creating and documenting a viable disaster recovery plan;
- Documenting the internal audit procedures that will be carried out to ensure ePHI is handled appropriately;
- Protecting against unauthorized physical access to ePHI resources;
- Implementing a HIPAA compliance training program for employees.
Following the steps outlined above is essential for healthcare providers offering telehealth solutions to their patients. A combination of diligence on the provider’s part and reliable business associate agreements will enable any healthcare facility to use telemedicine to address its patients’ needs while protecting their sensitive information.