The Protection of ePHI in the Face of Telehealth and COVID-19

What is Telehealth?

The Health Resources Services Administration (HRSA) defines telehealth as, “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health, and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.”

In today’s healthcare landscape, telehealth technologies help bridge the gap between patients and providers, ensuring patients can continue to receive the highest level of care even when they’re unable to physically visit a physician.

How Has COVID-19 Changed Telehealth?

The COVID-19 pandemic has disrupted the traditional means by which patients seek treatment (in person) and has accelerated the need for hospitals and clinics to adopt telehealth technologies. As organizations adopt these new technologies, precautions and appropriate safeguards should be taken to ensure that ePHI stays secure.
Healthcare organizations can proactively take steps to secure and protect PHI by being aware of the risks involved and knowing how to prevent security violations. Providers looking to use telehealth technologies securely should consider platforms that encrypt data both in transit and at rest, that run over a private (authenticated, non-public) connection rather than a public broadcast, and that do not record or store video sessions.

Staying Safe and Cyber-Secure Through Telehealth

In addition to the list above, the following security precautions should be taken to prevent the misuse of telehealth:

Using a secure platform

To help “empower medical providers to serve patients wherever they are during this national public health emergency”, the Department of Health and Human Services (HHS) issued guidance and a notification of enforcement discretion so that organizations could quickly implement tools to provide routine care for patients with chronic diseases and high risk factors.

Telehealth must be operated on a secure platform. Not every consumer communication product is appropriate for telehealth: the HHS Office for Civil Rights (OCR) distinguishes between ‘non-public facing’ products (a call or session reachable only by the invited parties) and ‘public facing’ ones (anyone can watch or join). The list below includes some non-public facing communication platforms whose vendors represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement (BAA):

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

*OCR has not reviewed the BAAs offered by these vendors, and the list does not constitute an endorsement or recommendation of the technology.

Recognizing that hospitals need to adapt quickly to remote options for healthcare, OCR announced that it will not impose penalties for non-compliance with the requirements of the HIPAA Rules against covered health care providers in connection with the good-faith provision of telehealth during the COVID-19 public health emergency. This means that, for the duration of the public health emergency, telehealth may also be provided through non-public facing consumer products such as the following, even where the vendor will not sign a BAA:

  • Apple FaceTime
  • Facebook Messenger video chat
  • Google Hangouts video
  • Skype

Platforms that are ‘public facing’ (the session can be seen or joined by the public) lack the privacy safeguards telehealth requires and are not covered by the enforcement discretion. Platforms regarded as inappropriate include, but are not limited to:

  • Facebook Live
  • Twitch
  • TikTok
  • Public chat rooms

Secure Endpoints

Endpoints such as laptops, phones, and tablets give healthcare providers the flexibility to perform telehealth visits from various locations; however, they also significantly increase the risk of breaches and inadvertent PHI disclosures, since a lost device, a shared family computer, or a visit conducted within earshot of others can expose ePHI regardless of how secure the platform is. It is vital to control what data can be accessed from each device and to consider the security of the locations the devices are used from. Endpoints in use should have full-device encryption, multi-factor authentication for the telehealth application and the provider’s accounts, automatic screen locking, and current patches. Providers are encouraged to notify patients about privacy risks and should enable all available encryption and privacy modes when using such applications.

Business Associate Agreements

A Business Associate Agreement (BAA) is one of the most important protections for your practice or organization. HIPAA requires a BAA whenever a vendor creates, receives, maintains, or transmits PHI on your behalf, and a telehealth platform vendor is such a business associate. The BAA sets out the vendor’s obligations to safeguard PHI, to report breaches to you, and to bind its own subcontractors to the same terms, and it makes the vendor directly accountable under the HIPAA Rules. A BAA does not by itself secure anything, so it should be paired with the platform and endpoint controls above; what it does is define responsibility in the event of a breach and give you a contractual basis for demanding a high level of security and privacy from the vendor.

How to Achieve Full Compliance

The security controls, policies, procedures, and enforcement required to adhere to HIPAA regulations while correctly implementing a telehealth solution can seem complex. That’s why at Intraprise Health we’ve chosen to simplify these procedures and make complete compliance easily attainable. Intraprise Health offers various training courses that address the proper use of information and how to prevent its theft. Our HIPAA workforce training includes details on the safety measures providers are recommended to apply. Disregarding HIPAA compliance may result in hefty fines following a PHI breach. HIPAA One® is here to help so you can achieve compliance and handle audits with us.

Taking all these precautions will allow practitioners to stay safe while maintaining PHI security. For more information view our recorded webinars page.