During the coronavirus pandemic, many visits to the doctor’s office have been replaced with telehealth. Patients can confer with their physicians online from the safety of their homes. Symptoms and proper medication dosage can be discussed; doctors can even monitor patients’ conditions and provide counseling.
Telehealth isn’t new. Between 2018 and 2019, online searches for telehealth rose an estimated 25%. A survey conducted in March 2020, during the height of the pandemic, indicated that 41% of healthcare providers in the U.S. were using a type of telehealth technology.
As convenient and “safe” as telehealth is for providers, nurses, and patients there are also concerns about privacy and security. During the pandemic, the Secretary of Health and Human Services (HHS) has the authority to waive penalties and sanctions for certain HIPAA violations but when the national emergency is over, healthcare organizations will need to be in compliance with all standards.
3 Steps to Regaining HIPAA Compliance
Even during a pandemic, protected health information (PHI) still must be kept secure. Fines and penalties may be relaxed short term, but it is still important to protect patients’ private data. A pandemic does not mean that hackers are taking a break. They are constantly searching for vulnerable points in systems.
Now that government officials are discussing steps everyone needs to take to get “back to normal”, it’s time for healthcare organizations to regain technology that is HIPAA compliant. Here are three steps that can help you meet compliance regulations.
1) Protect patient data
Some healthcare organizations may have implemented telehealth technology in the last few weeks. Some did not take time to vet technologies and may be using platforms like Facebook or Messenger for video conferencing. The problem with this is that the information transmitted will not be encrypted. This is a direct violation of HIPAA standards.
Now that the virus is slowing down, healthcare organizations must vet all technologies they use. This includes everything from cloud-based storage to telehealth platforms. The type of encryption used must be documented, along with all cybersecurity measures.
During the pandemic, and before, using personal devices for work grew in popularity. While it’s definitely convenient, it also poses a potential security risk. All employees that bring their devices to work must have a virtual private network (VPN) installed on their devices so data is encrypted as it’s transmitted from the device to the system.
2) Monitor for, respond to, and report breaches
Regulations regarding monitoring cybersecurity protocols relaxed a little during the pandemic but things are going back to normal. This means you must start monitoring your cybersecurity protocols and documenting any changes that are made – with an enhanced eye for detail.
Even if you’re in a “hot spot” or the “epicenter,” any and all security breaches were still required to be reported. If you were extremely short-staffed at the time or overwhelmed with providing patient care, now’s the time to report the breach. If the reporting delay was caused by conditions beyond your control, fines and penalties can be waived at the discretion of the HHS department.
To prevent any new or additional breaches you need to run a complete test of your current security protocols and see if there are any lapses or vulnerabilities. If any are found, it’s time to implement new practices and train your employees on the changes.
3) Conduct risk assessments
If your telehealth platforms and external devices connected to the system are secure, now it’s time to run a risk assessment. This will help ensure that you are HIPAA compliant, and it is worth the time and effort to do this regularly. Fines were only waived during the pandemic if a healthcare organization could show that in good faith they were trying to follow compliance standards. Now it’s time to regain all compliance standards.
There are a few tools that can help you regain technology that is HIPAA compliant. One was developed by the Office of the National Coordinator for Health Information Technology (ONC) in coordination with the HHS Office of the General Counsel.
This tool, along with others, will help you identify any vulnerabilities with how PHI is handled. Once the vulnerabilities, if any, are identified you can implement the fixes and the technology you use will be HIPPA compliant.
A consulting partner such as Medical Advantage, with expertise in both compliance and medical technology, can quickly and easily help you assess, correct, and enhance your practice’s ability to ensure HIPAA compliance now and in the future.
