In the wake of the global pandemic, the popularity of telehealth skyrocketed. In fact, a study by the U.S. Department of Health & Human Services (HHS) showed a 63-fold increase in Medicare telehealth utilization during the pandemic.
While virtual appointments may have alleviated some safety concerns around contracting Covid-19, they also raised new concerns around telehealth security and patient data. This left patients wondering, is telehealth safe?
Patient Concerns as To Whether or Not Telehealth is Safe and Secure
In an effort to prevent the spread of the coronavirus, telehealth services, including video calls, were expanded for Medicare beneficiaries in 2020, especially for seniors and people with disabilities. HHS not only expanded Medicare coverage for telehealth; its Office for Civil Rights (OCR) also relaxed HIPAA enforcement of noncompliance for some provisions.
“OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.” – OCR Notification of Enforcement Discretion for telehealth.
On the surface, this decision is a logical response to the global pandemic. However, it also raises patient concerns surrounding privacy. It is important for patients to fully understand not only the benefits of telehealth, but also what providers are doing to ensure that their personal health information is protected. According to HHS, providers can help alleviate these concerns by:
- Speaking openly with patients about the importance of privacy
- Suggesting patients attend telehealth appointments from a private location in their home or car, or in the home of a trusted friend or relative
- Explaining how to safely communicate using email, text, or your telehealth platform’s chat feature
- Asking prior to the appointment if the patient will have an interpreter or caregiver present and what, if any, topics are off limits when others are present
Setting Up A HIPAA Compliant and Secure Telehealth System
Some telehealth software may already have its own applications for telehealth, eliminating the need for a third-party platform. If yours does not, it has been suggested that healthcare providers could use non-public-facing platforms for HIPAA-compliant telehealth, including:
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video
- Microsoft Teams
Public-facing chat and communications platforms such as Facebook Live, Twitch, and TikTok are not permitted for telehealth purposes.
Implement Your System Properly
To ensure your HIPAA-compliant telehealth system launch is a success, it is important to have buy-in from your staff. A best practice is to bring in individuals from various roles as a holistic approach to implementation. Different contributing viewpoints will help you to anticipate roadblocks and minimize disruptions to workflows during implementation.
Your telehealth implementation team also should help define metrics for success, such as patient and staff satisfaction, convenience, and continuity of care. For more information on telehealth implementation, read this article: How to Develop a Telehealth Implementation Strategy
Establish a HIPAA Business Associate Agreement with your Telehealth Vendor
To ensure HIPAA compliance, telehealth providers must use trusted vendors, or Business Associates (BA), with software that is designed specifically for healthcare. Vendors should have security measures in place for protected health information (PHI) and be willing to sign a business associate agreement (BAA). According to HHS, a HIPAA-compliant BAA should include:
- A description of the permitted and required uses of PHI by the vendor
- Provisions that the BA will not use or further disclose PHI other than as permitted or required by the contract
- Requirements that the BA uses appropriate safeguards to prevent use or disclosure of PHI other than those provided by the contract
Examples of platforms that sign BAAs and provide a HIPAA compliant telehealth service include TigerConnect, Skype for Business, Zoom for Healthcare, Updox and VSee.
Ensure Data is Secure and Encrypted
Ensuring patient privacy is at the heart of HIPAA, and that means protecting patient data. Telehealth.org recommends the following steps to ensure compliance with telehealth practices:
- Ensure the data security measures of your HIPAA-compliant vendor include safeguards for the confidentiality, integrity, and availability of PHI
- Limit PHI access to the “minimum necessary” required to complete a job function
- Ensure that your telehealth platform allows users to designate different levels of access to PHI by using unique login credentials
- Track data use and disclosure for each user
- Use only HIPAA compliant tools for telemedicine that allow users to keep audit logs that distinguish PHI access on a per-user basis
8 Tips to Ensure Your Telehealth System is Secure
It’s important to ensure that your telehealth system is secure. This will help protect the privacy of your patients, as well as your company’s data. There are many ways to do this, and this infographic will teach you the eight best tips for making sure everything is safe.
When it comes to telehealth, taking a proactive approach to security can greatly minimize risks to protected health information (PHI) and HIPAA-protected data. Here are 8 top tips organizations can follow to maximize security in their telehealth system.
- Encrypt all mobile devices used to capture and update PHI.
- Encourage use of 2-factor authentication for EHR database access.
- Always positively identify patients before beginning telehealth encounters.
- Update computer operating systems and relevant applications as prompted.
- Educate patients on security best practices through videos posted on your website or sent via email.
- Consider installing a VPN if your organization uses a wireless router and your providers conduct televisits from home.
- Use a telehealth platform compliant with HIPAA and PHI policies. EHRs with integrated telehealth programs that have been certified by the Federal Health IT Governance are compliant.
- Regularly review and update security policies in place for all personnel and contractors who work with smart medical touchpoints, including online patient portals, smart home devices, fitness devices, and more.
Medical Advantage’s telehealth consultants have extensive experience setting up, troubleshooting, and maintaining secure telehealth systems for a variety of clients. To learn more or to schedule a free consultation, contact a member of our team today.
When your platform is secure and patient data is protected, then HIPAA-compliant telehealth is a convenient and effective option for care. By taking the time to vet your vendor and choosing only HIPAA compliant tools, you can safely implement telehealth into your practice. By communicating the benefits of telehealth with your staff and patients – and the importance of data privacy – you ensure that your telehealth practice thrives.
Medical Advantage Can Help
Patients want to feel safe and comfortable when engaging with telehealth. You can reassure them their privacy is protected with HIPAA-secure measures in place. Medical Advantage telehealth consultants help minimize patient and provider exposure and maximize convenience – while ensuring your patients’ data is protected. We help our clients implement HIPAA compliant telehealth platforms in tandem with services including:
- Technology selection and setup
- Telehealth staff training
- Office staff engagement
- Scheduling optimization
- Promotion to patients
- Billing and coding advice
Contact us to get started on your telehealth strategy today!