Since the onset of COVID-19, healthcare providers have been dealing with the challenges of implementing protocols to protect their staff and patients from possible exposure to the virus. One particular problem that they had to overcome was how to do routine consultations and checkups — a dilemma that telehealth helped solve.
What Is Telehealth?
Telehealth is the practice of using electronic communication and information technology to deliver health-related information, education, and care services. Healthcare practitioners have been using telehealth technology for years, but the recent rapid increase in usage can be attributed to the pandemic. In fact, the number of patients using telehealth services rose by more than 11,718% between March and April 2020.
As the virus continued to spread, healthcare providers rushed to find viable telehealth solutions so they could continue to provide proper care to their patients. However, most of these solutions were not compliant with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and could potentially put a patient's electronic protected health information (ePHI) at risk.
Security and Privacy Concerns in Telehealth
HIPAA provides guidelines for the protection of ePHI, which every healthcare provider must follow. Generally, the process of communicating ePHI directly between patient and physician complies with HIPAA standards. But when personal patient information is delivered using unprotected platforms, cybercriminals can exploit weaknesses in such platforms to gain access to a patient's data. For instance, communicating with a health professional through an unsecured channel such as SMS makes patients vulnerable to phishing scams.
But while the HIPAA rules are clear, the Notification of Enforcement Discretion for Telehealth Remote Communications issued by the Office for Civil Rights (OCR) in March 2020 complicates matters. This notice stipulates that if a healthcare provider is offering telehealth services in good faith, the OCR will not impose penalties for entities that may violate HIPAA's privacy, security, and breach notification rules. To further understand how the OCR notice and HIPAA clash but overlap, let's first define the basics.
HIPAA Privacy Rule
HIPAA Security Rule
HIPAA Breach Notification Rule
The HIPAA Privacy Rule is a set of cybersecurity standards that apply to healthcare providers, health plans, and healthcare clearinghouses that transmit patient information electronically. Under this rule, covered entities are required to implement appropriate measures to safeguard ePHI and limit its use and disclosure. This rule also gives patients rights over their ePHI, including the right to request corrections, and the right to review and procure a copy of their records.
The HIPAA Security Rule is a national cybersecurity policy designed to protect ePHI that is created, received, used, stored, and maintained by healthcare organizations. It requires the implementation of administrative, technical, and physical safeguards to ensure the security and integrity of ePHI.
The Breach Notification Rule requires healthcare providers and business associates to notify patients following a breach of unprotected ePHI.
Under the Notification of Enforcement Discretion for Telehealth Remote Communications, the OCR will evaluate all facts and circumstances when deciding whether a healthcare provider's use of telehealth is done in good faith. The OCR has also listed some examples of instances wherein a healthcare provider acts in bad faith, including:
- Intentional invasion of privacy or criminal conduct
- Unauthorized sale of ePHI
- Unauthorized use of ePHI for marketing
- Violations of professional ethical standards and state licensing laws
- Use of public-facing platforms such as Facebook Live, Twitch, and TikTok
What Are HIPAA-Compliant Telehealth Platforms?
The OCR encourages covered entities to use only communication software provided by vendors familiar with the Security Rule to ensure ePHI safety and maintain the trust of their patients. In addition, these vendors will ensure the security of ePHI by signing a HIPAA business associate agreement (BAA)*. HIPAA-compliant communication platforms include:
- Microsoft Teams
- Skype for Business
- Cisco Webex Meetings / Webex Teams
- Zoom for Healthcare
- Amazon Chime
- Google Workspace/Meet
- Spruce Health Care Messenger
While these platforms utilize end-to-end encryption to ensure that only a patient and the healthcare professional working on their case can see the information being transmitted, covered entities should notify their patients about the privacy risks involved in using these applications.
*Note that the OCR has not reviewed the BAAs provided by the vendors mentioned.
Is your business HIPAA-compliant? One way to find out is to partner with a managed IT services provider like Charles IT. Our HIPAA assessment services will identify cybersecurity risks and weaknesses in your infrastructure that can compromise ePHI. Our IT experts will then offer recommendations on how to address those issues to ensure you don’t violate HIPAA regulations. Call us now to learn more.