During the early months of the pandemic, telehealth visits increased by 50%, according to data provided in Morbidity and Mortality Weekly Report, a publication of the Centers for Disease Control and Prevention. Healthcare providers were scrambling to keep up with demand. Practitioners who were already using the technology had dramatic increases in telehealth visits and those who were not quickly set up programs to treat patients virtually and maintain a revenue stream.
Early in the pandemic, the Department of Health and Human Services (HHS) facilitated the move to telehealth by announcing waivers allowing the use of nonpublic facing technologies like Zoom and Skype to offer telehealth services. Under normal circumstances, these would not be HIPAA compliant. Months later, however, practices need to make sure telehealth modalities are secure, according to Adam Goslin, a compliance officer for Otava, a cloud service provider specializing in secure and compliant solutions based in Ann Arbor, Michigan. “They need to turn their focus now to making sure they have their telehealth systems buttoned up,” he said.
It is uncertain when the waivers will expire. Ensuring the use of HIPAA-compliant software now avoids a situation in which patients grow accustomed to an app like FaceTime and then have to switch platforms, said Chad Anguilm, vice president of in-practice technology services with Medical Advantage, based in Ann Arbor, Michigan, which provides healthcare and telehealth consulting services as part of the TDC Group. If a practice must use noncompliant technology, it should document why that technology was chosen. Even with HHS waivers for the use of noncompliant apps, a patient or state could file a lawsuit if a breach occurred while one was in use, he said.
Even during a health emergency, legal requirements for security and privacy do not disappear completely, Anguilm said. Providers are still responsible for protecting the health information of all patients.
“What’s happening right now will continue,” he said. “The benefits and efficiencies of using telehealth will stick. Providers need to focus on new threats and vulnerabilities that [exist] with seeing patients remotely. As the number of visits grows, so does the lure for cyberattacks.”
Mei Wa Kwong, JD, executive director of the Center for Connected Health Policy, a program under the Oakland, California-based Public Health Institute, said she recommends providers go about their business as though HIPAA telehealth requirements were back to what they were prior to the pandemic. At some point, HHS will roll back the waivers, and to avoid problems in the future, it is better to be using the technology with full HIPAA requirements in mind.
“OCR lifted penalties for providers and business associates with good-faith use of non-compliant technology,” Anguilm said. “I believe that will be the first thing, and main thing, rolled back that will impact providers day to day.”
Kwong said a number of providers like to use programs like FaceTime and Google Hangouts, which are relatively simple to use and easily accessible for patients. But there are problems with using these platforms over the long term. The technology was not intended to be used for telehealth, she said.
A major component of keeping any system safe is mapping it – knowing what information is there, who has access to it, and how it moves around. “You have to go in with the guiding assumption that bad guys will get past the edge of the gate at some point,” Goslin said. Practices need to know their vulnerabilities and the damage an attacker could do after getting past those defenses.
Practices have to understand the path information follows, from servers to practitioners to patients. Not only should the transmission and storage be secure at each of these points, providers should know who is responsible for maintaining that security. Practices may assume that vendors are responsible for all aspects of a telehealth technology, but that is frequently not the case.
“Many cover surprisingly little of the general security responsibilities,” Goslin said of the vendors. “There is a division of responsibilities as it relates to various service providers, and most cloud vendors cover far less than [providers] think.”
Vendors should be able to provide clear information on who is responsible for which areas of security related to the telemedicine platform, said Jeremy Bigler, Otava’s director of product management.
Providers need to make sure they can take responsibility for the areas under their own purview. They should then understand how each party, the practice and the vendor, can document its compliance for the areas it covers.
The informed consent requirement for telehealth was also relaxed, but will likely be reinstated after the pandemic. Many providers have been getting verbal consent, which will eventually not be sufficient, Anguilm said. “Getting consent through an electronic form or in writing is really important,” he said.
Anguilm stresses that everything that occurs during a telemedicine visit, including consent, needs to be put into the patient’s electronic medical record (EMR). During the early days of COVID-19, providers were overwhelmed with patients needing virtual care, medication refills, and other services, and they might not have been documenting visits adequately in the EMRs, Anguilm noted.
“Many doctors were scribbling on notepads because the technology was so new and that [information] wasn’t getting into charts,” he said. “We were putting a ton on physicians’ shoulders and many didn’t get the proper training.”
Several organizations offer reliable information online about telemedicine security. The Doctors Company, part of the TDC Group, has a resource center. The Center for Connected Health Policy also has resources and information on a range of telemedicine policies and security guidelines.