In response to increased need for expedient and distant health treatments during the COVID-19 pandemic, the US Department of Health and Human Services (HHS) is temporarily giving HIPAA-covered entities greater leeway in the delivery of virtual care.
HHS recently announced that healthcare providers can offer telehealth services via previously noncompliant technologies. The department now allows doctors to provide health services through audio or video on sites like Skype and FaceTime so they can see a greater number of patients and reach out to those sheltering in their homes. The organization has said it will not impose penalties on providers using these alternative technologies.
With these temporary rules and an increasing number of providers and staff working remotely, healthcare organizations need to understand how to provide telemedicine and allow staff to work off-site while ensuring good cyber control and reducing risk.
“We are definitely living in an unprecedented time, and it is a time when providers are going to be providing care in different ways,” said Julie Pursley Dooling, Director of HIM Practice Excellence at American Health Information Management Association. “But this is not suspending HIPAA. They are relaxing the rules so providers can take care of patients in good faith during this public health emergency.”
The first thing to note is that HHS is not waiving HIPAA requirements. The department is saying only that the health crisis has allowed it to be “judicious” when it comes to enforcement and penalties, said George Jackson, a senior principal consultant with Nashville, Tennessee-based Clearwater Compliance.
Providers and staff dealing with patients can take time now to look over the guidelines and ensure everyone understands how technology can and cannot be used. Pursley Dooling said that in cases in which the provider uses an allowed video messaging application like Facebook Messenger, it is best for staff to use a company account rather than a personal account in order to avoid sharing a provider’s personal information. Finally, she said, all virtual care provided should be documented like any other clinical visit.
Now is a good time for doctors to work with patients so they understand the risks of communicating on systems that are not HIPAA compliant. All patients should have an updated privacy and consent notification, especially if they are using telemedicine services. Jackson recommends even having talking points or handouts prepared to make sure security is good on the patient’s end.
Providers should also prepare for the possibility that some of the telemedicine changes may last beyond the pandemic, making the security changes permanent.
“Will the genie go back in the bottle?” Pursley Dooling asked. “There is a lot of discussion out there that the pandemic is potentially going to be a catalyst for healthcare transformation, so we’ll see when all of this is over.”
Another consideration for providers during the pandemic is the increased number of people who may be working outside of the office. Whether clinical or administrative staff, Jackson said, there are some simple things to be aware of when working remotely.
One consideration is cyber safety at home. Practices can set up virtual private networks (VPNs) so staff can log in to and work in a secured space. It is also important to ensure staff’s home internet is as secure as possible. Most people use the default password, or none at all, on their home networks. For people who are not tech savvy, an internet service provider (ISP) can provide a security checkup, Jackson said. The ISP can update an older system and implement patches to bring it up to date and thereby reduce risk.
Among the ploys criminals use to take advantage of people when creating malware is playing on emotions. People may be surfing the web for any information about the pandemic, so staff members need to be especially vigilant about inadvertently clicking on phishing-related links.
Now is the time to check with an ISP to make sure emails are being monitored for phishing attacks. Individuals should be advised not to click on a link that comes in an email with a subject line that induces panic, Jackson said. Pursley Dooling recommends not opening any emails with COVID-19 in the title unless the user knows exactly who sent the message.
“Healthcare organizations should have been receiving regular training to make sure staff is aware of potential phishing attacks,” Jackson said.
Under the best of circumstances, humans are the weakest link in the security chain. When they are nervous, stressed and fatigued, it only makes them more prone to mistakes. Even though there has been some loosening of HIPAA guidelines, the major rules still apply. Pursley Dooling said she has already begun hearing about people posting personal information on social media or telling others they have seen someone in a clinic. Circumstances may stir temptation to snoop on people as well, Jackson said. Tools that track movement in a system can alert a provider if someone is looking in records they should not be accessing. As human error is not uncommon, Clearwater outlines how organizations can mitigate the vulnerabilities associated with careless users in its CyberIntelligence Institute Bulletin.