Privacy is a major concern with telehealth, especially when using common consumer apps to communicate with patients, says Savera Sandhu, JD, partner with Newmeyer Dillion in Las Vegas.
Technology that was not developed specifically for telehealth still can be used safely, but some caution is warranted. Providers must make a good faith effort to protect the privacy of the patient when using telehealth.
“It’s not as if providers can go sit at Starbucks and have a FaceTime call with a patient. There still needs to be privacy protections that are required under HIPAA,” Sandhu says. “A good idea is to designate an area in which your physicians have access to technology to communicate with patients, an area away from the public. This might be a room in the hospital that is designated during certain hours for physicians to communicate privately with patients.”
Sandhu also encourages telehealth-specific technology whenever possible rather than consumer apps like FaceTime, Zoom, or Microsoft Teams. Platforms developed specifically for telehealth contain built-in privacy safeguards, waivers, and encryption that will address some of the primary concerns.
Telehealth will continue to appeal to patients even after the pandemic is no longer an issue. Healthcare organizations still will make use of it if HHS makes the COVID-19 era regulatory changes permanent, or if the government at least does not impose the same regulatory barriers that stymied full use of telehealth in years past. More than 70 groups have asked Congress to extend and make permanent certain emergency telehealth policy changes.1
“As long as Medicare, Medicaid, and private insurance continue to accept telehealth claims, hospitals and other providers definitely will continue to use telehealth much more than they did in the recent past,” Sandhu predicts. “One day, the public health emergency will no longer exist. Then, the question is whether we go back to the ways we did healthcare previously, with the same restrictions on telehealth, or whether we move forward with what we’re doing now.”
Assess Operations Now
Hospital leaders should take a close look at telehealth operations that were put in place months ago to respond to the COVID-19 crisis, says Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA. Many hospitals and health systems implemented systems quickly to address the pandemic, spurred on by the loosening of regulatory requirements.
Fisher notes one of the changes HHS made at the start of the pandemic was to allow the use of telehealth in any setting, rather than only in rural settings and in specified buildings. Facilities that previously did not use telehealth at all quickly established the new option by using commonly available consumer technology that was not necessarily HIPAA-compliant.
Now that the industry has a slightly better handle on the pandemic, Fisher commends reassessing those telehealth operations for potential problems.
“To the extent that those systems are still in place, I think that is where there could be the biggest risk. As telehealth becomes more of a standard part of healthcare delivery, at some point there is going to be a requirement that these systems comply with HIPAA. The government is not going to continue the softer approach that was necessary at first,” Fisher predicts.
Any assessment and discovery of risks must be followed by a program that ensures adequate improvements are made in the telehealth operations. It is common for administrators to identify such risks, and then let the report sit on a desk without the follow-up necessary to make sure changes are made, Fisher observes.
“The question is what’s being done to ensure that modifications toward a more compliant setup are actually occurring. We all know that habit becomes engrained very quickly. People are not always going to be worried about the risks of what they are doing,” Fisher says. “If patients and clinicians got in the habit of just going to FaceTime, you want to make sure that is being cut off, and you’re directing your telehealth business to the preferred service that meets all the privacy and security requirements.”
The federal government may issue new rules on telehealth’s role in value-based care soon, along with restrictions and possible safe harbors related to anti-kickback laws, according to Fisher. Hospital leaders should keep an eye on those developments and be ready to respond with the appropriate modifications to any telehealth program established in response to COVID-19, as they might not be compliant.
“There are pending telehealth bills before Congress. The one that seems to be getting the most traction is one that would permanently encode a lot of the expansion that occurred during the pandemic,” Fisher says. “One of the key changes, however, is that it would not continue the lack of HIPAA enforcement. It would clearly state that HIPAA comes back full force for delivering telehealth.”
(Editor’s Note: There have been dozens of pieces of legislation regarding telehealth in front of the current Congress, dating back to before the COVID-19 pandemic. A sample of these is available here. The Telehealth Act, HR 7992, introduced in August 2020, is an omnibus resolution that would tie together several related proposals.)
Provider Sets High Standards
At Care Plus NJ, a provider of primary and behavioral healthcare for children and adults in Paramus, NJ, telehealth was in use before the COVID-19 outbreak, mostly as a way to avoid no-shows and appointment cancellations, says Michelle Alkhalaileh, LPC, chief information officer and security officer. When the pandemic hit, CarePlus NJ immediately expanded its licenses for the telehealth technology because leaders there anticipated a greater demand for remote care.
But as other healthcare providers seized on the relaxed guidelines to use FaceTime and similar apps, CarePlus NJ stuck to its standards for patient privacy and security.
“We were very strict about ensuring we were using a vetted platform that we knew was HIPAA-compliant and secure,” she says. “We’ve always communicated strongly with staff about security. But with our staff working from home, we’ve ramped it up more and consistently messaged about things like ensuring you are in a private space, away from family members and others who may be in your household.”
CarePlus NJ also emphasized the need for secure Wi-Fi connections. Further, staff are required to use headsets or earbuds to minimize the chance of anyone overhearing a patient during the telehealth visit.
“[Make] sure that home recording devices like Alexa and Google Home are disabled so they are not inadvertently recording and picking up bits of the conversation,” Alkhalaileh says. “There also was important messaging about staff meetings and other interactions that did not involve the consumer, like staff meetings held over Teams or another application. We wanted to make sure CarePlus’ business interests were protected, as well as the anonymity of our consumers.”
CarePlus NJ also made arrangements for patients who were willing to use telehealth during the period of coronavirus isolation but did not have a computer or smartphone. Caregivers would be working from home and providing telehealth, but CarePlus NJ opened some facilities to allow patients to come in and use telehealth connections.
“Regardless of whether the consumer is using telehealth from their own home or coming into one of our facilities, the consumer is consenting to the use of telehealth. There is an issue of informed consent around telehealth,” Alkhalaileh says. “We did a tremendous amount of training to make sure staff were comfortable with their Surface Pro and understood how to use it, much of it one on one. Then we did recording training as we brought on more staff to the telehealth experience.”
A team of administrative staff is available to help both caregivers and consumers with computer issues.
“It’s a tremendous amount of work. Having a team available to help individuals get online and understand the system is very helpful,” Alkhalaileh says. “We also use the program for group services, particularly with some of our substance use care. That was another logistical challenge to set up and get everyone on board.”
CarePlus NJ also uses telehealth to provide emergency psychiatric screening in the community.
“Having the infrastructure, communicating, and being able to allocate the human resources are all key to making a significant telehealth program work,” she says. “You’re always going to have Wi-Fi and connection problems. Privacy issues are difficult to work out sometimes when you have multiple people in the home, but it can be achieved.”
Alkhalaileh expects consumers to drive the future of telehealth. Unless regulators sharply restrict the use of telehealth again, she says consumers will demand it as a convenient option as long as they are confident of their privacy.
“If they previously relied on public transportation to get to the treatment center, they might say telehealth is a better option for them. They will expect us to make that possible,” she says. “I think we’re going to have to see how things go with the regulators and what consumers choose.”
Be Ready for Patient Questions
Hospitals and health systems should be prepared to respond to patient concerns about telehealth privacy, says Teri Dreher, RN, CCRN, iRNPA, program director with NShore Patient Advocates in Chicago. They can explain that providers are required by law to use HIPAA-compliant, secure means of conducting telehealth visits and produce documentation showing their technology conforms to those requirements.
“Even though many HIPAA regulations have been relaxed by CMS during the pandemic for phone conversations between providers in the interest of fast communication and decisions regarding transition of care, they are rarely abused,” Dreher says. Many safeguards that apply to online security are applicable to telehealth, says Steve Durbin, managing director of the Information Security Forum, a London-based authority on cybersecurity, information security, and risk management.
“Telehealth is coming into its own during the pandemic, but it should be used carefully. Many of the top tips for being safe online apply to this. Make sure you are using a service that is reputable; check out how the data you share will be used, including storage and destruction; only disclose relevant information that is absolutely essential,” he says. “Most reputable telehealth providers will be able to point you to a code of conduct and use of data explanation. Seek out references from people you know who may have also used the service to get some hints and tips before you need to use the service.”
- Advanced ICU Care, America’s Physician Groups, American Academy of Neurology, et al. Letter to Congress. June 25, 2020.
- Michelle Alkhalaileh, LPC, Chief Information Officer/Security Officer, CarePlus NJ, Paramus, NJ. Phone: (201) 265-8200.
- Teri Dreher, RN, CCRN, iRNPA, NShore Patient Advocates, Chicago. Phone: (312) 788-2640. Email: firstname.lastname@example.org.
- Steve Durbin, Managing Director, Information Security Forum, London. Phone: (347) 767-6772.
- Matthew R. Fisher, JD, Partner, Mirick O’Connell, Worcester, MA. Phone: (508) 768-0733. Email: email@example.com.