EXECUTIVE SUMMARY

As the use of telehealth increases, so do concerns over patient privacy. Best practices can reduce the risk of data breaches.

  • Conduct a risk analysis on telehealth services.
  • Closely review any programs hastily set up as a response to COVID-19.
  • Limit the use of telehealth to appropriate settings and uses.

With the use of telehealth increasing in response to the COVID-19 pandemic, there is growing concern the technology may pose risks to patient privacy. In particular, any telehealth services quickly established at the beginning of the pandemic may need a close review to ensure they do not result in data breaches.

While telehealth has captured a lot of attention since COVID-19, most of it has been focused on the changes to the care delivery model, such as the safety, convenience, and ability to provide some basic care remotely, notes David Finn, executive vice president for strategic innovation with CynergisTek, a cybersecurity consulting firm based in Austin, TX.

“From a technology perspective, it has focused on what providers need to do and the relaxation of certain rules related to physician credentialing, reimbursement, and what will remain of these changes as we return to something that looks more like our pre-COVID-19 world of healthcare,” he says. “We seem to have missed what is important to the people that all of this was done for — the patients.”

CynergisTek recently conducted a survey to address the emerging security and privacy concerns of patients who opted for phone and video consultations over in-person visits during a recent period. Seventy-three percent said they plan to continue to use telehealth.

Finn notes these other results from the survey:

  • 79% of male respondents who have used a telehealth solution during the COVID-19 pandemic will continue using them post-COVID, compared to 67% of females.
  • 81% of millennials will continue to use telehealth options after the pandemic, as will 79% of Gen X respondents.
  • 25% said they would not consider using a telehealth solution for any of the hypothetical appointments or procedures presented. That number is significantly higher among baby boomers at 41% and the Silent Generation (those born from 1928 to 1945) at 59%. (More information is available at: https://insights.cynergistek.com/news/future-healthcare-telehealth-security-risks.)

Patients Willing to Use Telehealth

Healthcare has clearly discovered a real opportunity, Finn says. Americans will look to telehealth to fill the gap for routine types of care. For example, nearly 30% of survey respondents would look to telehealth for chronic care check-ups or annual physical and children’s wellness exams.

“This is where it gets tricky for providers. We know from weekly incidents in the media and studies of the industry that privacy and security are lagging in the healthcare sector,” he says. “While patients are ready to embrace telehealth, providers must prioritize privacy and security when rolling out phone or other virtual services. If they don’t, they run the risk of potential breaches of sensitive and often legally protected patient information.”

Healthcare providers need to reassess and strengthen their security to reflect this new reality or potentially risk losing their patients’ trust and business, Finn says. He cites this further evidence from the survey:

  • 48% of respondents said they would be unlikely to use telehealth if their personal health data was compromised.
  • 54% of women indicated they would not use telehealth solutions again if their health information was compromised in a breach, vs. 41% of men.
  • Baby boomers and the Silent Generation are the least likely to return to telehealth solutions if their data were compromised (62% and 65%, respectively).

Responses also indicated that the older the group, the less likely they were to have the technology, skills, and capabilities to use these telehealth tools. However, these groups would most benefit from these types of services, Finn notes.

The first step any health system can take to ensure patient privacy is to understand the potential risks and vulnerabilities that exist when protected health information (PHI) is transmitted electronically, says William P. Dillon, JD, shareholder with Gunster in Tallahassee, FL. These risks and vulnerabilities can be learned by conducting a robust risk analysis of the health system’s processes for creating, receiving, maintaining, and transmitting PHI, he says.

“A risk analysis allows a covered entity to know what it is doing right — and more importantly, lets the covered entity know which areas need improvement. It is the failure to mitigate known deficiencies that still seems to be a big issue for many in healthcare,” Dillon says. “Only by properly securing ePHI can patient privacy be maintained with any level of confidence.”

Along with proper security measures required by the HIPAA security rule, one best practice is to learn how PHI moves through an organization, Dillon says. He notes the Department of Health and Human Services Office for Civil Rights (OCR) Summer 2020 Cybersecurity Newsletter focused on the importance of a covered entity understanding the IT assets that are under its control. (The newsletter is available at this link: https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-summer-2020/index.html.)

For example, the covered entity should be aware of both its hardware and software assets, Dillon explains. Once aware of its assets and how they are interconnected, the covered entity should ensure all known vulnerabilities are patched and/or otherwise remediated.

It is imperative to maintain that required privacy mindset, Dillon says. A healthcare provider can engage in a telehealth session on a device that is fully secure, but if that telehealth session is conducted in an area where unauthorized people can see or hear the interaction, the patient’s privacy is subject to compromise, he explains.

“Another pitfall or mistake would be to make sure that any technology that is being used for telehealth is not public-facing,” he says. “While OCR has indicated that it will exercise enforcement discretion during the COVID-19 crisis, it has specifically warned providers not to utilize communication applications such as Facebook Live, Twitch, and TikTok for patient communications.”

While more patients are aware of telehealth than ever, concerns remain about how the process works and how information is collected, Dillon says. One of the best ways to deal with these concerns is through patient education. Many healthcare providers require that patients be given a document similar to an informed consent form. Such documents outline how telehealth works and the pros and cons of the telehealth option, he says.

Respect Patient Concerns

Patient privacy is a valid concern with telehealth, and one that each healthcare provider and patient should take seriously, says Jay Backstrom, vice president at Impact Advisors, a healthcare consulting firm based in Boston. Concerns about internet privacy in general have spiked in recent years due to incidents of data breaches and internet fraud. Many patients are worried about the security of their personal information.

“Many patients are accustomed to seeing their healthcare provider in a private patient room, so perceptions about privacy are a greater concern with many more patients now having a similar visit via telehealth,” he says. “Secure connections and data encryption help protect information during telehealth visits, but many patients will want more assurances to ease their concerns. Patients should be asking their clinical provider how their privacy is being protected.”

Clinical care providers should continue to adhere to defined HIPAA requirements, and use HIPAA-enabled telehealth applications and videoconferencing platforms. Patient privacy and data protection policies should be established and made accessible to patients before their telehealth visit, he says.

“Additionally, clinical staff should be instructed to follow a defined process for performing all telehealth visits to ensure patient privacy is protected. The process should include functional, operational, and technical protections for patient privacy and data captured during and after the clinical encounter,” Backstrom says. “For example, before clinical care is provided, the care team should verify the identity of the patient. If it is a follow-up visit, have the patient validate some of his or her previous encounter information.”

Telehealth Best Practices

Backstrom recommends these telehealth best practices:

  • Only use telehealth applications and videoconferencing platforms that meet HIPAA privacy and data security requirements.
  • Ensure all telehealth staff receive HIPAA security training and only authorized providers have access to patient data.
  • Establish patient privacy and data protection policies and provide patients access to these policies before their telehealth visit.
  • Ensure telehealth application data is encrypted and protected.
  • Use telehealth applications that require a login and password for all users.
  • Integrate the electronic medical record with the telehealth platform for bidirectional information exchange to ensure a single source of record for the patient.

Patients also can take steps to protect their own devices against security and privacy risks for a telehealth visit or anything involving their online personal data, Backstrom notes. Patients should verify they are using a secure website (shown by the “lock” icon in the browser’s address bar), make sure their wireless connection is secure and password protected, and ensure they have up-to-date antivirus software running on their computer.

“If you follow the best practices, then you will avoid many of the common mistakes. Beyond the best practices, clinical providers should avoid outdated views of patient privacy and data protections that shift the responsibility to someone else,” Backstrom says. “Everyone who interacts with the patient through telehealth has a vital role to play in the protection and privacy of the patient’s information, including the patient.”

Treat Like Other Healthcare Services

Telehealth services still are healthcare services, and most of the compliance issues will look familiar, says Roy Wyman, JD, partner with Nelson Mullins Riley & Scarborough in Nashville, TN. A risk manager will want to ask if the proper services actually were provided, if they were billed correctly, and whether there are any problematic referral or compensation relationships, among other concerns.

“The compliance program for telehealth should look like the broader program: involve a risk assessment, risk management plan, benchmarking, auditing and monitoring, and more on a regular cycle,” he says. “New elements to address telehealth specifically may need to bring special attention to the relationship between any telehealth management or platform services and the physicians. Of particular concern are the corporate practice of medicine, inappropriate compensation relationships, fee-splitting, and IT security concerns.”

The concerns are valid because attacks on the privacy and security of health information are increasing, Wyman says. Keep in mind there are two different aspects where privacy can be a concern. The first is when actually communicating as part of treatment. The second is when the provider accesses and stores the records of that treatment.

Each has unique risks, and the provider should speak to how they protect data in both those settings, Wyman says. Regarding the treatment itself, many providers are new to the telehealth space and may not bring enough knowledge and investment to make sure their systems are secure.

Wyman notes that while the relaxation of Medicare rules may permit using a broader range of platforms in providing telehealth, the hospital or system still must comply with HIPAA and avoid undue risks to patient privacy. That includes undertaking a risk assessment.

“That assessment should include a review of the overall security of the transmission and storage of PHI. Proper security, at a minimum, should include a review of the telehealth platform, involve additional training for providers and anyone accessing the system, and consider the level of security of the data being transmitted,” he says. “Other requirements of HIPAA security rules also apply and will involve things like access controls to determine how users are verified, integrity to assess ways of confirming the reliability of data, logging of data and identifying system intruders, availability of the data, and other concerns.”

Ensuring a secure telehealth program comes back to the common elements of any effective compliance program, Wyman says. That includes a team that can get the attention of others in an organization and has a regular compliance cycle, usually annual, he says. It also will include a thorough risk assessment (often undertaken by an outside contractor), a risk management plan, benchmarking, and auditing/monitoring.

“With regard to telehealth specifically, the program must address issues regarding training, coding, collection of information, proper contracting, and making sure that there are no improper ownership or referral relationships,” he says.

A common mistake is jumping into telehealth without any experience or understanding of the risks, Wyman says. For example, providers may be tempted to just start taking Zoom calls from patients and billing it.

“When the system breaks, or the unexpected happens, there isn’t a plan to address it. Likewise, simply signing up with a telehealth platform without consulting and legal assistance creates risks. If the system is hacked, or the platform breaks its promises, will the provider have any recourse against the platform?” Wyman asks. “Has there been due diligence to make sure that the platform is established and reliable? Are the providers trained, and do they understand the unique challenges of telehealth regarding coding, follow-up, and the provider-patient relationship at a distance? Will the system still work when and if we go back to the old rules from pre-COVID-19?”

SOURCES

  • Jay Backstrom, Vice President, Impact Advisors, Boston. Phone: (800) 680-7570.
  • David Finn, Executive Vice President, Strategic Innovation, CynergisTek, Austin, TX. Phone: (512) 402-8550.
  • William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Phone: (850) 521-1708. Email: wdillon@gunster.com.
  • Roy Wyman, Partner, Nelson Mullins, Nashville, TN. Phone: (615) 664-5362. Email: roy.wyman@nelsonmullins.com.