Telehealth Security: Protect Patient Information and Your Practice


Offering telehealth services means more convenient access to healthcare for your patients and the possibility of more billable services for you. But it also introduces significant security threats to your patients' electronic protected health information (ePHI), and a breach of that information can lead to substantial fines.

Your practice is responsible for protecting your patients' ePHI at both the originating site (where the patient is located) and the distant site (where the provider is located). You must ensure that both locations have appropriate administrative, physical, and technical safeguards in place as outlined in the HIPAA Security Rule.

To make sure your telehealth services and your patients’ ePHI are protected, and that you are compliant with HIPAA regulations, follow these Administrative, Physical and Technical Safeguard pointers.

Administrative Safeguards

While you may already have established policies and procedures in place to protect your patients’ ePHI, it’s good to take a second look at a few areas to ensure you have adequate Administrative Safeguards in place as you plan your telehealth programs.

  • Contracts: Industry estimates attribute roughly 30% of privacy breaches to vendors that have access to your patients' ePHI. HIPAA calls these vendors business associates, and you must have a signed Business Associate Agreement (BAA) in place with every one of them. Without a BAA you are exposed to liability for any breach they cause, and even with one you still have a duty to vet the vendor's safeguards. This matters even more in telemedicine, where more third parties sit in the data path. Be sure to include every vendor that maintains your communication networks and every vendor that supplies your communication software, including any hosted video platform.
  • Coordinated Response for Security Breaches: Even if you already have a documented breach response plan, it may not be sufficient for your telemedicine services. Your plan is not complete unless it also covers a breach at the remote site: how you will identify and resolve remote-site breaches, who the key contact is for coordinating a response, and what the remote site must do to contain a breach.
  • Staff Training: HIPAA security training is essential to protecting your patients’ ePHI. Conduct training with all staff who will be involved in your telemedicine services, and be sure to document who received the training, the date and the specific subjects covered.

Physical Safeguards

It's also important to review your processes for protecting your computer hardware and software from unauthorized use and from natural disasters. Two areas deserve particular attention so that you don't end up accidentally violating HIPAA.

  • Service Locations: Assess the locations where your telemedicine services will be provided. Both the patient and the provider should be in a private setting, preferably an office or exam room, out of earshot of unauthorized individuals. Include policies that specify where these services should be rendered and what steps should be taken to protect the privacy of these conversations.
  • Access to ePHI: Document specifically who will have access to your patients' data, and for how long, at both the originating and distant sites. For example, you should have a policy for what happens when staff at a remote site leave or are terminated, so that their access is revoked promptly.

Technical Safeguards

Perhaps the most important area to focus on in your HIPAA compliance plan for telemedicine services is Technical Safeguards: the processes, policies, and tools you have in place to control access to patient data. The transmission of data, voice, video, and images associated with your patients' care can easily lead to serious violations if it is not handled appropriately.

Here are a few things to consider:

  • Communication Services: Many commercial applications offer two-way voice and video, but you must choose one that is suitable for HIPAA-covered use: the vendor will sign a BAA, the service encrypts sessions in transit, and it gives you administrative control over accounts and an audit trail. Consumer versions of programs such as Skype and FaceTime are not designed for clinical use: whatever encryption they offer, the vendor does not sign a BAA for them and you get no audit or account controls, so avoid them.
  • Encryption: Any software or service you use to exchange ePHI between the originating and distant sites must encrypt it in transit (for example, TLS for web and video sessions) and, where the service stores it, at rest. Ordinary email is not encrypted end to end, so ePHI should go through an encrypted email service or a patient portal rather than a plain message. Train your staff on how to use each encrypted service before they send any electronic communication containing ePHI, and document that training in case you are audited.
  • Audit Controls: Ensure that your systems record which records are accessed, when, by whom, and from where, and that those logs are retained and protected from tampering. You should also have alerting in place for significant data exports or downloads, or for one account touching an unusual number of patient records in a short time, because either can be a red flag that someone is stealing your patient information.
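The Audit Controls bullet above asks for alerting on unusual exports or downloads. The following is an added example, not code from the original article or any particular product, of the detection logic behind such an alert: it parses a constructed ePHI access log and raises an alert when one user exports more records, or views more distinct patient charts, within a sliding time window than a threshold allows. The log line format, the field names, the user and patient identifiers, and the thresholds are all assumptions chosen for illustration.

```python
"""
Added example (not from the original article): sliding-window detection of
bulk ePHI access in an application access log. Log format, field names,
identifiers and thresholds are assumptions for illustration only.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient_id: str
    action: str  # assumed values: "view" or "export"


def parse_log(lines: Iterable[str]) -> List[AccessEvent]:
    """Parse lines of the assumed form
    'ISO-TIMESTAMP user=<id> patient=<id> action=<view|export>'.
    Malformed lines are skipped so a bad line cannot stop the monitor."""
    events: List[AccessEvent] = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            fields = dict(p.split("=", 1) for p in parts[1:])
            events.append(AccessEvent(ts, fields["user"], fields["patient"], fields["action"]))
        except (ValueError, KeyError):
            continue
    return sorted(events, key=lambda e: e.ts)


def detect_bulk_access(
    events: List[AccessEvent],
    window: timedelta = timedelta(minutes=10),
    max_distinct_patients: int = 20,
    max_exports: int = 5,
) -> List[Tuple[str, str, int, datetime]]:
    """Per-user sliding window over time-ordered events. Alert once per user and
    reason when, inside `window`, the user has exported more than `max_exports`
    records or viewed more than `max_distinct_patients` distinct charts.
    Returns (user, reason, count_at_trigger, trigger_time) tuples."""
    alerts: List[Tuple[str, str, int, datetime]] = []
    windows: Dict[str, Deque[AccessEvent]] = defaultdict(deque)
    fired = set()  # (user, reason) pairs already alerted, to avoid alert storms
    for e in events:
        q = windows[e.user]
        q.append(e)
        # Drop events that have aged out of the window for this user.
        while q and e.ts - q[0].ts > window:
            q.popleft()
        distinct = len({x.patient_id for x in q})
        exports = sum(1 for x in q if x.action == "export")
        if distinct > max_distinct_patients and (e.user, "distinct_patients") not in fired:
            fired.add((e.user, "distinct_patients"))
            alerts.append((e.user, "distinct_patients", distinct, e.ts))
        if exports > max_exports and (e.user, "exports") not in fired:
            fired.add((e.user, "exports"))
            alerts.append((e.user, "exports", exports, e.ts))
    return alerts


def sample_log() -> List[str]:
    """Constructed sample log (not real data): one clinician with normal
    activity, one account exporting eight charts in under four minutes,
    and one malformed line that the parser must ignore."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i, pid in enumerate(["P1001", "P1002", "P1003"]):
        t = (base + timedelta(minutes=15 * i)).isoformat()
        lines.append(f"{t} user=nurse.a patient={pid} action=view")
    for i in range(8):
        t = (base + timedelta(minutes=30, seconds=30 * i)).isoformat()
        lines.append(f"{t} user=temp.b patient=P2{i:03d} action=export")
    lines.append("garbage line that should be ignored by the parser")
    return lines


if __name__ == "__main__":
    for alert in detect_bulk_access(parse_log(sample_log())):
        print(alert)
```

In practice the thresholds would be tuned per role (a billing clerk legitimately touches more charts than a clinician), and the alert would be routed to the breach-response contact named in your administrative safeguards rather than only printed.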

Take Away

Offering telemedicine services is a great way to improve the quality of care and convenience that you offer your patients. Just make sure that your privacy policies solidly address the additional risks these services may introduce.


Healthcare attorney Nicole Hughes Waid, Esq., conducted a 60-minute online training session, HIPAA Compliance: Avoid Online Communication Danger Zones, covering the strategies you need to stay out of HIPAA hot water and the online communication practices that can land you in serious trouble.