
Create a Solid Telehealth HIPAA Risk Analysis Checklist


Your practice has created a Notice of Privacy Practices, overhauled your policies, and ensured that you don’t have any privacy breaches. But if you haven’t yet performed a HIPAA risk analysis, you’re falling short of the security rules. And with telehealth in such wide use, now is the time to make sure your patient information is secure.

Performing a risk assessment is required as part of the HIPAA Security Rule — and you can’t stop there. After you complete your analysis, you must take steps to reduce any risks you’ve identified, or you could face massive fines and sanctions from the government.

Make sure you evaluate any risks in your telehealth program with a few key steps.

Evaluate Interception Risks for Telehealth

Make sure your telehealth transmissions are secure and can’t be intercepted. Your first step is to confirm with the vendor of the telehealth program you’re using that privacy is built into the software. But you must also go beyond that.

Even if you aren’t an IT expert, you can confirm that you’re keeping telehealth visits away from interceptors. For instance, suppose your practice has a secure Wi-Fi network for employees, as well as a publicly accessible Wi-Fi network for patients in the waiting room. If the devices that your providers use for telehealth visits are connected to the public Wi-Fi, you could be risking interception. It’s a good idea to manually remove the public Wi-Fi network from your providers’ devices and only allow them to connect via the secure one.

Determine Whether You Should Encrypt Communications

Most apps that providers use for telehealth have encryption built in, HHS notes, including such platforms as Zoom and Skype. This means that only the people on either end of the conversation can see what’s being transmitted. However, there are other programs that do not provide this type of encryption, such as TikTok or Facebook Live, HHS says.

If you’re using an unencrypted program, you should either switch to one that’s encrypted or bring on an IT professional who can add encryption to your program.

Encryption concerns don’t stop after the telehealth session ends. If your program creates a transcript or recording of the conversation, make sure you store it in a secure, password-protected area, and that the data is encrypted during storage.

See if Storage Areas Require Authentication

Anyone accessing your telehealth records should be a confirmed, authenticated user. That means they have passwords, PINs, tokens, fingerprints, facial recognition, or smart cards that they can use to access the system. No one should be able to simply move the mouse on a computer and access telehealth records. That would make those documents vulnerable to unauthorized access, which could lead to a breach and the fines that come with it.

Consider Whether You Should Add Time-Outs

Any device that stores ePHI, including records from telehealth visits, should have a setting that automatically locks the device after a certain period of inactivity. This ensures that if someone is reading a telehealth transcript and then walks away from the device, anyone else walking past it would have to log in again to see what’s on the screen. Many practices set devices to lock out after 60 seconds, but it’s up to you to determine what works best for you.

To learn more about your HIPAA requirements when you use telehealth, check out the online training session, Ace NEW, Stricter HIPAA/Telehealth Audio Rule Requirements, presented by Amanda Waesch. During the 60-minute training, you’ll find out how to master the HIPAA requirements that apply to telehealth so you don’t face audits, fines, or penalties.

