Telehealth or telemedicine is one of the fastest growing areas in healthcare, estimated to be over $35 billion globally by 2020. Using electronic communications with patients is an obvious choice today with the internet, email and texting. Patients often prefer electronic communication because they’re accustomed to it in every area of life.
Lots of people benefit from telehealth today. Rural areas don’t have enough doctors, so being able to talk to a provider long-distance brings relief to many who may not otherwise receive care. For others, even in urban areas, transportation or mobility can be a challenge so telehealth brings vital healthcare services closer.
Finding and seeing specialists can be easier over the internet. Remote patient monitoring allows providers to read vital signs, check blood pressure and other measures of health status, while the patient stays at home. Among the many benefits of telehealth are speed, reduced costs, wider access and increased patient engagement.
One caution is that electronic communications require protections to ensure that risks of breach or theft are minimized. Following HIPAA is the best way to reduce those risks and keep patients engaged.
Telehealth is defined by the U.S. Department of Health and Human Services (HHS) as:
“the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications .”from HealthIT.gov
Common applications include:
- Live videoconferencing – two-way communication between a patient and a provider
- Recorded videoconferencing – transmission of health information, often from provider to provider
- Remote patient monitoring – recording personal health and medical data in one location for review by a provider in another location, usually at a different time
- Mobile health – health care and public health information provided through mobile devices
HIPAA Contains Telehealth Guidelines
HIPAA applies, so healthcare providers and business associates who want to use telehealth should review the basics to ensure they are keeping patient information secure. The key is to have Administrative, Physical and Technical Safeguards in place to minimize the risk of unauthorized disclosures of electronic data.
The HIPAA Security Rule says, when transmitting electronic protected health information over an electronic communications network:
- Only authorized users should have access to EPHI;
- A system of secure communication should be implemented to protect the integrity of EPHI; and
- A system of monitoring communications containing EPHI should be implemented to prevent accidental or malicious breaches.
One method of securing communications over email and text is to use encryption. In 2014, HHS issued guidance saying that encryption is a “reasonable and appropriate Security Rule safeguard” when transmitting ePHI. However, the Privacy Rule’s right of access rules say that patients have the right to receive information in the format they choose, and if they prefer NOT to receive encrypted messages or email, they may. This has resulted in a “Safe Harbor Rule” for covered entities who communicate with patients electronically.
Telehealth Without Encryption
If a covered entity uses the “Safe Harbor Rule”, it may communicate with patients via email and text message by following the patient’s preferred communication method. The three steps of the Safe Harbor Rule are:
- Duty to Warn – warn the patient of the risk of unencrypted communication – that it may be intercepted or hacked
- If the patient chooses to receive unencrypted communications after being warned, go ahead
- If the patient prefers encryption, all electronic communications must be encrypted
- Document the warning and the patient’s choice for your records
Access Controls and Telehealth
A central Security Rule technical safeguard is to make sure that access to EPHI is restricted only to those who need access in order to do their job. Each person should have a unique log-in and password, and where feasible, an automatic log-off feature should be on every computer.
Integrity of EPHI and Telehealth
Protecting the integrity of patient information is a primary goal of the Security Rule. Maintaining integrity means making sure the data has not been altered or destroyed – the risk of altered data should be obvious – patients could be endangered.
HHS does not prescribe exactly how organizations need to protect data integrity, but recognizes that it may be altered by accident or intentionally, from outside or within an organization. There are programs that can automatically check for data integrity, looking for alterations or missing information – HIPAA does not require an exact specific solution, but asks that organizations take “reasonable and appropriate” steps, based on their identified risks and organizational structure.
Risk Analysis is the First Step
Protecting patient data starts with a HIPAA Risk Analysis. After a Risk Analysis is completed and the risks identified, an organization can implement security measures to reduce the those specific risks. If telehealth is a part of your business, make sure you have the protections you need and your compliance is up to date.
The HIPAA E-Tool® has all the HIPAA policies required, for the Privacy Rule, the Security Rule, the Breach Notification Rule and the Enforcement Rule. It also includes an interactive Risk Analysis you can complete yourself.
If you need help, request a HIPAA Quick Start Kit below. Requests during the remainder of October will receive a free Think Before You Click security reminder magnet. Or, write us separately on the Contact page to request a magnet or ask any HIPAA question.