The following is a guest blog post by Dr. Sherry Benton, Creator and Chief Science Officer at TAO Connect.
Kaiser Permanente Venture, the corporate venture capital arm of Kaiser Permanente, announced in December 2015 that it would strategically invest $10 million in Vidyo, Inc., a leader in high-quality visual communications, to increase patient convenience and improve the overall quality of care. This endorsement of telemedicine technology by one of the nation’s largest health networks is a strong indication that telemedicine has begun to emerge as a go-to strategy for hospitals and health systems.
In addition, a breadth of clinical research consistently shows that virtual visits, either by phone or videoconferencing, are just as effective as face-to-face encounters. This is particularly true for synchronous “real-time” communications using technology. Such communications not only increase patient engagement, but they also increase accountability, resulting in more positive outcomes.
Kaiser Permanente’s venture into telemedicine is one of many examples we’ll likely see over the next few years as patient engagement continues to take priority. According to research firm Parks Associates, the use of video conferencing to facilitate an encounter between a provider and patient is projected to reach 130 million visits in 2018.
However, as providers embrace telemedicine technology, they must also keep HIPAA privacy and security at the forefront. Kaiser Permanente, for example, has stated its telemedicine solution offers HIPAA-compliant encryption—a necessity for any provider offering virtual visits. Far too often, providers resort to Skype, FaceTime, or a host of other video service providers without thinking about the potential for breaches of PHI.
Ask your potential video service provider whether it meets federal government standards for HIPAA compliance as a covered entity. The TeleMental Health Institute provides additional guidance on selecting a specific video service provider.
Also consider these six important privacy and security questions as you explore video telemedicine options:
- Will your video service provider sign a business associate agreement as required by the HIPAA Omnibus Act?
- Do you and your patient both have a secure/encrypted Internet connection to prevent interception?
- Can your video service provider encrypt data “in motion” and “at rest” as per HIPAA requirements? Data “at rest” refers to data stored on the video service provider’s server and can potentially include non-video elements (e.g., exercises, assessments, and logs) as well. Data must be secure and encrypted for the entirety of the time that it’s retained as dictated by state and federal regulations. Data “in motion” refers to data moving from the patient to the server or from the patient to the provider via the server. This requires security and encryption as information flows through routers, load balancers, firewalls, and Ethernet networks. Ask your video service provider how it incorporates HIPAA-compliant security protocols during every step in the process and for its various delivery platforms and applications, including mobile, web-based, and desktop.
- How will you define your legal health record? Will it include the actual video recording itself? If so, how will you handle patient requests for copies of this information? Some specialties, such as mental health, rarely store video unless it’s used for supervision/educational purposes.
- Have you implemented role-based access to the virtual visit software at the point of logon?
- Have you provided sufficient patient education? For example, patients should be in a private place during the actual virtual visit so no one else can observe the conversation. When patients use a mobile device to participate in a virtual visit, we advise passwords requiring re-entry after a brief period of inactivity. Patient education goes a long way toward risk mitigation in telemedicine.
Many of the HIPAA challenges related to telemedicine are the same ones we face in a non-virtual world. However, telemedicine certainly requires a heightened awareness of the potential for hacking and virtual interceptions. Give careful consideration to privacy and security at all points in the care delivery process. Take your time in searching for the right video service provider and ensure it is willing to meet all HIPAA requirements in writing…and in practice.
About Sherry Benton, PhD
Dr. Benton is the creator of TAO Connect and director of the University of Florida Counseling Center. She is also a fellow in the American Psychological Association and the President Emeritus of the Academy of Counseling Psychology. Dr. Benton has been a psychologist and mental health care administrator for 22 years.