Recently, WEDI released a paper offering a fairly basic overview of the main categories of telemedicine services. From my standpoint, most of the paper wasn’t that new and exciting, but one section had some interesting suggestions worth sharing. While you’ve probably heard some of them before, you probably haven’t seen the full package they shared.
First, WEDI provided some general principles providers should consider when delivering telehealth services, including that all interactions should be conducted through a secure transmission channel and that privacy notices must be displayed or easy to find on the telehealth site. Makes sense but not earthshattering.
Where things got interesting was when WEDI went through its own telemedicine security Q&A. Its feedback on key topics included the following:
- Make sure you have a policy addressing provider-to-provider disclosures of HIPAA-protected information which is gathered via telemedicine consult.
- Secure all telemedicine data. Verify and authenticate user identities and their authority levels before patient treatment, possibly through the log-in process. This could include making sure that there’s a one-to-one match with the person logging in to view the data being retained.
- Set up standards for data storage and retention, and establish policies, procedures and auditability for access, use and transfer of telemedicine-related PHI. Afterward, monitor compliance with those standards.
- Decide how telehealth data breaches will be handled, and who will be responsible for doing so. Determine who will be notified when a breach occurs, what the timeline is for doing so and who else might need to be notified. Also, identify which experts should be part of the breach response process, such as legal, information security and public affairs representatives, and make sure they know what their roles are if a breach takes place.
- Bear in mind that any technology used for providing telemedicine services needs to be included in your HIPAA risk assessment.
Unless you work for a large organization, you probably won’t dig into security issues this deeply. Particularly if you work for a smaller practice with ten or fewer clinicians, you may end up outsourcing your entire IT function, including security and privacy protection.
However, it’s important to remember that members of your organization are ultimately responsible for any security violations, whether or not a contractor was involved in permitting the breach to happen.
It’s important that at a minimum, you have a security protection and incident response process in place — going well beyond “call the IT consultant” — that protects both patients and your practice from needless health data breaches. As you add telemedicine to the mix, make sure your process embraces that data too.