Mysteries Solved: Telehealth, Data Security and Privacy

The following is a guest article by Gerry Blass, President and CEO at ComplyAssistant and Donna Grindle, Founder and CEO at Kardon.

Even prior to the COVID-19 pandemic, the use of telehealth applications and services was on the rise. A January 2020 survey by the American College of Physicians (ACP) showed an increase in usage of telehealth technology for remote care management, patient monitoring, e-consults and video visits. The survey results indicated that video visits saw the largest year-over-year increase in usage, from 3 percent in 2019 to 10 percent in 2020. When asked about barriers to using telehealth technologies, respondents cited their top five:

  1. They were more comfortable examining patients in person and communicating face-to-face.
  2. They had challenges integrating virtual care into an already established workflow.
  3. They did not have the staff to set up and run the technologies.
  4. They were concerned about potential medical errors.
  5. Their patients did not have access to technology to support virtual care.

If we fast-forward from January 2020 to April 2020, we saw that a vast number of physicians went from little or no usage of telehealth, to an astounding increase in the rate of usage. A physician survey from Merritt Hawkins conducted in April 2020 showed that nearly 50 percent of physicians have embraced telehealth, up from only 18 percent in 2018.

The good news is the use of telehealth technologies and services is on the rise. Nearly every type of provider is using telehealth technology. Despite the previous barriers to acceptance, physicians and patients love it. We won’t go back now.

The bad news? The sheer need to act quickly during a crisis, the desire for physician practices to do whatever possible to care for their patients and keep their businesses viable, and the temporary HIPAA waivers by the Office for Civil Rights (OCR) all meant that technologies were often not vetted or implemented properly to comply with HIPAA privacy and security regulations.

If we compare this to Meaningful Use (now known as Promoting Interoperability) and the Affordable Care Act, providers had years to implement usage of electronic health record (EHR) systems. Even with years to plan and implement, data security was not a priority, which is partially why we started to see an uptick in cyberattacks around 2015. With COVID-19, implementation of new telehealth technologies occurred so quickly that proper vetting and security protocols simply fell to the wayside.

In addition, when small practices began to roll out telehealth technologies, they quickly realized that the technologies may not work as well in practice. Performance and quality issues and the inability of providers to use such products as indicated led providers to the path of least resistance—video chat, email and SMS texting—none of which is secure or meet HIPAA regulation standards.

Providers’ top three questions answered

In our daily interactions with providers, we understand very clearly that patient care always comes first. Always. We agree, but also want providers to understand that HIPAA still applies, even during a crisis, and providers still need to maintain security of data and patient privacy.

And, since we are all moving at such a fast pace, there is no single point of real, accurate information. To that end, here are the top three questions from providers regarding the use of telehealth and ensuring data privacy and security.

  • Has HIPAA gone away?
    This is arguably the most common question we receive from providers. The answer is a resounding no! Though the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR) issued emergency waivers to provide flexibility during the pandemic and to grant payment parity between telehealth and in-person clinical care, the HIPAA Rules still apply.
  • How does enforcement discretion apply to me?
    The Office for Civil Rights (OCR) in March issued a Notification of Enforcement Discretion, which essentially says that covered entities (CEs) will not be subject to penalties for HIPAA breaches related to telehealth during the pandemic, assuming the CE made a good faith effort to protect the data. The OCR will use “enforcement discretion” to determine good faith or negligence. We’ve seen, however, that there are physician practices that intentionally decided to use a non-secure telehealth technology even when they had secure options already available and in use. This leaves them open for OCR to make the determination whether or not they acted in good faith and could be found negligent.
  • Do patients still have a right to privacy given the circumstances?
    Yes, yes and always yes. Patients have not given up their right to privacy because of COVID-19 or any other crisis. Unfortunately, there is a lack of true understanding—even among individuals—of what we can and cannot say. In working with providers, we often hear stories of COVID-19 diagnoses shared with parties who should not be privy to that information. In one example, we learned that a small town’s post office decided not to deliver mail to a particular person due to a rumor that the mail recipient had been diagnosed with COVID-19. Regardless of the time, the diagnosis, crisis or not, patients still have a right to privacy.

Budgeting and planning for data security in telehealth

Small practices and solo providers are very different from hospitals and health systems in how they budget, plan and manage IT. Here are our top four tips on what providers should do to focus on data privacy and security.

  • Create two line items in your budget: one for IT and one for security. Small and solo practices typically do not have these individual line items; rather all “IT” is often rolled under business expenses. Even if you use a managed service provider (MSP) to handle all of your IT, privacy and security efforts, make sure the expense is listed as a separate budget line item.
  • Prepare and budget to roll over your technology every three to five years. Common practice in a provider office is to use devices until they no longer work. However, this does not allow for upgrades in functionality or security over time.
  • Establish a long-term plan to bring patient treatment online. As we saw from the barriers to use of telehealth, providers cited challenges with “integrating virtual care into already established workflow.” With COVID-19, practices were effectively forced to use telehealth to maintain patient care and stay afloat, but operationally were not ready for the task. Take time to plan how you and your patients will use telehealth applications and how it will work to benefit your business.
  • Start talking about technology, data privacy, security, governance, risk and compliance in board meetings. “HIPAA” is so often perceived as a four-letter word among providers that it’s difficult to separate the perception of HIPAA from why data privacy and security are fundamental to running a business. Did you know that it is statistically unlikely that a provider will have a fine imposed by OCR? HIPAA is not the problem. The problem is violating your patient’s privacy and security, and the patients really do have a problem with it. Violations of privacy impact your reputation, referral base and much more.

What to look for in telehealth vendors

Just like any third-party vendor or business associate, telehealth providers and services should undergo the same level of scrutiny to ensure data security and patient privacy. Here are our top seven recommendations when evaluating telehealth vendors.

  • Avoid any vendor that claims their product is “HIPAA certified.” There is no such thing as HIPAA certification. This claim is false. If you see a vendor promoting this, it is an immediate indicator that they do not truly understand HIPAA. Along the same lines, avoid working with a vendor that asks you to tout their 100% HIPAA guarantee. This can make you a target for attackers who want to prove you and the vendor wrong. Also, pay attention to those that cannot properly spell “HIPAA” throughout their documentation and advertising. One instance is a typo, but several instances may show a lack of attention to detail required to meet the standards.
  • Look for a vendor that adheres to the NIST Cybersecurity Framework, or other similar frameworks. Remember that HIPAA is the bare minimum for privacy and security standards. If your organization has decided to adopt NIST CSF or another framework to go above the minimum requirements, you should evaluate telehealth vendors against those standards.
  • Ask for the vendor’s standard requirements for breach notification. Compare that with your own requirements and use this as a negotiation point. Preferably the CE (Covered Entity) should receive notification of breach within five business days; ten business days is the maximum you should allow.
  • Find out what the telehealth vendor’s standards are for software security. Telehealth software providers are just as vulnerable to breach as any other software development, especially during development and the push to production. Your telehealth vendor should have standards and processes for both data security and software security.
  • Make sure the vendor addresses standards for any downstream business associates and software providers.
  • Look for some sort of indemnification. If the vendor is responsible for the loss of data, they should pay for the loss. Similar to #3 above, rather than sending them your business associate agreement (BAA) template, ask for theirs. You will get an immediate indication of how the vendor conducts business.
  • Request a service level agreement (SLA) that clearly outlines what the vendor will do if and when the technology goes down and what they will do to support your organization, especially if patient care relies directly on the technology. Make sure you include a section in your business continuity plan that allows for telehealth services to be unavailable for an hour, a day, a week, a month or longer.

One final thought. Small and solo practices typically do not have the time or expertise to handle all of this on their own. Consider engaging a consultant who can help evaluate telehealth vendors, discover potential risks and gaps that you might have in your current telehealth service, and protect your business—and your patients—from data and security breaches.

It’s clear now that telehealth technologies and virtual patient care are here to stay. And so is HIPAA. In fact, we anticipate that software providers, even those such as Apple, will be more likely to update their software to adhere to HIPAA before HIPAA loosens any privacy restrictions. And, we know that regardless of the circumstances, patients always have a right to privacy. You need telehealth to care for your patients and stay in business, but you need data security to protect that business. Both are equally important and fundamental to the future of healthcare.

Want more? Check out these additional resources.

About Gerry Blass

Gerry Blass brings over 35 years of experience in healthcare information technology. Prior to ComplyAssistant, Gerry was the Chief Information Security Officer (CISO) for a major healthcare system in New Jersey. As the CISO, Gerry built the HIPAA Privacy and Security programs and chaired their multidisciplinary governance team. In 2002 Gerry founded ComplyAssistant to provide software and service solutions for HIPAA and IT strategic planning. Gerry currently chairs the NJ HIMSS Privacy, Security and Compliance Committee and participates in national and local chapter events that include NY, NJ and Delaware Valley. Gerry contributes to healthcare compliance articles and postings in various blogs and publications. Gerry shares content in HIPAA 411, a LinkedIn group he co-founded, along with many other related LinkedIn groups. Gerry is an active member and presents at industry association events with HIMSS, HFMA, AITP, NCHICA, NJPCA, NJAMHAA and HCCA.

About Donna Grindle

Thirty years is a long time to do anything, but that’s how long Donna Grindle has been helping those in the healthcare profession with their IT, security and privacy needs. After spending her early years in software development, she progressed through the ranks to management and executive positions throughout the 1990s. She struck out on her own in 1998, specializing in consulting and technology support for a variety of businesses in the medical industry. As founder and CEO of Kardon, Donna’s extensive experience is focused on developing and maintaining effective privacy and security programs for a variety of businesses, with a particular focus on those that must be HIPAA-compliant. A Certified in HealthCare Privacy Compliance (CHCP) professional by the Compliance Certification Board, she educates clients and peers alike about the complexities of healthcare privacy compliance as a sought-out speaker, trainer and podcaster. She is also an active member and sponsor of many healthcare and compliance-related groups including HIMSS, AHIMA, HCCA, GMGMA, DMA, SOMSA, NGMGMA and MGMGMA.