As the COVID-19 pandemic continues to sweep the globe, telemedicine and telehealth services have seen an unprecedented surge in demand. In the United States, Medicare telehealth visits increased from 840,000 in 2019 to 52.7 million in 2020. This explosive growth is likely due to a number of factors: the ease and convenience of telehealth services, the lack of available in-person healthcare options, and heightened concerns about exposure to the virus.
In response to the increased demand for telehealth services, the Department of Health and Human Services (HHS) has issued a number of guidances that relax certain HIPAA standards so that patients can continue to access care. These guidances also give providers more time to attend to patients and less time spent on administrative duties. While this is good news for patients and providers alike, it also brings with it a host of new cyber security risks.
What HIPAA Standards Have Been Relaxed Due To COVID?
Although convenient for providers and patients, the guidances issued by HHS result in less secure transfer and storage of data. Despite these guidances, telehealth providers are still expected to take measures to protect patient data and adhere to HIPAA requirements. Below we list a few of the HHS guidances, and what telehealth providers can do to keep patient data secure.
According to the remote communications guidance, under the good faith provision, telehealth providers are permitted to use telecommunication technologies that may not fully comply with HIPAA requirements, such as FaceTime and Skype. This poses a potential problem because these telecommunication technologies may leave patient data exposed. For example, some of these telecommunication technologies may not be encrypted, which means telehealth providers using these platforms to communicate with patients could risk exposing patient data in transit.
In an effort to protect data, providers should look into and encourage the use of encrypted, HIPAA-compliant telecommunication technologies such as Doxy.me, Zoom for Healthcare, and Updox for telehealth visits. See the HHS guidance for a more thorough list of acceptable (and unacceptable) telecommunication options during the COVID-19 pandemic.
Inherent in the previously mentioned telecommunication guidance is the fact that health care providers can see patients at home or in other non-traditional locations without violating HIPAA requirements. This poses a potential data security problem because telehealth providers have little control over their patients’ environments (network, devices, software), which could potentially lead to a data breach.
To mitigate the risk of a data breach, telehealth providers should encourage their patients to install and use anti-virus software (Kaspersky’s Security Cloud is a good free option) and only connect to their consultations via secure networks.
Sharing of Patient Information
HHS also relaxed HIPAA’s prohibition on telehealth providers sharing patient information. Covered entities may now disclose, without a patient’s authorization, protected health information about the patient as necessary to treat the patient or to treat a different patient. Sharing of patient information is also permitted to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
Although health providers are allowed to share this information, they should only do so with trusted health professionals who will not abuse the privilege. Sharing should be limited as much as possible.
Operating in Unlicensed States
HHS has also clarified the circumstances under which a provider is permitted to treat patients in states where they do not hold an active license. This guidance states that covered healthcare providers can provide telehealth services to patients in other states as long as they adhere to the telehealth laws of the patient’s home state. This has cyber security repercussions because it risks exposing patient data to healthcare professionals who do not have fully secure systems.
In order to mitigate risk, health providers should ensure they review telehealth guidelines by state before providing services in that particular state. If they cannot meet those guidelines, they should refrain from providing services to patients in those states. To get a better understanding of what is required in a certain state and the status of this waiver, you can view the AMA’s up-to-date list of telehealth laws and COVID amendments by state.
Timing of Treatment
HHS has also relaxed the timing requirements for treatment under HIPAA. This means that telehealth providers are no longer required to document the date and time of every telehealth interaction.
While this may seem like a win for telehealth providers, it could also lead to an increase in data breaches, or breaches that go unnoticed, when telehealth interactions are not properly documented. To mitigate this risk, telehealth providers should continue to document all telehealth visits, even if HIPAA no longer requires it.
Health providers must exercise caution when adopting telemedicine or telehealth services in light of the relaxed HIPAA standards. Although these guidelines allow telehealth providers to provide care during a global pandemic, they also increase cyber security risks.
The telehealth industry is relatively new and will likely experience growing pains as telehealth providers try to balance meeting HIPAA requirements with providing quality care to their patients. By being mindful of the cyber security risks, telehealth providers can safely provide telemedicine and telehealth services during this time of crisis.
Are you a telehealth provider with further questions regarding HIPAA compliance? Feel free to reach out to Red Lion and we’d be glad to help!