HIM’s Role in Evaluating and Securing Telehealth Solutions

The adoption of virtual patient care services, including remote patient monitoring, video conferencing, and patient engagement applications, was steadily rising among provider organizations before the declaration of the public health emergency this year.¹ The COVID-19 pandemic merely accelerated adoption of these tools in an way that defies precedent in the annals of health IT.

Patients and providers have accepted the use of telehealth applications as the new normal for patient-provider interaction. In fact, a recent Updox survey showed that more adult patients are using telehealth services. Of the respondents, 65 percent said they enjoy using telehealth because the visits are more convenient than meeting their physician in an office, and 63 percent said they like not having to worry about being exposed to other potentially sick patients.²

A Win-Win-To-Be-Determined Scenario

For patients, using telehealth services puts them in the driver’s seat, enabling them to be more accountable and responsible for their own care. With a telehealth visit, a patient can have all their information displayed in front of them when talking to their physician. And, since patients commonly feel more comfortable in their own home setting, they will ask more and better questions of their providers.

For providers, telehealth allows them to see a patient anywhere he or she might be located. This is especially helpful for providers who have patients in rural areas, or who otherwise have difficulty with transport to an office location.

And health information management (HIM) leaders, as the end-users of patient data, ultimately benefit from increased access to health records and patient information. Telehealth applications enable the availability of more information via interoperability with electronic health record (EHR) systems, medical devices, wearables, and other services.

However, the rush to provide telehealth options during the COVID-19 pandemic left healthcare organizations with limited time to properly vet telehealth services and applications, opening potential data security gaps and vulnerabilities. Providers have to consider the added responsibility of securing all of their patient’s data stored and transmitted via telehealth applications or devices.³

How can providers and HIM leaders focus on protecting patient information while still offering new ways to engage with patients?

In this article, we explore the HIM leader’s role in selecting and implementing telehealth solutions, along with top data security and contractual considerations for telehealth, and steps to take if organizations implemented telehealth services during the COVID-19 pandemic.

HIM’s Role in Making Decisions Around Telehealth

HIM leaders should take an active role in the evaluation and implementation of telehealth services, specifically in the areas of security, interoperability, and reimbursement. HIM leadership is crucial to ensuring governance standards are created and met with telehealth vendors, and with providers and patients who interact with those services.

More specifically, HIM leaders should focus on the following in relation to telehealth:

• Create documentation standards and ensure those standards are followed.
• Collaborate on the development of telehealth policies.
• Develop checklists that providers should follow for telehealth services.
• Develop training around telehealth services for both providers and patients.
• Educate physicians on proper documentation, patient safety, and data security when using telehealth applications.
• Work with the IT and Security teams to vet telehealth services, considering security and compliance implications.

Moreover, though the COVID-19 pandemic introduced fluidity into the operations of patient care, the standards for documentation of care should not change. Documentation is still crucial for helping organizations ensure accurate billing, coding, and public health reporting.⁴

Data Security for Telehealth

When working with their partners in IT and security to evaluate telehealth solutions and vendors, HIM teams should remember these essential data security elements:

• The telehealth solution must work on a VPN. Regardless of the device—laptop, desktop computer, or mobile device—the telehealth service cannot simply use cellular or Wi-Fi service. For security purposes, it must connect through a VPN.
• The telehealth application must be secure and HIPAA-compliant in the way it captures, stores, and transmits information.
• The solution must also capture proper patient information for billing purposes, without adding extra work for the organization.
• Leaders should budget and plan appropriately for security around telehealth solutions. When evaluating solutions, consider adding 10 percent to the cost of the solution to cover security costs.
• IT and HIM teams should bring the chief information security officer in early during evaluation discussions, to ensure his or her team is aware of the impending purchase and can support post-implementation.
• The IT team should make sure the organization’s network can support the technology. Consider all provider locations, internet speed, VPN, and Wi-Fi. Is the organization functionally set up to support a telehealth solution?

If the healthcare organization, regardless of size or scope, already implemented one or more telehealth solutions, now is a good time to review the current state. Review your processes, standards, and controls since implementation—especially if the organization had to move quickly during the pandemic. Identify any gaps in security and privacy controls and create an action plan for mitigation.

Telehealth as Business Associates

Telehealth solutions, like any other third-party vendors, are considered business associates (BAs). When selecting a telehealth application or service, what should providers look for and include in contracts to protect patient and organizational data? Here are our recommendations:

• Verify how the telehealth solution works with Medicare, Medicaid, and private insurance carriers. Has the solution been tested for reimbursement? If so, what were the results? Ensure that your organization will get paid appropriately with use of the solution.
• Perform a risk assessment on the telehealth solution, and on any downstream BAs. If the solution is cloud-based, ask the vendor to provide SOC reports. Treat telehealth applications like any other high-risk third-party vendor.

Telehealth in the Age of COVID-19

For better or worse, the COVID-19 pandemic required fast-paced—and perhaps not-so-secure—implementation of telehealth applications and services. Under normal circumstances, proper vetting of third-party vendors and software would occur, but the rush to operationalize remote patient care, unfortunately, resulted in security gaps and vulnerabilities.

Physicians using personal mobile devices and SMS texting, or other paths of least resistance, open providers to non-secured communication of patient data, which violates HIPAA. So, what should providers do now to make sure patient data is secure when continuing to use telehealth applications and services?

Now is the time to step back and re-evaluate any telehealth solutions currently in place to make sure they are secure. Perform security and compliance assessments on all telehealth solutions, ideally using a governance, risk, and compliance (GRC) solution to capture audit documentation.

This may come in handy if the organization is audited for security and compliance protocols that were put in place during the pandemic. Conduct an electronic protected health information (ePHI) vulnerability assessment to document every location that ePHI exists. Finally, cross-check the organization’s administrative, technical, and physical controls against the HIPAA Rules, and against the NIST Cybersecurity Framework or other similar framework.

Operational patient care is always the number one priority for providers. However, with HIPAA regulations around telehealth temporarily relaxed, stepping back from HIPAA seemed almost natural—without fear of penalties, providers could deliver care in the way they saw fit. But, this is a misconception. HIPAA never went away, nor did the need for healthcare organizations to consider privacy and security as foundational to providing the best patient care. Patient care comes first, but that doesn't mean that security and privacy can be sloppy. Take the time to evaluate vendors before signing on the dotted line.

Notes

1. Landi, Heather. “Half of physicians now using telehealth as COVID-19 changes practice operations.” FierceHealthcare, April 23, 2020. https://www.fiercehealthcare.com/practices/half-physicians-now-using-telehealth-as-covid-changes-practice-operations.
2. Reynolds, Keith A. “Survey: Telehealth on the rise, popular with patients.” Medical Economics, May 21, 2020. https://www.medicaleconomics.com/view/survey-telehealth-rise-popular-patients.
3. Robinson, Judy. “Why You Must Consider Cyber-Security for Telehealth.” Clinician Today, January 22, 2019. https://cliniciantoday.com/why-you-must-consider-cyber-security-for-telehealth/.
4. Lusk, Katherine. “Telehealth: For HIM Professionals, Challenges Worth Meeting.” Health Tech Magazines, April 28, 2020. https://www.healthtechmagazines.com/telehealth-for-him-professionals-challenges-worth-meeting/.

Gerry Blass (gerry@complyassistant.com) is president and CEO at ComplyAssistant.

Paul Garrin (Paul.Garrin@urbanhealthplan.org) is chief information officer at Urban Health Plan, Inc., and chief technology officer for Tradepostusa.com.