By Michael Hawkins
It was announced in March that in light of the COVID-19 pandemic and the need for speed in related testing and treatment, the federal government would waive certain sanctions and penalties for HIPAA violations related to telehealth services. The goal of loosening the restrictions is to enable providers that don’t have a robust telehealth setup already in place to more easily make the transition, potentially using applications such as Google Hangouts and Facebook chat to converse with patients.
While the loosened restrictions have helped providers and patients alike in the emergent pandemic situation, it’s important to remember that the government—and other entities—will likely be taking a long, hard look at privacy and security issues once the current crisis has passed.
Health information management (HIM) professionals need to think not just about what is necessary to enable clinicians to communicate and exchange information in the moment but also about the impact that relaxed standards for privacy and security may have in the future. In other words, it’s essential to think about what may occur after the fact of the COVID-19 pandemic well before we get to that point. And while the currently relaxed atmosphere for some regulations means the government will not penalize healthcare organizations for looser standards in guarding protected health information (PHI) during telehealth visits, that does not release those organizations from their moral obligation to do so.
Yes, patients want easy access to their providers. And yes, providers need help working efficiently as the entire healthcare system is taxed beyond its limits like never before. Still, as the guardians of that information it is up to HIM professionals to protect both patients and the organization.
HIM professionals responsible for managing privacy and security must find a way to balance risk and protection. They shouldn’t be so fearful or spend so much time analyzing the risks that they do nothing to help expedite the exchange of data. But they also cannot allow the desire to implement or expand telehealth in this time of need to turn their telehealth processes and procedures into the wild west.
Fortunately, most of the security and privacy protocols needed to take advantage of telehealth should already be in place. A good example is using a secure virtual private network (VPN) rather than standard open internet connections to access applications and share information from remote locations. All telehealth communications should be conducted over a VPN. HIM professionals should ensure their VPNs (and other systems) are prepared to scale, especially with the increased demand of multiple video calls. Other recommendations to keep in mind include:
- Ensure any telehealth applications have HIPAA compliance baked in. This should be a given for any application developed specifically for healthcare, although HIM professionals should confirm it anyway, just to be safe. If the organization decides to use an application that was not specifically designed for healthcare, those systems should have HITRUST certification, SOC 2 compliance, and be approved for HIPAA. Zoom, for example, has a business version that is HIPAA-compliant, but its consumer version is not. HIM professionals should exercise caution when multiple versions of a product exist. Selecting solutions that meet these standards protects not just the data itself, but also the organization in the future.
- Provide proper education and training. Clinicians who are new to telehealth may not think about the fact that PHI, passwords, or other confidential information may be readable in the background when they are conducting a video call. Likewise, they may not think to check whether such information is also accidentally included in a screen-share view of their desktop. Anyone who uses the telehealth systems should be trained—and reminded frequently—to be aware of their surroundings at all times as well as other best practices for securing PHI over video.
- Remind users about best practices they should already be following. When looking at the sources of new threats, it’s easy to overlook the threats that everyone “should” already know about. That can be a mistake. For example, electronic health records should always be closed when the clinician is finished and leaving the data terminal. Additionally, clinicians should only use secure, HIPAA-approved email, text, and other communications applications whether communicating internally or externally, and all files that are being shared should be encrypted in transit. Users should also be reminded about ways to detect phishing scams that are used to gain access to hospital networks. Overloaded physicians, nurses, and other employees may not think twice about clicking on a link or document that appears to be from someone they know (especially a clinical leader), so it’s up to HIM professionals to ensure they exercise extreme caution before doing so. All those best practices were implemented for a reason. They are more important than ever when working in a crisis.
- Drive home the importance of proper documentation. Just as with face-to-face encounters, it is important for clinicians to understand that all telehealth calls must be logged in the electronic health record (EHR). If they are working remotely, they should log in via the VPN to do so. If they are unable to access the EHR at the time of the encounter they should know it is permissible to log the information in a secure Word document, but it should then be logged into the EHR as soon as possible. Sharing documents via some of the popular Internet-based open systems should be forbidden. Only those that are willing to sign a business associate agreement (BAA)—such as Dropbox, for example—should be authorized. In the worst-case scenario, where a Word or other document must be emailed over an open system so the data can be entered by someone else, the document should first be encrypted. The encryption key should then be forwarded separately, preferably using a different mode of communication such as a phone call or secure text.
- Continue to perform regular user reviews. If your organization is new to telehealth, you may want to increase the pace of reviews to understand which users are using the VPN (if you have one) and following other rules as well as which are not. The earlier you can remediate any issues, the better off patients and the organization will be. These reviews can be performed without slowing down the healthcare professionals for whom every minute is precious right now. Additionally, demonstrating you were actively managing the situation is likely to be viewed favorably should a problem come up in the distant future.
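The worst-case path above (encrypt the document, email the ciphertext, send the key by a separate channel) as an added example; this is not code from the article or from Vivify Health. It assumes AES-256-GCM so that a wrong key or a tampered attachment is rejected outright, and it adds an assumed convention: a short key fingerprint that can be read aloud on the phone call so the recipient can confirm they hold the right key without the key itself ever being spoken or emailed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptDocument seals the document under a fresh random key. The returned blob
// (nonce || ciphertext || tag) is what gets emailed; the key travels separately.
func EncryptDocument(doc []byte) (key, blob []byte, err error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return nil, nil, err
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	return key, gcm.Seal(nonce, nonce, doc, nil), nil
}

// DecryptDocument opens the blob; a wrong key or an altered byte fails GCM authentication.
func DecryptDocument(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("unusable key or blob: %v", err)
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, blob[:n], blob[n:], nil)
}

// KeyFingerprint gives 8 hex chars of SHA-256(key) to read aloud on the phone
// call, so the recipient can confirm the key they received (assumed convention).
func KeyFingerprint(key []byte) string {
	sum := sha256.Sum256(key)
	return hex.EncodeToString(sum[:4])
}
```

The blob and the key must never travel in the same email; the fingerprint is only a check that the separately delivered key is the right one, not a substitute for sending it over a secure channel.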
It may be difficult to imagine at the moment, but we will get through the COVID-19 pandemic. When we are no longer dealing with the emergent crisis and are able to look back, “we were pressed for time” will not be an acceptable excuse if PHI is purposely stolen or accidentally released. HIM professionals must take the proper steps today to ensure their organizations are protected for tomorrow.
Michael Hawkins is chief technology officer and vice president of software development at Vivify Health.