Telehealth Post COVID-19
COVID-19 has dramatically changed the way healthcare is delivered. Providers were forced to pivot quickly from total reliance on “in-person” visits to total reliance on alternative delivery methods. Between early March 2020 and early April 2020, the number of visits to ambulatory practices declined by nearly 60%. 
While ambulatory visits are starting to rebound, the overall impact appears to indicate that there is still a significant decline in in-person visits to healthcare providers. Over the same period, telehealth visits have increased. While the use is declining somewhat, most experts believe that COVID-19 has fundamentally changed the delivery model to include an increased reliance on telehealth.
A recent McKinsey & Company report predicted that up to $250 Billion of the current healthcare spend could transition to telehealth.  The study also indicated that consumers were significantly more likely to use telehealth going forward, and providers view telehealth more favorably than they did before COVID-19.
The Healthcare Financial Management Association recently published an article in which a physician stated that by using telehealth, he believes he/she could reduce his/her in-office days to two per week.  It’s easy to see how providers will want to utilize telehealth going forward to reduce expenses.
All of this information suggests telehealth is here to stay. At the start of the COVID-19 response, the Centers for Medicare and Medicaid (CMS) Office of Civil Rights (OCR) issued a waiver of potential penalties for HIPAA violations related to telehealth use, which enabled providers to implement it quickly without fear of HIPAA enforcement.  However, at some point, OCR will rescind this waiver and expect providers to ensure their telehealth is HIPAA complaint. In addition, the waiver may not fully protect a provider from other legal actions should a breach of Protected Health Information (PHI) occur while using telehealth.
Securing Your Telehealth Environment
While consumers are showing an increased interest in using telehealth, there are still concerns about the security of PHI in the telehealth environment. A recent survey indicated over 25% of consumers surveyed were worried about the privacy of their PHI.  This concern is only heightened by media reports of the risk of video call hijacking or ‘zoombombing’. In order to increase consumer acceptance and ensure continued compliance with HIPAA requirements, organizations that have implemented telehealth in response to the COVID-19 pandemic need to take steps to secure their telehealth environment.
Step 1 – Evaluate Your Providers
As organizations raced to respond to COVID-19, many did not have a chosen telehealth provider. As a result, physicians and other practitioners often signed up with services independently. Recently one provider with an extensive provider network was quoted as indicating her organization had providers using FaceTime, Zoom, Cerner, and other telecommunication platforms. 
Before you can secure your environment, you need to understand what your providers are using. You will then need to make some decisions. Do you continue to allow providers to “pick their solution”, or do you go with a standardized product throughout the organization?
The pros of “pick their solution” are that your providers are comfortable with their choices. The cons of “pick their solution” are that it is significantly more risky to have multiple solutions. Additionally, your patients may find it confusing to use FaceTime for appointments with the cardiologist, Zoom for appointments with the internist, and Microsoft Teams for appointments with yet another provider.
Once you have inventoried your providers, you need to do a vendor evaluation. This should be done regardless of if you have one vendor or five. The vendor evaluation can also help you reduce the number of products being used. While a significant portion of the evaluation should focus on the ease of use, tool performance, and other factors, you also need to consider security.
Performing vendor due diligence is not only a HIPAA requirement but will help you reduce the risk of a data breach. Remember that even if the telehealth vendor has the breach, your organization will be subject to both potential reputational damage and a review by the OCR to verify you had appropriate controls in place.
At a minimum, your vendor assessment should include the following:
- Is the vendor HIPAA compliant? Can they provide you evidence of that compliance?
- Does the vendor have any security certifications, such as HITRUST?
- Have they provided you with details on what they do with your data? Is the data maintained by the vendor? If so, how is it stored and what protections are in place?
- What is their communication protocol? Do they have protections to prevent ‘zoombombing’?
- Do they train their personnel on the protection of PHI?
- Do they have a well-developed incident response plan?
Once you have evaluated and selected your final vendors, be sure to execute a Business Associate Agreement (BAA) outlining your expectation of their compliance with the applicable HIPAA regulations.
Step 2 – Secure Your Environment
Now that you know who you are going to use and are reasonably certain that they are protecting your data, you need to look at your environment. Even during a pandemic, bad actors have not reduced their efforts. In fact, they may be finding much easier targets as people work from home without readily accessible IT support or coworkers to advise them.
The Cybersecurity & Infrastructure Security Agency (CISA) has developed Guidance for Securing Video Conferencing.  While not specific to healthcare, they do give you a roadmap for establishing a secure environment. Their guidance can assist you in securing your telehealth environment. At a minimum, you should verify that your users are connecting securely, access is properly restricted, file sharing is appropriate, and your tool has all the current security features.
Securing your environment also extends to securing the devices used for telehealth. All devices, both organization-owned and personal, should be managed using a mobile device management tool that is password-protected, encrypted, and up-to-date with anti-malware software and other security measures. Your network should be configured to approve both the user and the device before allowing access and automatically log off inactive sessions. Logging of network activity should be done, and logs should be audited to identify potentially unusual activity.
Step 3 – Train Your Providers
You probably already do annual HIPAA training, but as we move towards more telehealth, make sure your training is enhanced to address the risks of telehealth. Specifically, training should remind providers that telehealth should be delivered securely. They should be aware of where they are and who can overhear them. Providing telehealth in a public space or in front of family members could result in a HIPAA violation. Remember, the current COVID-19 waiver only protects the telehealth activity; if you disclose PHI while providing care at Starbucks, the OCR would probably not think you had made a good faith effort to protect that information.
Training should also cover restricting access to the device used to provide services and the physical and logical security of that device. Take this opportunity to remind your workforce that leaving laptops unattended in cars or other places is never a good idea. Remember, a laptop is stolen every 53 seconds, and in 2018 45% of the healthcare information breaches were a result of lost or stolen laptops. 
This is also a good time to do refresher training on IT security, including reminders of the risks of phishing. Finally, you should make sure your workforce is aware that even though you may be receiving emails and phone numbers for the provision of telehealth, care needs to be taken before using that information for any other purpose. You don’t want to comply with HIPAA only to find yourself subject to a TCPA lawsuit.
While HIPAA has been around for over 20 years, we continue to see breaches and OCR fines resulting from a failure to comply with HIPAA regulations. CompliancePoint’s HIPAA reviews consistently show that organizations have not fully implemented the HIPAA Privacy, Security, and Breach rules. The increased use of telehealth will only create additional opportunities for data breaches unless organizations take a step back now and verify that their telehealth environment is secure. Consumer confidence in your organization could be significantly impacted if it turns out you were using insecure tools or failed to take expected steps to protect the telehealth environment.
CompliancePoint has experienced assessors who can help you evaluate your HIPAA program, including your telehealth services. If you are interested in how we can help, please reach out to us at 855-670-8780 or firstname.lastname@example.org
Finding a credible expert with the appropriate background, expertise, and credentials can be difficult. CompliancePoint is here to help.