Through innovative solutions and connected health technologies, many of the challenges facing health care delivery in the country are being addressed. Connected health is a well-adopted and established model of healthcare delivery in the United States. It refers to a wide range of methods for delivering health and medical care through communications technologies, including telehealth and telemedicine.
Telehealth and telemedicine help patients manage their conditions through an improved communication channel with their healthcare providers. They give patients self-care capabilities and allow doctors and other healthcare providers to extend clinical care beyond the traditional facility and into the home.
The use of electronic communications and information technology is central to the success of telehealth. It has allowed doctors, nurses, physical therapists, pharmacists, and many others to deliver health-related services at a distance. Telehealth has shown significant promise over the years, and with an improved service delivery model it is widely seen as the future of healthcare.
- Telehealth During the Pandemic
- Health Insurance Portability and Accountability Act – HIPAA
- Personal Health Information and Health Apps
- HIPAA, Telehealth and Your Privacy
- HIPAA Guidelines for Telehealth
- HIPAA-Compliant Telehealth
- Ways to Prevent Security Risks in Telehealth
Telehealth During the Pandemic
In light of the global pandemic, demand for telehealth services grew exponentially, and telehealth became one of the most welcomed changes in the healthcare system during COVID-19. It reduced hospital staff’s exposure to persons suspected of having contracted the virus and conserved personal protective equipment (PPE). Most importantly, telehealth is credited with minimizing the impact of patient surges on hospitals; this is where it made its most significant impact.
Healthcare systems had to innovate and find ways to attend to patients during the pandemic. Through telehealth services, hospitals and medical facilities were able to triage, evaluate, and care for patients without relying on in-person visits, while keeping the risk of transmitting the virus to healthcare personnel or other patients to a minimum.
Telehealth and telemedicine technologies are not new, but they regained their appeal in the healthcare industry because of the pandemic. Adopting telehealth in patient care became a first line of defense against transmission within the hospital environment.
Policy Changes During the Pandemic
To ensure that patients and healthcare providers could access telehealth technologies immediately, policy changes were paramount. This came as a result of the surge in demand: in March 2020 alone, telehealth visits rose 154% year over year. Patients and healthcare providers needed, and expected, the technology to work.
Before COVID-19, telehealth initiatives were perceived mainly as a way to fill gaps in access, quality, and cost in American healthcare. They include, but are not limited to, the following:
- Remote clinical health care;
- Patient and professional health-related education;
- Public health; and
- Health administration through the use of information and communication technologies.
Adopting technological advances in healthcare delivery has also allowed the integration of artificial intelligence (AI) systems into telehealth. This makes for a smoother transition toward fully remote patient monitoring, which is helpful and important for patients with chronic or deteriorating medical conditions.
What changes were made during the coronavirus outbreak?
Despite being a familiar technology, telehealth and integrated AI were not common in the American healthcare system. One factor that stunted the progress and widespread use of the technology was the long-standing rules and regulations that govern the country’s healthcare industry.
In the past, the use of telehealth technologies was limited because of the following:
- Establishing a telehealth system entails high startup costs;
- It requires workflow reconfiguration;
- Clinician buy-in is arguably low;
- Challenges with patient interest and confidence in the technology;
- Reimbursement policies are often changing and ambiguous, especially across different states;
- State and federal regulations on the use of telehealth and artificial intelligence differ; and
- Different laws govern which costs and services delivered through telehealth and telemedicine are eligible for coverage.
The widespread effects of COVID-19 pushed Congress and the U.S. Department of Health and Human Services (HHS) to broaden the use of telehealth and telemedicine services in the country. Telehealth provisions became part of the Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020, which passed the House of Representatives and the Senate with near-unanimous support.
The legislation included an estimated $500 million for a waiver that removed restrictions on Medicare providers, a remarkable effort that allowed them to offer telehealth services to every beneficiary. The waiver covers all beneficiaries, whether or not they live in a rural community.
Effects of the waiver on the use of telehealth during the pandemic:
- Medicare requirements were waived, making remote care more accessible to beneficiaries regardless of where they live.
- Many states barred insurers from refusing reimbursement or coverage solely because care was delivered through telehealth.
- Healthcare providers could bill telehealth services at the same or a comparable rate as in-person medical services.
- State licensing requirements were temporarily relaxed in many states for providers licensed out of state.
- HHS’s Office for Civil Rights announced that it would not impose penalties for noncompliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules against providers using non-public-facing remote communication products in good faith for telehealth during the emergency.
Health Insurance Portability and Accountability Act – HIPAA
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law by then President Bill Clinton. HIPAA is pivotal legislation that, among other things, provides data privacy and security provisions to ensure that patients’ medical information is protected and kept safe. The law is divided into five separate “titles,” which set out the objectives of the federal government.
- Title I – HIPAA Health Insurance Reform
- Title II – HIPAA Administrative Simplification
- Title III – HIPAA Tax-Related Health Provisions
- Title IV – Application and Enforcement of Group Health Plan Requirements
- Title V – Revenue Offsets
In summary, HIPAA provides:
- Enables beneficiaries to transfer and continue their health insurance coverage when they change or lose their jobs, protecting millions of American employees and their dependents.
- Minimizes health care fraud and abuse.
- Institutionalizes industry-wide standards for handling health care information, especially electronic billing.
- Mandates the protection and confidential treatment of protected health information of every American.
What is HIPAA?
HIPAA mandates the creation of national standards to protect sensitive patient health information from leaks, fraud, or disclosure without the patient’s knowledge or consent. This federal law set the industry-wide standard for handling sensitive medical information and reduces the security risks patients face, especially in the age of electronic data processing. It also requires that specific patient health information be protected and secured. To implement these requirements, the United States Department of Health and Human Services issued the HIPAA Privacy Rule.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, or Privacy Regulation, sets standards for how healthcare providers, health plans (public and private insurers), and healthcare clearinghouses may use and disclose an individual’s health information. A patient’s health information is considered highly confidential and is referred to as protected health information (PHI). These organizations, collectively called “covered entities,” must comply with standards that give every individual the right to know, understand, and control how their medical records are used.
The Privacy Rule aims to achieve a two-fold goal.
- One, it aims to ensure that every American’s health information is well protected, and
- Two, it must do so while allowing the seamless flow of health information between various entities, enabling them to provide high-quality health care.
With this two-fold goal, the Privacy Rule must protect a patient’s personal health information while ensuring that public health and well-being are not compromised. It must permit the uses of information needed to care for patients while preserving their right to privacy.
What does the HIPAA Privacy Rule cover?
The Privacy Rule covers protected health information in any form, while the HIPAA Security Rule specifically deals with electronic protected health information (ePHI). The Security Rule complements the Privacy Rule and is the part most relevant to telehealth and telemedicine. Because both rules have the force and effect of federal regulation, health care providers, organizations, and their business associates must develop and strictly observe safeguards for the confidentiality, integrity, and availability of PHI.
The HIPAA Privacy Rule covers how PHI is handled, transferred, received, or shared, and it applies to PHI in every form, whether written or typed on paper, spoken, or electronic. Most importantly, its “minimum necessary” standard requires that only the minimum health information needed for the purpose be used or disclosed.
What is Protected Health Information?
HIPAA defines protected health information (PHI) as individually identifiable health information. This includes medical records collected, created, or transmitted about a patient’s past, present, or future health status. PHI “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.” Sensitive health information such as a patient’s diagnoses, medical test results, treatment plan, and prescription information is all protected under HIPAA.
With the rise of telehealth and telemedicine, it is important that HIPAA also covers ePHI, electronic protected health information: health information that is created, transmitted, stored, or received by electronic means. PHI covers patients and health plan members, but an individual’s education records and employment records are not covered by HIPAA. What makes a piece of information PHI is the possibility of linking it to a specific individual. Once health data has been de-identified under the Privacy Rule, either by removing the 18 identifiers listed below (with no actual knowledge that the remaining data could identify the person) or by a documented expert determination, it ceases to be PHI and the Privacy Rule no longer applies to it.
How far does the HIPAA Privacy Rule extend over protected health information?
HIPAA remains binding on Protected Health Information when:
- PHI is transmitted through electronic media;
- PHI is stored and maintained in electronic media; or
- PHI is transmitted or stored in other forms of media.
What does Protected Health Information include?
All individually identifiable health information falls under the definition of PHI, including demographic data, test results, insurance information, medical histories, and other information that can identify patients. PHI also includes the information that healthcare providers use to deliver high-quality medical care effectively.
Under the Code of Federal Regulations, protected health information is defined as health information and does not extend beyond that. Education records and employment records held by a covered entity in its role as employer are covered by other federal laws, not by HIPAA. Health information about individuals who have been deceased for more than 50 years is also no longer PHI.
What is individually identifiable information under HIPAA?
HIPAA covers individually identifiable health information held or transmitted by covered entities or their business associates in connection with treatment, payment, or healthcare operations. The Privacy Rule’s Safe Harbor de-identification method lists 18 identifiers that can be used to identify, contact, or locate an individual. If any of these identifiers appears together with a patient’s health information, the information is identifiable and therefore protected health information.
The following are the 18 identifiers whose presence makes health information PHI:
- Full Names;
- All geographical identifiers smaller than a state;
- All elements of dates (except year) directly related to an individual, and ages over 89;
- Phone Numbers;
- Fax numbers;
- Email addresses;
- Social Security numbers;
- Medical record numbers;
- Health insurance beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers (including serial numbers and license plate numbers);
- Device identifiers and serial numbers;
- Web Uniform Resource Locators (URLs);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger, retinal, voice prints;
- Full face photographic or comparable images; and
- Any other identifying data such as number, characteristic, or code that can uniquely identify an individual.
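As an added example (not code from the original article or from any vendor named on this page), the following Python script applies the Safe Harbor idea above to a constructed clinical note: it removes or generalizes the identifiers a regex can find (keeping only the year of dates, bucketing ages over 89 into "90 or older", leaving the state but removing the street and ZIP), takes names and cities from the structured record because free-text regexes cannot find them reliably, and re-scans the output as a residual check. The rule set, the bracketed tokens, the sample note and the structured-record mapping are this example's own assumptions; a production de-identification pipeline would additionally need named-entity recognition for names and places and a documented review under the Privacy Rule.

```python
"""Illustrative HIPAA Safe Harbor scrubber for free-text notes.

Added example; the rules, tokens and sample note below are assumptions of
this example, not the article's or any vendor's code.
"""
import re

# Constructed sample note about a fictional patient (not a real record).
SAMPLE_NOTE = (
    "Patient Jane Q. Example, a 90-year-old, DOB 03/14/1931, MRN 00483921, "
    "seen 2021-02-03 at 1200 Main St, Springfield, IL 62704. "
    "Phone 217-555-0142, fax 217-555-0199, email jane.example@example.org, "
    "SSN 123-45-6789. Video visit from IP 203.0.113.42; "
    "portal https://portal.example.org/visit/8841."
)

# Identifiers the free-text regexes cannot find reliably (names, cities) are
# taken from the structured record instead: value -> category label.
SAMPLE_STRUCTURED = {"Jane Q. Example": "name", "Springfield": "city"}


def _year_only(m):
    # Safe Harbor: all elements of dates except the year must be removed.
    return f"[DATE:{m.group('year')}]"


# Ordered (category, compiled pattern, replacement). Order matters: URLs and
# e-mail go first so later digit rules do not chew through them; street goes
# before ZIP so a house number is not mistaken for a ZIP code.
RULES = [
    ("url", re.compile(r"https?://\S+?(?=[.,;!?]?(?:\s|$))"), "[URL]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    ("phone", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),  # also fax
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    ("mrn", re.compile(r"\bMRN\s*#?\s*\d+\b"), "MRN [MRN]"),
    ("date", re.compile(r"\b\d{1,2}/\d{1,2}/(?P<year>\d{4})\b"), _year_only),
    ("date", re.compile(r"\b(?P<year>\d{4})-\d{2}-\d{2}\b"), _year_only),
    # Ages over 89 must be aggregated into a single "90 or older" bucket.
    ("age", re.compile(r"\b(?:9\d|[1-9]\d{2})-year-old\b"), "90+-year-old"),
    ("street", re.compile(
        r"\b\d{1,6}\s+(?:[A-Z][a-z]+\s+)+(?:St|Street|Ave|Avenue|Rd|Road|Blvd)\b"),
        "[STREET]"),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]


def scrub(text, structured=None):
    """Apply the pattern rules, then the structured identifiers.

    Returns (scrubbed_text, counts_by_category) so the caller can see what
    was removed and spot notes where nothing matched at all.
    """
    counts = {}
    for cat, pat, repl in RULES:
        text, n = pat.subn(repl, text)
        if n:
            counts[cat] = counts.get(cat, 0) + n
    for value, cat in (structured or {}).items():
        text, n = re.subn(re.escape(value), f"[{cat.upper()}]", text,
                          flags=re.IGNORECASE)
        if n:
            counts[cat] = counts.get(cat, 0) + n
    return text, counts


def residual_identifiers(text):
    """Re-scan scrubbed text with the same rules; anything returned means the
    scrub is incomplete. This cannot catch names or places, which is why
    Safe Harbor output still needs NER or human review before release."""
    return [(cat, m.group(0)) for cat, pat, _ in RULES for m in pat.finditer(text)]


if __name__ == "__main__":
    out, counts = scrub(SAMPLE_NOTE, SAMPLE_STRUCTURED)
    print(out)
    print(counts)
    print("residual:", residual_identifiers(out))
```

Running the script prints the note with every identifier replaced by a bracketed token, the state "IL" and the years left intact, and an empty residual list. The residual check is the part a practitioner should keep even if the rules change: a de-identification step that is never re-checked against its own output is the usual way a stray MRN or phone number reaches a "de-identified" dataset.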
Personal Health Information and Health Apps
The unprecedented rise of telehealth carries confusion and fear about how health apps handle PHI. Health apps operate online and gather and record information, including personal identifiers. As much as the HIPAA Privacy Rule protects patients’ PHI, online health apps and trackers are not always subject to HIPAA. An app developer is bound by HIPAA only when it acts as a covered entity or as a business associate handling PHI on a covered entity’s behalf, and most apps and health trackers on the market are neither. If, for instance, your doctor recommends that you use a certain app or wearable to track your heart rate or BMI, the information the app gathers is generally not subject to the Privacy Rule unless the app is provided by or on behalf of your provider.
What is the rule on health apps?
Whether HIPAA applies depends on the nature and function of the application. Developers that build eHealth or mHealth apps for patients may or may not be subject to HIPAA. When an app collects the user’s data only for the user’s own use, it is not subject to HIPAA. However, if the app creates, receives, stores, or transmits health information on behalf of a covered entity, for example by sharing it with the patient’s medical professionals at the provider’s request, the developer is a business associate and must comply with the HIPAA rules.
Complications usually arise when the app is created for, and provides services to, a covered entity.
HIPAA, Telehealth and Your Privacy
Telehealth continues to bridge the gap between medical providers and patients in the country. Despite its growing popularity and availability, privacy concerns persist, and reasonably so: the same connectivity that makes remote healthcare possible also exposes patients’ data to threats. Data collected, stored, and transferred over the internet runs the risk of being intercepted by attackers and illicit data collectors. Telehealth has become a prime target for cybercriminals, and healthcare data breaches cost the industry billions of dollars.
In 2019 alone, data breaches cost the industry over $4 billion, with hospital organizations putting the cost at an estimated $423 per compromised patient record. Cybercriminals continue to target healthcare with ransomware, demanding ever larger ransoms and placing a premium on millions of patient records. These breaches occur even in well-defended hospital networks, which has, arguably, created a disconcerting image of telehealth.
HIPAA Guidelines for Telehealth
Connecting with patients via telehealth and collecting and transmitting their data potentially puts that data at risk. One of the biggest risks is the patient’s lack of control over how their PHI is collected, used, and shared among healthcare entities. Even wearables and health apps that supposedly collect only heart rate or detect falls may gather information about a user’s other activities, activities many wish to keep private. Despite security measures, a data breach always remains a possibility.
Communicating electronic protected health information via telehealth
HIPAA guidelines governing telemedicine and telehealth affect all parties in the healthcare sector. Medical professionals, insurance providers, and healthcare organizations that provide remote medical care are covered by HIPAA and its Privacy and Security Rules. Contrary to a common assumption, the rules remain applicable when ePHI is communicated directly from the patient to the physician over a telehealth platform. The communication channel, usually the telehealth app or platform, must therefore meet the Security Rule’s safeguards, and a vendor that handles ePHI on the provider’s behalf must sign a business associate agreement.
Elements of the HIPAA guidelines on telemedicine as provided within the HIPAA Security Rule:
- Only authorized entities and users are granted access to ePHI;
- To protect the integrity and confidentiality of patients’ ePHI, telehealth providers must use a secure, encrypted channel of communication; and
- Access to and transmission of ePHI should be logged and monitored (audit controls), with backups maintained, so that accidental or malicious disclosures can be detected, investigated, and recovered from.
As to the first point, physicians may access their patients’ ePHI provided that they implement and use “reasonable and appropriate safeguards,” so that ePHI is not disclosed or shared with unauthorized parties.
The second point means that unsecured channels such as SMS text messaging, consumer Skype, and ordinary email should not be used to transmit ePHI remotely. In light of the pandemic, however, HHS’s Office for Civil Rights issued a Notification of Enforcement Discretion stating that it would not impose penalties for HIPAA noncompliance on providers using any non-public-facing remote communication product in good faith for telehealth, even without a business associate agreement (BAA) with the vendor. The following vendors represented that their products support HIPAA compliance and that they will enter into BAAs with healthcare providers:
- Skype for Business or Microsoft Teams
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
- Cisco Webex Meetings or Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
Despite the discretion granted by HHS, public-facing platforms should NOT be used for communicating ePHI at a distance, including:
- Facebook Live
- Similar public-facing video platforms such as Twitch or TikTok
Without question, physicians and healthcare providers want to keep their patients at ease by keeping their PHI and ePHI secure. Although it tends to be more expensive, using a HIPAA-compliant telehealth service is the ideal approach. The cost will deter some patients, but privacy and security should come first. To that end, communicate with your physician and healthcare organizations only through HIPAA-compliant telehealth tools such as the following.
Zoom expanded its reach with a telehealth platform that makes video conferencing convenient and flexible. Through Zoom for Healthcare, patients, physicians, and other healthcare providers can connect in group video conferences, and healthcare professionals can hold webinars and record sessions that aid patient care.
Zoom offers both HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) compliant plans for healthcare providers and organizations that offer remote medical care to their patients.
Simple, easy to use, and approachable, Doxy.me offers cloud-based telehealth tools that cater to small clinics and large hospitals alike. Users are assured that Doxy.me keeps their health information secure, as the platform states compliance with HIPAA, the General Data Protection Regulation (GDPR), the Personal Health Information Protection Act (PHIPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and HITECH.
Doxy.me is available for download for Android and iOS devices.
A sophisticated choice for a telehealth tool, Webex for Healthcare is accessible on any device: you can use a computer or smartphone to connect with your healthcare provider or your patient. Webex makes connecting easy while supporting HIPAA Privacy Rule compliance. When you need to present something to a patient or client, you can use the screen-sharing feature. Physicians can readily educate patients about their condition while keeping the patient’s and the organization’s information secure.
VSee is a versatile “all-in-one” telehealth platform featuring video visits, remote medical exams, and patient monitoring. Importantly, VSee has optimized its platform for areas with poor internet service, making it a strong choice for clients overseas or in rural areas. VSee is straightforward, affordable, easy to deploy, and scales with a growing operation.
Initially designed for general business conferencing, GoToMeeting is also built to support HIPAA compliance and has become one of the top options for healthcare providers looking for a secure yet reasonably priced telehealth solution. It carries the features that make telehealth approachable for every consumer: you can easily record sessions and share resources with your patient or physician for later use.
Similar to Doxy.me, SimplePractice offers cloud-based telehealth and teletherapy solutions that assist licensed medical professionals in their everyday operations. SimplePractice features scheduling automation, documentation, and payment processing while keeping data secure. It states that it meets and exceeds HIPAA requirements, including signing a Business Associate Agreement (BAA). Through SimplePractice, your physician and therapist can securely share notes to give you the best possible medical attention.
Ways to Prevent Security Risks in Telehealth
As in any venture, the best way to prevent or minimize risk is to develop best practices, and best practices only work if all parties implement them. Here are a few ways to reduce security risks when you use telehealth solutions.
- Implement strong identity authentication
Identity authentication must be applied consistently at every point of access, so that only authorized individuals can reach protected health information. Multi-factor authentication is a good way to keep access secure and limited to authorized persons.
- Improve telehealth platform’s security
Telehealth service providers must continue to improve their platforms’ security, and HIPAA requirements must be met at all times. Even so, users often fail to secure their data on their end, which is why telehealth tools need multiple layers of security (defense in depth) to compensate for user-side weaknesses.
- Recognize the importance of patient education
Protection from data breaches also depends on the end user; your security depends in part on how well you protect yourself from cyberattacks and threats. Secure telehealth must therefore be complemented by empowered patients: educate patients and users about cybersecurity to keep their online communications safe.
- Educate your patients about possible threats in telehealth security;
- Encourage them to use a virtual private network (VPN) whenever practicable, especially on public Wi-Fi;
- Advise your patients always to keep their software up-to-date;
- Keep anti-malware or anti-virus protection enabled on any device used for telehealth; and
- Restrict app permissions and only permit those which are necessary for the platform’s functionality.
- Do not open malicious messages
Phishing emails and messages are among the easiest ways for cybercriminals to compromise your device and collect data. Whenever you receive an email or message from an unrecognized sender, do not open its attachments or click the links it contains. Disregard phishing emails to prevent the sender from acquiring sensitive information, especially your personal health information, and delete them immediately.