- May 8, 2020
- Posted by: Keith Frechette
- Category: Blog
In the face of the ongoing COVID-19 pandemic, telemedicine activity has increased. This increase is a result of the rapid processing and sharing of protected health information across several computing environments. With this sudden acceleration of virtualization in the healthcare industry, it is imperative that healthcare providers understand the security and regulatory compliance requirements associated with HIPAA and the recent OCR waivers in order to maintain secure telehealth activities.
As countries around the globe continue to grapple with the COVID-19 pandemic, telehealth has proven invaluable for both patients and healthcare providers. The use of telehealth technology infrastructure has contributed to reduced crowding in medical facilities, rapid response to non-emergency health issues, and quicker access to specialty healthcare providers for consultation.
As shown in the graph below, between 2010 and 2017, 76% of U.S. medical centers implemented telehealth technology to help boost access to healthcare professionals. Although telehealth has been cost-effective for both patients and healthcare providers, it has also become a viable attack vector for malicious actors.
Although the benefits of telehealth are enormous, security and regulatory compliance remain a significant concern. In addition to the recent pandemic-related OCR waivers for certain HIPAA requirements, this article provides a checklist that will help healthcare providers practice telemedicine in a secure and HIPAA/HITECH-compliant manner.
Image Source: aha.org
HIPAA In Telemedicine – Scope and Guidelines
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a U.S. law pertaining to the data security and privacy of medical information. HIPAA aims to prevent abuse and fraud in healthcare by instituting industry-wide standards for handling sensitive data and other information processes (manual or electronic).
Within HIPAA, the ‘Privacy Rule’ and ‘Security Rule’ are structured to specifically safeguard the confidentiality and integrity of Protected Health Information (PHI), including medical records. These rules pertain to electronic Protected Health Information (e-PHI). Telemedicine operations are therefore required to adhere to healthcare industry regulations.
With regard to HIPAA in telehealth, communications between healthcare providers, physicians, and patients must be carried out in a secure manner using physical, technical, and administrative security controls. The HIPAA Security Rule requires the following:
- To mitigate cyber risks, access to e-PHI should be limited to authorized users.
- The means of communication should be secure and HIPAA-compliant to safeguard the integrity of e-PHI.
- All e-PHI-related communications must be monitored to prevent malicious and accidental breaches, as well as to ensure the confidentiality, integrity, availability, and privacy of critical data assets.
- Healthcare providers are required to ensure compliance by their workforce.
HIPAA Regulations Concerning Third-Party Telehealth Data Storage Providers
Healthcare organizations and medical professionals that create e-PHI that is stored by a third party must have a Business Associate Agreement (BAA) with that third party. The BAA must explicitly itemize the methods implemented to assure data privacy and security. Additionally, BAAs must make provision for designated audits and evaluations of data security controls.
Incorporating BAAs into healthcare regulations will affect the future of telemedicine during and after the COVID-19 pandemic because it will impose an indirect compliance requirement on third-party service providers. This administrative control, if implemented properly, will help to improve the security posture of telehealth infrastructures by:
- Ensuring that the third-party service providers are taking the appropriate measures to remain compliant with regulations, hence building trust with regulators and customers.
- Minimizing organizational risk by implementing proper cybersecurity safeguards.
- Preventing any reputational or financial losses that may originate from a data breach.
Checklists For Achieving HIPAA Compliance In Telemedicine
As per HIPAA regulations, the following cybersecurity best practices must be implemented by healthcare providers to ensure that telemedicine computing infrastructures are in compliance when handling PHI:
- Encryption: this security control prevents data breaches and unauthorized access. Additionally, it helps to ensure the integrity and confidentiality of e-PHI across different formats, including video, audio, and/or paper-based.
- Reduced Data Storage: sensitive data should not be stored by the telemedicine solution providers, as this could easily become an attack vector for malicious actors. Such a single point of failure for data security should be avoided at all costs.
- Peer-to-Peer Networking: P2P networking allows files to be shared without the need for central servers. Hence, it is less prone to fraudulent activities.
- Business Associate Agreements (BAA): healthcare providers and technology service providers must have a BAA that is compliant with HIPAA regulations. At GoldSky, we are equipped with cybersecurity legal specialists who are available to help healthcare providers develop the required content for business associate agreements with technology service providers.
- Participant Security Awareness Training: all parties involved in telemedicine, including physicians, healthcare centers, and patients, should be continually made aware of cybersecurity best practices, such as using strong passwords, recognizing phishing emails, and implementing firewalls and antivirus software. Video conferencing must also take place in private locations.
Recent OCR Waivers Of HIPAA Requirements Regarding Telemedicine
The U.S. Office of Civil Rights (OCR) is responsible for the enforcement of HIPAA rules. As COVID-19 disrupts the healthcare industry, the OCR has recognized that healthcare providers are communicating with patients and providing telehealth services via remote communication technologies.
Although certain communication technologies are not entirely compliant with HIPAA requirements, the OCR has exercised its discretionary powers and declared the following temporary waivers and guidelines:
- Temporary elimination of penalties against healthcare providers for non-compliance with HIPAA regulations, as it relates to telehealth services provided in good faith.
- Healthcare providers that wish to provide telehealth services can use non-public-facing remote communication technologies to communicate with patients. This decision applies to all uses of telehealth, including those not related to the treatment of COVID-19.
- Healthcare providers have been encouraged to notify patients that the use of third-party applications may pose privacy risks; therefore, encryption and privacy mechanisms should be implemented while using said applications.
- Public-facing social media platforms, such as Facebook or Instagram Live, TikTok, or Twitch, should not be used for telehealth.
- Reliable virtual communication service vendors, such as Skype/Microsoft Teams, Zoom for Healthcare, Amazon Chime, Cisco WebEx, etc., are HIPAA-compliant platforms approved for telehealth activities. Therefore, healthcare providers are approved to partner with said vendors. However, OCR will also not impose penalties on healthcare providers for not having a HIPAA BAA with video communications vendors.
Telehealth is a beneficial aspect of the healthcare system that will become increasingly prevalent in the post-pandemic world. Therefore, mandatory security measures will be developed to efficiently protect healthcare organizations from malicious actors, especially Advanced Persistent Threat (APT) groups.
Having collaborated with healthcare organizations across the United States, GoldSky security professionals understand the compliance challenges facing the healthcare industry in the 21st century, and they are equipped with efficient solutions for real-time implementation.
With offices in Denver, Orlando, Nashville, Tampa, and Washington, D.C., GoldSky Cyber Security is a reliable 24/7/365 cybersecurity solutions partner to small and mid-sized healthcare service providers throughout the United States. Get in touch with us today to learn more about GoldSky’s strategic solutions for your cybersecurity compliance goals.