We learned early in life from the Three Little Pigs that a house made of straw or sticks, while much easier to build, lacks the safety and security of a brick house. This fable’s lesson applies to many scenarios including the recent rapid deployment of telehealth services. While a pandemic, not laziness, caused the hurried telehealth services implementation for many, that’s irrelevant to the big bad wolf (and there is always a big bad wolf). He will come and he will huff, and he will puff, and he will compromise the privacy of patient information in a system without adequate protections.
Until recently, most Americans had never experienced a telehealth visit and most healthcare providers did not offer telehealth visits. That changed almost overnight with the COVID-19 public health emergency. Many healthcare providers were forced to reinvent their healthcare delivery model without much investigation, testing or policy development. Some providers cobbled together a telehealth delivery system in a matter of days to meet access to care needs. At the same time, government agencies implemented new rules and waived enforcement of others to promote the adoption and immediate availability of virtual visits. As with all technology, this wave of telehealth comes bearing both good and bad news.
The good news is that the swift deployment of telehealth services met – and continues to meet – a critical access to care need during a public health emergency. Further, widespread temporary adoption of telehealth services forced serious consideration of permanent rules and regulations to keep telehealth as a key delivery mechanism even after the public health emergency is over. Most people in the industry agree that telehealth is here to stay.
Now for the bad news: many healthcare providers’ hastily constructed telehealth delivery systems may pose substantial privacy and security risks. In March 2020, the Department of Health and Human Services (DHHS) announced that its enforcement arm, the Office for Civil Rights (OCR), will not impose penalties for noncompliance with the Health Insurance Portability and Accountability Act (HIPAA) related to telehealth delivery. This move permitted healthcare providers to use common video conferencing or other communication platforms to deliver telehealth services, like FaceTime, Zoom and Skype, without assessing and addressing vulnerabilities or requiring platform vendors to agree to certain security standards.
Importantly, DHHS’s promise of enforcement discretion does not waive or remove HIPAA compliance requirements. Further, it does not relieve healthcare providers of their obligations in the event of a breach, even if that breach occurs as a result of using one of the temporarily permitted communication platforms. And as soon as DHHS makes the determination that its enforcement discretion is over, providers likely will have little or no time to come into compliance with HIPAA requirements.
More importantly, those looking to exploit system vulnerabilities and access patient information couldn’t care less about DHHS’s enforcement discretion. Therefore, regardless of enforcement discretion, it is important for providers to ensure that their telehealth delivery systems are built with bricks that protect patient privacy.
Ensuring Privacy in Telehealth
Privacy in healthcare is critical to a provider’s mission to deliver the best care possible. Without assurances of privacy, people will not seek care or will not disclose important information. These days, privacy in healthcare entails more than closing an exam room door or keeping files in a secured area. In the era of virtual visits, the privacy of a patient’s visit is inextricably linked to security.
While OCR is exercising HIPAA enforcement discretion for telehealth, following HIPAA rules remains the best strategy for ensuring privacy by implementing adequate security measures. There are four key HIPAA compliance areas that providers should consider: (1) a security risk analysis of the telehealth platform; (2) policies and procedures; (3) business associate agreements; and (4) training. Each of these is an essential brick in the construction of a secure telehealth delivery system.
1. A Security Risk Analysis
The first step is to assess the selected platform. The HIPAA Security Rule requires a risk analysis of systems that touch electronic protected health information, like a telehealth delivery system. A risk analysis is an assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information. Essentially, someone must huff and puff and try to blow the house down to identify notable vulnerabilities and risks.
This assessment necessitates a detailed review of the system’s functionality and how the provider uses it in light of certain HIPAA requirements. Performing a risk analysis is no small task. A provider can perform it internally if there are staff sufficiently qualified to assess the system. The task becomes a bit easier when assessing a platform designed specifically for telehealth delivery. Put differently, you will spend money and effort upfront implementing a healthcare-specific telehealth solution, or you will spend money and effort on the back end customizing and configuring a general-purpose platform to provide adequate protections. The best option for a provider depends entirely on the specific needs of the practice.
The risk analysis will uncover areas that require attention. The extent of remediation depends on the provider’s size, the complexity of operations and resources (i.e., a large hospital will be required to do more than a small physician practice). Managing identified vulnerabilities or risks can take many forms including adjusting available security settings, creating custom technical solutions or developing policies and/or procedures to address weaknesses.
2. Policies and Procedures
Not all privacy or security issues can be addressed through technical fixes or security settings; governance plays a key role too. For example, it is important to have a policy that providers can use only approved telehealth delivery systems for virtual visits. You could put a fantastic and secure telehealth delivery system in place but if a provider decides to use FaceTime for the visit, the privacy issue has not been addressed.
Policies may also be necessary to address the required use of certain optional settings (e.g., enabling a waiting room setting), the prohibition of the use of other settings (e.g., recording visits) and secure access to the system (e.g., strong passwords or the use of multi-factor authentication). In addition to policies that address technical issues, policies addressing how and where the provider delivers a telehealth visit to ensure maximum privacy are advisable.
3. Business Associate Agreements
Under HIPAA, a healthcare provider must have an agreement with all “business associates.” A business associate is an entity that uses or has access to protected health information in order to provide a service to a covered entity. The business associate agreement makes the vendor responsible for compliance with standards under HIPAA.
Telehealth platform vendors are business associates. Some mainstream platform providers like Skype have taken the position that they serve merely as a conduit for the transfer of information, like the postal service, and are not business associates. I disagree and I suspect that DHHS and OCR would as well. Notably, in DHHS’s notification of enforcement discretion, it encourages providers to obtain business associate agreements with the telehealth platform vendor regardless of enforcement discretion.
Having a business associate agreement in place with your telehealth platform vendor not only ensures that your business associate will adhere to certain HIPAA standards, it lends credibility to any platform vendor’s claim that its platform is HIPAA compliant.
4. Training
As with all things related to HIPAA, training is key. All staff will need to understand the various technical aspects of the telehealth platform selected, how to use it in a manner that protects patient privacy and the policies and procedures surrounding its use.
For the first time, in addition to staff training, patient education on privacy is critical. Unlike a provider, a patient does not need to perform a risk analysis on his or her system. Further, a healthcare provider cannot control the device the patient uses, the setting the patient selects and the patient’s chosen method to connect to the visit (e.g., public WiFi). But these things can compromise the security of the visit regardless of the measures the provider has in place.
HIPAA does not explicitly require patient training and OCR will not initiate actions against providers for patients’ inadequate security measures. However, I suspect that DHHS and OCR will deem patient education on security risks to be a reasonable security measure under HIPAA. As a best practice, providers should design a simple educational piece about increasing the security of telehealth visits that can be posted on the provider’s website or delivered to the patient.
Use a Deliberative Construction Process
To return to the construction metaphor, it may be useful to think about constructing a telehealth delivery system in the same way we think about constructing a physical office space used to deliver in-person care. Most “off the shelf” communication platforms are akin to a large open physical space. Ask yourself where walls and restricted access are required to protect privacy. And where a wall, lock or physical structure cannot provide the protection you need, implement a policy to address the need.
A deliberative construction process assists with compliance, but most importantly it helps design a telehealth delivery system that meets a provider’s specific needs and protects the privacy of its patients.
Telehealth is here to stay, and enforcement discretion surely will not last forever. Don’t be left scrambling to comply once DHHS and OCR resume enforcement. Take the time to lay the necessary bricks now. As we learned from the Three Little Pigs – hastily built structures will not last.