LuxSci

6 Essentials For Privacy and Security in Telehealth

Published: September 21st, 2017

HIPAA covers Telehealth but does this make it safe? Learn the measures that ensure patient safety and privacy while using a virtual doctor visit program. 

The rise of telehealth in healthcare has transformed patient-doctor interaction. Nonetheless, the privacy and security of protected health information (PHI) still remain a big question. These concerns make sense because a new technology, usually, comes with new challenges.

What is Telehealth?

Luckily, every problem comes with a solution. Thus, making a few smart choices can work wonders to keep the patient data protected.

What is Telehealth? Breaking the Barrier and Bridging the Gap

The Health Resources and Services Administration (HRSA) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient, and professional health-related education, public health and health administration.”

Technologies include:

  • The internet.
  • Store-and-forward imaging.
  • Streaming media.
  • Terrestrial and wireless communications.

Simply put, telehealth provides a dynamic structure that allows patient-doctor interaction even when they are a thousand miles apart. It embraces health information, health care, and education. Note that the scope of telehealth goes beyond the patient-doctor interaction. Thus, it also includes other members of the healthcare system. For example, nurses, radiology, pharmacy, and psychology.

The types of telehealth include:

  • Teleconsultations. Professional consultations between a physician and specialist who are distant apart.
  • Remote patient monitoring (RPM). Continuous monitoring of a patient by tracking the sensors on a device the patient is wearing.
  • Intraoperative monitoring (IOM). Expert monitoring of a surgical procedure especially during a complex surgery. For example, brain and spinal cord surgery.
  • Telehomecare (THC). A technique that allows caregivers to reassure a patient with some chronic conditions. For example, dementia.
  • Diagnosis and treatment at the “point-of-care”. This technique eliminates the need for a direct visit to a clinic or hospital. In essence, the patient gets tested and/or treated at or near the place where they live.

Does Telehealth Cover All Electronic Health Information?

It is because these two are entirely different concepts. Health information may become a part of telehealth if:

  • A patient and doctor far apart exchange the information by any means of electronic communication.
  • A doctor, in a rural area, consults an expert during the diagnosis/treatment of a disease, or during a surgery.

Common Misconceptions about Telehealth

  • It is not a single service. Rather it is a broad range of services. It involves the use of information technologies, devices, and professionals. You may categorize it depending on the specialty. For example, teleradiology, telepharmacy, telepsychology, teletriage, tele-ophthalmology, and telenursing.
  • It is not Health Information Technology (HIT) though they are related to each other. HIT is primarily concerned with EHRs, PHRs, and e-prescribing. Moreover, it may also include health apps and online health communities. But, the concept of telehealth focuses on the delivery of general or professional health information and not on the particular technologies involved.
  • It is not Telemedicine even though people use them interchangeably in most occasions. Telemedicine uses technology only to monitor and diagnose or treat a health condition. While telehealth includes diagnosis and management, education and other related fields of healthcare.

Will Your Insurer Cover Telehealth Costs?

Yes, but it depends on the state laws and type of the insurer. For example, private insurers or government plans like Medicare and Medicaid.

Telehealth is increasingly covered by health insurance

The good news: insurers are expanding the coverage for telehealth costs. Also, more insurers are joining the league.

Medicare Part B bears the cost of telemedicine services. But the patients need to fulfill certain conditions. Likewise, Medicare Advantage (MA), also follows the footsteps of Medicare.

Medicaid pays for telehealth services in 42 states as of January 2013. Depending on the state law, Medicaid may cover the cost of telehealth only in rural areas.

Private insurers are increasingly interested in covering the cost of telehealth services. For example, UnitedHealth Group, Cigna, and Aetna are already paying for virtual doctor visits. Similarly, Blue Cross also pays for virtual visits.

In short, insurers are paying for telehealth in many states now.

Let’s Talk About the Safety of Telehealth Technologies

Could PHI be compromised through a Skype conversation?

Why not? Regular Skype does not fulfill the Business Associate Agreement (BAA). Note that BAA is one of the keys to making a program HIPAA-compliant.

Find out why Skype is not HIPAA-compliant and what alternatives you have.

Like Skype, Apple’s FaceTime is also not HIPAA-compliant.

Protecting Health Data in Telehealth: 6 Solutions that Never Fail

To ensure the health data is safe and integrated, your telehealth system should comply with the HIPAA guidelines. For this purpose, you will need:

Business Associate Agreement (BAA). BAA is a written contract between a covered entity and a business associate. It establishes the permitted uses and disclosures. Thus, BAA prevents a business associate from using or disclosing PHI. Moreover, BAA must take appropriate measures to prevent unauthorized use or disclosure of the information.

If you are working in collaboration with a business associate, you must have a BAA. In fact, this is the first step to getting HIPAA compliance for your telehealth system.

Note: A “business associate” is a person or entity that works with or on behalf of the covered entity. Notably, a business associate can have access to PHI.  A business associate also is a subcontractor. The subcontractor creates, receives, maintains, or transmits protected health information on behalf of another business associate. 

 Transport encryption. Encryption, a must-have for data security, converts the sensitive information into a meaningless/undecipherable stream of seemingly random data. That way, it prevents the information from falling into the wrong hands. To decode the encrypted information, one needs an encryption key, which is available only to the authorized persons. Hackers can access the transmission en-route to the destination, especially over a public Wi-fi. If the information is not encrypted, the ePHI itself is available to them. Following a transport encryption protocol, you can maintain the confidentiality of all the data. That includes audio and video files.

Storage encryption for the videos stored in a device.  Storage encryption can also encode backed-up and archived data on storage media. It makes the information unusable to the hackers even when they gain access to storage media.

How will you store your data? When storing health data, you have more than one option. I.e., everything from a flash drive to cloud storage. In all cases, make sure you chose a HIPAA-compliant product or service. Different manufacturers provide encrypted flash drives and external hard drives. Likewise, others offer cloud-based storage systems that can be used for PHI. Two key factors differentiate great options from good ones. These are storage performance and storage capacity. It is critically important that you assess your general and security needs before opting for an option.

Both covered entity and a business associate must have provisions for access and audit controls. Also, they should regularly update their systems.

Access controls for stored and active video. Videoconferencing is the hallmark of telehealth. Because the video may contain audio and visual PHI, there should be limited access to it. Physicians, most cases, need to be able to access the stored at the time they claim need. Other entities such as providers or insurance payers can get the access on a need-to-know basis. Audit trails and restricted access are required to control and monitor access.

Want more tips on keeping your ePHI protected?

Talk to the experts at Luxsci.com for a Free Consultation.

See also, LuxSci’s easy-to-use SecureVideo telehealth service.

Leave a Comment


You must be connected or logged in to post a comment. This is to reduce spam comments.

If you have not previously commented, you can connect using existing social media account, or register with a new username and password.