6 Telehealth Privacy and Security Essentials

September 21st, 2017

HIPAA covers telehealth, but does that make it safe? Learn the measures that protect patient safety and privacy when you use a virtual doctor visit program.

Over the past few years, the rise of telehealth has transformed patient-doctor interactions. Nonetheless, the privacy and security of protected health information (PHI) remain an open question, and reasonably so: new technology brings new risks along with new capabilities.

Most of those problems have known solutions. A few deliberate choices, described below, go a long way toward keeping patient data protected.

What is Telehealth? Breaking the Barrier and Bridging the Gap

The Health Resources and Services Administration (HRSA) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient, and professional health-related education, public health and health administration.”

Technologies include:

  • The internet.
  • Store-and-forward imaging.
  • Streaming media.
  • Terrestrial and wireless communications.

Simply put, telehealth provides a structure that allows patient-doctor interaction even when the two are a thousand miles apart. It covers health information, health care, and education. Its scope also reaches beyond the patient-doctor relationship to other members of the healthcare system, for example nurses, radiology, pharmacy, and psychology.

The types of telehealth include:

  • Teleconsultations. Professional consultations between a physician and a specialist who are far apart.
  • Remote patient monitoring (RPM). Continuous monitoring of a patient through sensors on a device the patient wears or keeps at home.
  • Intraoperative monitoring (IOM). Expert remote monitoring of a surgical procedure, especially complex surgery such as brain and spinal cord operations.
  • Telehomecare (THC). Remote monitoring and support of patients with chronic conditions such as dementia in their own homes, allowing caregivers to check on and reassure them.
  • Diagnosis and treatment at the point of care. This eliminates the need for a visit to a clinic or hospital: the patient is tested or treated at or near the place where they live.

Common Misconceptions about Telehealth

  • It is not a single service but a broad range of services. Telehealth involves information technologies, devices, and professionals, and is often categorized by specialty: teleradiology, telepharmacy, telepsychology, teletriage, teleophthalmology, and telenursing, among others.
  • It is not Health Information Technology (HIT), though the two are related. HIT is primarily concerned with EHRs, PHRs, and e-prescribing, and may also include health apps and online health communities. Telehealth, by contrast, is about delivering care and health information at a distance, not about any particular technology.
  • It is not telemedicine, even though people use the terms interchangeably. Telemedicine uses technology specifically to monitor, diagnose, or treat a health condition; telehealth is broader and includes diagnosis and management, education, and related healthcare fields.

Protecting Health Data in Telehealth: 6 Solutions that Never Fail

To keep health data confidential and intact, telehealth systems should comply with the HIPAA Privacy and Security Rules. For this purpose, organizations need:

1. Business Associate Agreement (BAA)

A BAA is a written contract between a covered entity and a business associate. It spells out the permitted uses and disclosures of PHI, so the business associate may use or disclose PHI only as the agreement and HIPAA allow. It also obliges the business associate to put appropriate safeguards in place against unauthorized use or disclosure, and to report any breach of unsecured PHI to the covered entity.

If a telehealth vendor (a video platform, a hosting provider, a transcription service) will touch PHI, a BAA is required before any PHI flows. This is the first step toward HIPAA compliance for a telehealth system.

Note: A "business associate" is a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity, or provides services to it that involve PHI. A subcontractor that handles PHI on behalf of a business associate is itself a business associate, and the same BAA obligations flow down to it.

2. Transport Encryption

Encryption converts sensitive information into a stream of seemingly random data that is useless to anyone who does not hold the decryption key, which is available only to authorized parties. Data in transit needs it most: an attacker positioned on the network path, for instance on shared public Wi-Fi, can capture traffic en route, and if the traffic is not encrypted the ePHI is simply readable. Transport encryption (TLS for web, API and signaling traffic; DTLS/SRTP for real-time audio and video streams) keeps the content confidential between the two endpoints and lets each side verify it is talking to the right party, which is what defeats an interception proxy. Two caveats: the protection covers only the hop it is applied to, so data must be encrypted again where it is stored (see item 3), and it is only as good as its configuration, so obsolete protocol versions and unverified certificates have to be refused, not merely discouraged.
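The following Go program is an added example, not code from the original article or from LuxSci; it shows the two checks a telehealth client must enforce on its TLS connection. It mints a throwaway certificate for a hypothetical endpoint (`video.telehealth.example`, an assumed name) and runs three handshakes over an in-memory pipe: a client that trusts the right root and checks the hostname succeeds; a client that trusts nothing the server presents (the situation when a proxy on public Wi-Fi intercepts the connection) rejects the server; and a client that can only speak TLS 1.0 is refused by a server that requires TLS 1.2 or later.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// host is a hypothetical telehealth video endpoint, used only in this demo.
const host = "video.telehealth.example"

// selfSignedCert mints a throwaway server certificate so the handshakes run offline.
// In production the certificate comes from a real CA and clients trust that CA's root.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the client's hostname check matches on this
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one TLS handshake over an in-memory pipe; a nil result means the client accepted the server.
func handshake(serverCfg, clientCfg *tls.Config) error {
	s, c := net.Pipe()
	defer s.Close()
	// net.Pipe writes block until read, so a refused handshake can leave one side stuck; deadlines guarantee a return.
	deadline := time.Now().Add(2 * time.Second)
	_ = s.SetDeadline(deadline)
	_ = c.SetDeadline(deadline)
	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Server(s, serverCfg).Handshake() // failures surface on the client side
	}()
	err := tls.Client(c, clientCfg).Handshake()
	c.Close()
	<-done
	return err
}

// Outcome records how a TLS 1.2+ server treated three client configurations.
type Outcome struct {
	TrustedClientOK     bool // pins the right root and checks the hostname
	UnknownCertRejected bool // trusts nothing the server presents, as with an interception proxy
	LegacyTLSRejected   bool // can only speak TLS 1.0
}

func RunTransport() (Outcome, error) {
	cert, roots, err := selfSignedCert()
	if err != nil {
		return Outcome{}, err
	}
	server := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // no SSLv3, TLS 1.0 or 1.1 for ePHI
		SessionTicketsDisabled: true,             // keeps the pipe exchange in lock step
	}
	good := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
	untrusting := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: host, MinVersion: tls.VersionTLS12}
	legacy := &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}
	return Outcome{
		TrustedClientOK:     handshake(server, good) == nil,
		UnknownCertRejected: handshake(server, untrusting) != nil,
		LegacyTLSRejected:   handshake(server, legacy) != nil,
	}, nil
}

func main() {
	o, err := RunTransport()
	fmt.Printf("%+v %v\n", o, err)
}
```

Run it with `go run`. The deadline in `handshake` is only there because `net.Pipe` is synchronous; production code over TCP does not need it, but it does need `MinVersion`, a real root set and `ServerName`, and must never set `InsecureSkipVerify`, which would turn the second scenario into a silent success.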

3. Data Storage on Devices

Transport encryption stops protecting data the moment it is written to disk, so stored, backed-up and archived data on laptops, phones, servers and removable media needs storage (at-rest) encryption as well. If the key is kept separate from the media, in a key manager, a hardware module, or at least not on the same lost laptop, the data is unusable to anyone who gets hold of the storage, whether through theft, a discarded drive or a compromised backup. Authenticated encryption modes also detect tampering, so an altered record fails to decrypt instead of silently decrypting to something wrong.
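An added example, not from the original page, of storage encryption using an authenticated mode, AES-256-GCM from Go's standard library. A constructed visit note is sealed under a random key with a record identifier bound in as additional authenticated data; the demo then shows that the stored bytes carry no plaintext, that a wrong key or a flipped byte is rejected, and that relabelling the blob under another record's identifier is detected. The note text, identifiers and key are all constructed for the demo; in practice the key comes from a key manager or hardware module and never sits on the same media as the archive.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD; GCM gives confidentiality plus an
// integrity tag, so tampered ciphertext is rejected instead of decrypted.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord encrypts one stored record (an archived visit note, a backup
// chunk). A fresh random nonce is prepended to the output, and recordID is
// bound in as additional authenticated data so the blob cannot be quietly
// moved under another patient's identifier.
func sealRecord(key, recordID, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil // nonce || ciphertext || tag
}

// openRecord reverses sealRecord. A wrong key, nonce, ciphertext byte or
// recordID fails the tag check and returns an error, never bad plaintext.
func openRecord(key, recordID, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

// AtRest reports what someone holding only the storage media can and cannot do.
type AtRest struct {
	NoPlaintextOnMedia bool // the stored bytes do not contain the note's text
	RightKeyOpens      bool // the legitimate system recovers the note
	WrongKeyFails      bool // media without the key is useless
	TamperDetected     bool // a flipped ciphertext byte is rejected
	SwapDetected       bool // the blob re-labelled with another record ID is rejected
}

func RunAtRest() (AtRest, error) {
	// Constructed sample data. The key would come from a key manager or a
	// hardware module, never from the same disk as the archive; it is random
	// here only so the demo is self-contained.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return AtRest{}, err
	}
	id, otherID := []byte("visit-4471-0921"), []byte("visit-9912-0921")
	note := []byte("Pt 4471 video visit 2017-09-21: BP 142/91, adjust lisinopril")

	sealed, err := sealRecord(key, id, note)
	if err != nil {
		return AtRest{}, err
	}
	var r AtRest
	r.NoPlaintextOnMedia = !bytes.Contains(sealed, []byte("lisinopril"))

	got, err := openRecord(key, id, sealed)
	r.RightKeyOpens = err == nil && bytes.Equal(got, note)

	_, err = openRecord(make([]byte, 32), id, sealed) // all-zero key stands in for "no key"
	r.WrongKeyFails = err != nil

	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // one flipped bit anywhere in the blob is enough
	_, err = openRecord(key, id, tampered)
	r.TamperDetected = err != nil

	_, err = openRecord(key, otherID, sealed)
	r.SwapDetected = err != nil
	return r, nil
}

func main() {
	r, err := RunAtRest()
	fmt.Printf("%+v %v\n", r, err)
}
```

The per-record random nonce matters: GCM is only safe when a key never sees the same nonce twice, so a deployment that encrypts many records under one key should either use random 96-bit nonces as here with a key rotation budget, or a counter managed by the key store.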

4. Video Data Storage

There are many options for storing health data, from a flash drive to cloud storage. In every case, choose a product or service whose vendor will sign a BAA and whose controls (encryption, access control, audit logging) satisfy the HIPAA Security Rule; there is no official HIPAA certification for products, so "HIPAA-compliant" on a data sheet is a claim to verify, not a guarantee. Several manufacturers sell hardware-encrypted flash drives and external hard drives, and cloud providers offer storage systems and databases that can hold PHI under a BAA. Once that security baseline is met, storage performance and capacity separate the great options from the good ones, so assess the organization's needs before choosing.

Both the covered entity and the business associate must implement access and audit controls on the storage they run, and both should keep their systems patched and up to date.

5 & 6. Access Controls for Stored and Active Video

Videoconferencing is the hallmark of telehealth. Because recordings carry PHI in both audio and video, they must not be broadly accessible to employees: access belongs to the clinicians treating the patient, and to other parties such as other providers or insurance payers only on a documented need-to-know basis, for a bounded period. Live sessions need the same discipline: only authenticated, invited participants should be admitted to a visit. Restricted access limits who can reach the data; audit trails that record every access, including denied attempts, are what let the organization prove it and investigate when something looks wrong. The HIPAA Security Rule requires both.
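An added example, not from the original article, of the deny-by-default access policy and audit trail described above, in Go. Recordings, users, roles and grants are constructed for the demo. Treating clinicians on the patient's care team may view the recording; a payer may view it only under a time-boxed need-to-know grant; everyone else, including a physician who is not on the care team and helpdesk staff, is refused; and every decision, allowed or denied, is written to the audit trail.

```go
package main

import (
	"fmt"
	"time"
)

type Role string

const (
	Physician, Nurse, Payer, Staff Role = "physician", "nurse", "payer", "staff"
)

type User struct {
	ID   string
	Role Role
}

// Recording is one stored visit video; CareTeam holds the IDs of the
// clinicians assigned to the patient. A job title alone grants nothing.
type Recording struct {
	ID       string
	CareTeam []string
}

// AuditEvent is one line of the access trail. Denials are recorded too:
// they are what an investigation looks for.
type AuditEvent struct {
	At                          time.Time
	UserID, RecordingID, Action string
	Allowed                     bool
	Reason                      string
}

type VideoStore struct {
	recordings map[string]Recording
	grants     map[string]time.Time // "userID|recordingID" -> expiry of a need-to-know grant
	Audit      []AuditEvent         // append-only (WORM storage or a SIEM) in production
}

// Access answers "may u perform action on recording id right now?" and logs
// the decision either way. Anything not explicitly allowed is denied.
func (s *VideoStore) Access(u User, id, action string, now time.Time) bool {
	rec, found := s.recordings[id]
	allowed, reason := false, "deny by default"
	switch {
	case !found:
		reason = "no such recording"
	case (u.Role == Physician || u.Role == Nurse) && contains(rec.CareTeam, u.ID):
		allowed, reason = true, "member of the patient's care team"
	case u.Role == Payer && action == "view" && now.Before(s.grants[u.ID+"|"+id]):
		allowed, reason = true, "active need-to-know grant"
	}
	s.Audit = append(s.Audit, AuditEvent{now, u.ID, id, action, allowed, reason})
	return allowed
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Decisions holds the outcomes of the constructed scenario in RunAccess.
type Decisions struct {
	TreatingPhysician, TreatingNurse, OtherPhysician bool
	PayerInWindow, PayerExpired, PayerDelete, Staff  bool
	AuditEntries                                     int
}

func RunAccess() Decisions {
	now := time.Date(2017, 9, 21, 10, 0, 0, 0, time.UTC)
	s := &VideoStore{
		recordings: map[string]Recording{"rec-4471": {ID: "rec-4471", CareTeam: []string{"dr-lee", "rn-ortiz"}}},
		grants:     map[string]time.Time{"payer-acme|rec-4471": now.Add(72 * time.Hour)}, // claim review window
	}
	d := Decisions{
		TreatingPhysician: s.Access(User{"dr-lee", Physician}, "rec-4471", "view", now),
		TreatingNurse:     s.Access(User{"rn-ortiz", Nurse}, "rec-4471", "view", now),
		OtherPhysician:    s.Access(User{"dr-kim", Physician}, "rec-4471", "view", now),
		PayerInWindow:     s.Access(User{"payer-acme", Payer}, "rec-4471", "view", now),
		PayerExpired:      s.Access(User{"payer-acme", Payer}, "rec-4471", "view", now.Add(96*time.Hour)),
		PayerDelete:       s.Access(User{"payer-acme", Payer}, "rec-4471", "delete", now),
		Staff:             s.Access(User{"it-helpdesk", Staff}, "rec-4471", "view", now),
	}
	d.AuditEntries = len(s.Audit)
	return d
}

func main() {
	fmt.Printf("%+v\n", RunAccess())
}
```

Two design points carry over to a real system: authorization is decided per recording against the patient's care team, not per role, so "physician" alone opens nothing; and the audit entry is written in the same code path as the decision, so there is no way to read a recording without leaving a record of who, what, when and why.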

Want more tips on keeping your ePHI protected?

Talk to the experts at LuxSci for a Free Consultation.