Telehealth, or the use of telecommunications technologies to provide health care services, allows the delivery of health care to patients despite the restrictions of geography. The scope of telehealth is wide-ranging; it includes connecting EMS providers using tablet devices to emergency room physicians to care for stroke patients, as well as virtual care, where the physician consults with the patient over a computer connection. In all its manifestations, telehealth is a surging industry that is expanding access to care.
While the benefits of telehealth may be apparent, the security risks are less obvious. Five security issues related to telehealth that health care providers may not be aware of follows:
When a health care provider is choosing which telecommunication provider they wish to use to provide telehealth services, they need to carefully review what security safeguards the telecommunication provider has in place. As with any new piece of technology, telehealth’s reliance on telecommunication services presents its own set of unique security issues.
An important consideration when evaluating the telecommunications platform is whether the transmission of the communication is encrypted. Encryption protects privacy by encoding the transmitted data so that if it is intercepted, it cannot be read without the decryption key. While a patient can request that their protected health information be sent to them without using encryption, and the Office for Civil Rights has indicated that the health care provider should comply with that request, it is a best practice to ensure that transmissions initiated by a health care provider containing protected health information should be encrypted.
Authentication, in technology, means the process of confirming that a person or machine is who they claim to be. Obviously, ensuring that a patient is who he or she claims to be is critical. In distant-site telehealth programs, authenticating the patient is usually relatively straightforward because health care providers are present with the patient, which can assist with that process. In virtual-care programs, however, authentication of the patient is a significant concern. Where the patient is known to the provider, the difficulty is minimized. However, often the patient is new to the provider and there is limited access to confirming data. Frequently, patients are required to select a username and password, which can be used to identify that individual for repeat visits. Two-factor authentication and the use of geo-location and machine recognition data can also help. Authentication is also supported by comparing the patient name with the payment information provided; however, that is not foolproof, as there are valid reasons for the names to be different. Health care providers should evaluate the mechanisms the telehealth vendor offers to authenticate patients.
Health care providers need to ensure that all parties involved in the telehealth transaction are taking all necessary precautions when it comes to security. Including auditing and security risk assessment rights in the underlying agreement helps ensure that the health care provider can regularly confirm that the telecommunication provider is fulfilling its contractual obligations to secure health information. Once you have the right to audit, it is important to exercise that right.
Conduit, Covered Entity and Business Associate
Telehealth arrangements may involve conduits, covered entities and business associates. Each role has differing levels of responsibilities and obligations under HIPAA when it comes to protecting patient information. It is important to understand what each role is and what responsibilities apply under HIPAA for each role.
In most cases, the telecommunication provider will be a “conduit.” Conduits exchange and transport patient information but do not access the information other than on a random or infrequent basis. They also do not maintain the information on a long-term basis. The telephone company and postal service are good examples of conduits. Many companies like to argue that they are a conduit when they are not. Cloud service providers are not conduits. Cloud service providers are business associates and must sign business associate agreements.
A health care provider that is treating the patient is a covered entity. A health care provider may also be acting as a business associate if it is providing administrative-type services that support treatment by another health care provider. If a health care provider is acting as a business associate, it must enter into a business associate agreement with the other health care provider.
Service Provider and Medical Records Owner
Due to the nature of telehealth, it can be complicated to determine which entity should maintain the medical record and who is responsible for the data generated from the telehealth visit. Careful consideration of data flows and responsibility for data security during the planning and contracting phase of the telehealth program will pay off in the long run. Consideration should be given to incident response in the event of a data breach, including cooperation in the event of a regulatory investigation. Finally, it is critical to remember that implementation of a telehealth program, by definition, creates a significant change to the computing environment of the health care provider; it is critical to complete an updated risk assessment that considers the new vulnerabilities and threats introduced by the telehealth program.
This article is educational in nature and is not intended as legal advice. Always consult your legal counsel with specific legal matters. If you have any questions or would like additional information about this topic, please contact:
- Melissa L. Markey at (248) 740-7505 or firstname.lastname@example.org;
- Andrew Lloyd Owen at (317) 429-3639 or email@example.com; or
- Your regular Hall Render attorney.
Melissa Markey and Andrew Lloyd Owen are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest health care-focused law firm in the country. Please visit the Hall Render Blog at http://blogs.hallrender.com/ for more information on topics related to health care law.