Telehealth and Coronavirus: Privacy, Security ConcernsAs Services Expand, What Factors Should Organizations Consider?
(See update on HIPAA rule waivers.)
To help deal with the coronavirus outbreak in the U.S., healthcare providers are examining how to implement or expand the use of telehealth services to remotely evaluate and care for patients. But some experts note that these providers need to carefully consider privacy and security issues as they work to quickly offer these services.
The use of telehealth services, including video conferencing, in dealing with the coronavirus can help lessen the demands on on-site healthcare resources while keeping sick or quarantined patients at a safe distance.
"But there is understandable confusion among healthcare providers and patients over what privacy and security protections are required when using telehealth services during the coronavirus crisis," says privacy attorney David Holtzman of the security consultancy CynergisTek.
A bill providing federal funding to fight the COVID-19 pandemic was recently passed by Congress and signed into law by President Trump.
"Tucked into that bill were provisions known as the 'Telehealth Services During Certain Emergency Periods Act of 2020,' which permits the secretary of the Department of Health and Human Services to waive certain requirements in order to allow for some telehealth services - including treatment services provided through the use of smartphones, standard telephones, fax machines and e-mail - to be reimbursed by Medicare," Holtzman says.
But while some restrictions were lifted on Medicare billable telehealth services that healthcare providers can offer amid the coronavirus outbreak, expectations for safeguarding patient's protected health information were not watered down in any way, he notes.
"Under HIPAA, covered entities must implement reasonable safeguards for PHI for unauthorized disclosures. And PHI may only be used or disclosed in ways allowed under the HIPAA Privacy Rule, like when needed for patient care or other specified purposes," Holtzman says.
"The HHS secretary does not have the authority to waive the HIPAA rules during a public health emergency, and the COVID-19 funding bill does not include any provisions that would preempt or repeal the HIPAA requirements," Holtzman says.
"A rush to establish new telehealth applications or a rush to expand existing ones to meet demands driven by COVID-19 can lead to overlooking important controls necessary to maintain security and privacy of information."
—Keith Fricke, tw-Security
The HHS Office for Civil Rights in February issued guidance reminding covered entities about when HIPAA allows PHI to be shared in a public health emergency, he notes.
"OCR reiterated that the HIPAA Security Rule requires that covered entities and business associates must ensure they safeguard the confidentiality, integrity and availability of e-PHI during a public health crisis just as they would normally," he says. "Healthcare providers and patients need to know that HIPAA's requirements to keep PHI safe and secure are there to protect patients in times like the coronavirus crisis," whether telehealth services are involved or not, he notes.
Critical Security Measures
Keith Fricke, principal consultant at tw-Security, notes that it's critical for healthcare entities to take a number of critical security measures when using telemedicine applications.
"I don't think these risks are heightened by the coronavirus," he says. "However, a rush to establish new telehealth applications or a rush to expand existing ones to meet demands driven by COVID-19 can lead to overlooking important controls necessary to maintain security and privacy of information.
"As with any technology deployment involving the storage, processing or transmission of PHI or other confidential information, it is important to implement telehealth services with the appropriate technical, physical and administrative controls."
As the use of telemedicine expands in dealing with the outbreak, new risks will also evolve, Fricke adds.
"As the coronavirus spreads, we may see some healthcare organizations opt to have non-clinical employees work from home. This will result in an above-average use of remote access services the organization may have in place," he says.
"The spike in data traffic due to remote workers could impact the quality of service of the organization's internet connection; consequently, this could affect the performance or availability of telehealth technologies if it shares using the same Internet connection as the remote workers. Capacity planning becomes more important in this situation."
Telehealth Uses and Constraints
Meanwhile, telemedicine's most prevalent use case is still a phone call and/or email to a primary care provider, notes Clyde Hewitt, executive adviser at CynergisTek.
"There is a small, but rapidly emerging market of direct monitoring and treatment systems that report back to care teams, such as wearable devices like heart monitors and insulin pumps. These, too, require components to be procured by the patient and a supporting infrastructure at the physicians' practices - both of which cannot accelerate fast enough to address the COVID-19 pandemic," he contends.
The advances in telemedicine will continue to be constrained by the deployment of technologies and the bandwidth to support video. Many rural areas, especially those that would benefit the most from telemedicine because of their physical distance from medical centers, simply don't have broadband, Hewitt says.
"Videoconferencing can be very beneficial and cost-effective to populations in nursing homes, assisted living facilities and rehabilitation centers," he says. "The high patient concentration will help support the implementation cost. The deployment of any solution will be constrained by the need for extensive training of already overworked caregivers."
Telehealth solutions use a wide variety of solutions, including point-to-point or a hub-and-spoke architecture, he notes.
"The point-to-point solution, including phone calls and texting photos, are the easiest to secure technically as there are minimum points that a third party could monitor the call. The exception is the storage of photographs texted to the physician, as they will either be on a mobile phone, or perhaps on a computer application that links to a mobile number," he says.
"Patients should be aware of the risk of sending very sensitive photos to their physician, as these would be stored outside of a typical electronic health record," he warns.