Which Video Technology to Use for Telehealth Services After COVID-19?
Providers wondering if which technologies to choose for telehealth services after COVID-19 will have a growing list of options. Fundamental to making those choices is a) understanding the law and b) understand a practice’s needs. This article will briefly review both aspects and point to other resources to help the practitioner make optimally-informed choices.
The Law (HIPAA, PIPEDA and Other Privacy Laws)
While most countries have a technology-related healthcare privacy law, the law referenced in this article is primary HIPAA, the US law — although Canada’s PIPEDA privacy law is similar to HIPAA in many respects, as are those in many other countries.
In the United States then, many clinicians seem to have misunderstood the COVID-related changes related to privacy and technology. In particular, many US providers believe that rules related to HIPAA have been relaxed for telehealth Services during COVID-19, but they have not. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has made it very clear that COVID-19 has led to the temporary relaxing of enforcement discretion, and NOT a relaxing of HIPAA rules themselves. In other words, the rules never went away. The only thing that changed is that the OCR has announced that it will in effect, look the other way during COVID-19. Krista Drobac, the Executive Director for the Alliance for Connected Care, a leading organization of healthcare and technology companies from across the health care spectrum, representing insurers, health systems and technology innovators, stated, “OCR is unlikely to extend HIPAA exceptions. When the emergency is over, you will no longer be able to use Facetime, Skype and you must use a HIPAA compliant platform.”
The difference in wording is pivotal. When considering which technology to choose for a telehealth practice because a provider’s switching from one video platform to another is likely to be disruptive to the delivery of care to clients and patients who are already struggling to maintain stability. Even a quick read of the title to the March 17, 2020, OCR’s COVID-related announcement regarding HIPAA shows that the OCR will not impose penalties for HIPAA violations, but the las is not repealed. The announcement is entitled, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.
Understanding One’s Practice Needs for Telehealth Services
The OCR announcement makes it clear that enforcement of the law is relaxed during COVID, for health care providers who provide telehealth in good faith. The issues of good faith actions then, much come into focus.
“Good Faith” in Delivering Telehealth Services?
The OCR article referenced above offers a number os ways that practitioners can operate in good faith. Those ways include doing the best they can do to supply as many privacy precautions as possible, including the:
- Release of the minimum necessary amount of information
- Use of as many security features as possible on the technology chosen
- Have a discussion with the client or patient of the risks to their privacy and security of the telehealth service can be compromised.
To operate in food faith in this context seems to involve being aware of the rules, how they are being broken for COVID, and explaining these issues to the client or patient in a way that is understandable in what seems to be a dynamic informed consent process. The issue of good faith may have repercussions regarding a practitioner’s choices related to technology as the world heads into a pandemic transition phase that already increasing the incidence of reported behavioral health issues, including post-traumatic stress disorder (PTSD), complicated bereavement, addictions and others.
With these clarifications in mind, providers wishing to continue to offer telehealth services after the pandemic emergency must make decisions about which telecommunication platforms to use, and how to educate their clients and patients about their use. When choosing a telecommunication platform to use for telehealth services, the following are a few of the several issues that should be considered.
Does the Telehealth Service Use Encryption?
Many telecommuting platforms pose a security risk when used in conjunction with sensitive information. While some telecommunication platforms are available for free, they often offer more customer service as well as security services for their paid subscriptions. However, there may still be risks associated with using paid services. For instance, it was recently discovered with the influx of Zoom users, that the company misled users into believing that the service used end-to-end encryption (E2EE). E2EE ensures that only authorized users have access to sensitive data. However, Zoom was using its own definition of E2EE, which led to the company being investigated by the New York Attorney General. While the service prevented outside access to meeting information, the company was still able to access the data, putting sensitive data at risk. For true E2EE, Zoom should not be able to access user data.
The zoom settlement reflected Zoom’s quick response to identified privacy and security concerns, including Zoom’s changed default settings, additional features to bolster user privacy, and removing questionable features that could impact privacy. The latest Zoom 5.0 platform reportedly addresses many outstanding issues, including implementing a 256-bit GCM encryption standard. As with many companies that were caught off guard by the COVID epidemic, standards have been improved and are now much safer. In fact, due to the recent investigation, there are chances that ZOOM may now be safer than some other video systems.
While many clinicians may feel a sense of security by knowing that they use a video company that is not in the mainstream news, they may be surprised to learn that many video systems use Zoom, Vidyo or VSEE at core, and develop a “wrapper” to re-sell one or more of these services to healthcare and other professionals seeking video services. That is because some of these larger companies have offered reliable services in the past, and have the types of funding that will keep their systems operational when needed.
As a HIPAA covered entity, telehealth service providers have an obligation to secure protected health information (PHI). Therefore, for sustainable telehealth services, providers should only use telehealth video platforms that utilize true end-to-end encryption.
Does the Telehealth Service Enable Access Controls?
Access controls enable providers to control who, within their organization, has access to PHI. HIPAA requires only the minimum necessary PHI to be used or disclosed, for a specific purpose. As such, each employee must have unique login credentials to access the telecommunication platform. This ensures that employees only have access to the PHI they need to perform all essential job functions.
Does the Telehealth Service Provide Audit Logs?
An audit log tracks access to PHI to ensure adherence to the minimum necessary standard. Audit logs provide information on what PHI was accessed, how long it was accessed for, and who accessed it. Keeping an audit log prevents insider breaches – unauthorized use or disclosure of PHI by an authorized employee – as normal access patterns are established for each employee.
Will the Telehealth Service Sign a Business Associate Agreement?
Even if a telecommunications platform has all of the necessary protections in place to secure PHI, if they are unwilling to sign a business associate agreement (BAA), they cannot be considered HIPAA compliant. A BAA is required to be signed by each of a covered entity’s business associates before it is permitted to disclose PHI to the business associate. A BAA mandates the security and privacy measure the business associate is required to have in place. It also limits the liability for each signing party, as each party is responsible for monitoring and maintaining their HIPAA compliance.
Telehealth Service Resources
TBHI HIPAA-Related Resources
TBHI has created a number of reports that are of particular interest to the telehealth community. One that is a TBHI Learner favorite is entitled “30 Questions to Ask your Video Vendor.” It actually is a checklist of about 60 questions to conduct a needs analysis before selecting your video vendor. A knee-jerk purchase can involve hours of set up time, only to find that the system you chose does not meet your practice needs.
For professionals who are still scratching their heads about HIPAA and how it related to telehealth service delivery, TBHI has a basic telehealth legal course called, Rules, Regulations & Risk Management. It provides 3-hours of CME or CE credit, simplifies the basics of telehealth privacy and security, explains telehealth-related HIPAA rules, and provides a clear path for not only getting informed, but staying that way.
Resources for COVID Telehealth Services
Below are a number of COVID-related telehealth service resources that you may find helpful as you make decisions about how to handle Protected Health information of the people you serve:
To access the OCR’s HIPAA-related documents for enforcement discretion related to telehealth, see:
OCR also issued guidance in the form of frequently asked questions in support of the good faith rendering of telehealth services:
If you are concerned about whether or not to share PHI for public health reasons, OCR also issued guidance on when the HIPAA Privacy Rule permits a covered entity to disclose the protected health information of an individual who has been infected with, or exposed to, COVID-19, with law enforcement, paramedics, other first responders, and public health authorities without the individual’s authorization.
For guidance in making decisions for your hospital, clinics, agency, small group practice or other entity, TBHI’s affiliate, the Compliancy Group may be able to help. They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Get HIPAA compliant today.
TBHI COVID Telehealth Resources
- TBHI has developed a number of COVID-related blog posts of interest to the telehealth professional community, ranging in topics from telephone reimbursement, group therapy procedures and reimbursement to an overall primer to help you find the right information without hunting on your own.
- A regularly-updated COVID-19 Telehealth Primer is available to help you navigate the many changes brought about by COVID-19 – all in one spot.
- TBHI specializes in offering you a step-by-step learning path of online telehealth training that helps you be legally and ethically compliant and clinically proficient.
- Essential Telehealth Technologies – overview of HIPAA-compliant technologies and how to choose which is needed for your practice after COVID
- Telehealth Clinical Best Practices Workshop — Live, interactive webinar, w/ 4 CME or CE hours to discuss preventing and handling complex clinical issues. These hours COUNT TOWARD ETHICAL TRAINING REQUIREMENTS.
- Course Catalog
- Micro Certifications to give you a broader range of legal and ethical grounding, and allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other arenas
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individual.