Sustainable Telehealth Services: Telehealth Beyond COVID-19
Although the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has temporarily loosened restrictions to increase access to telehealth services, there will come a time when the restrictions will be reinstated.
“OCR is unlikely to extend HIPAA exceptions. When the emergency is over, you will no longer be able to use Facetime, Skype and you must use a HIPAA compliant platform,” stated Krista Drobac, executive director of the Alliance for Connected Care.
With this in mind, providers wishing to continue to offer telehealth services after the pandemic emergency has passed, must look to telecommunication platforms that are HIPAA compliant. When choosing a telecommunication platform to use for telehealth services, the following should be considered.
Does the Telehealth Service Utilize Encryption?
Many telecommuting platforms pose a security risk when used in conjunction with sensitive information. Telecommunication platforms often offer more security services for their paid subscriptions, however, there may still be risks associated with using paid services. For instance, it was recently discovered with the influx of Zoom users, that the company misled users into believing that the service used end-to-end encryption (E2EE). E2EE ensures that only authorized users have access to sensitive data. However, Zoom was using their own definition of E2EE; while the service prevented outside access to meeting information, the company was still able to access the data, putting sensitive data at risk. For true E2EE, Zoom should not be able to access user data.
As a HIPAA covered entity, telehealth service providers have an obligation to secure protected health information (PHI). Therefore, for sustainable telehealth services, providers should only use telecommuting platforms that utilize true end-to-end encryption.
Do They Enable Access Controls?
Access controls enable providers to control who, within their organization, has access to PHI. HIPAA requires only the minimum necessary PHI to be used or disclosed, for a specific purpose. As such, each employee must have unique login credentials to access the telehealth services platform. This ensures that employees only have access to the PHI they need to perform their job function on the telehealth services platform.
Do They Provide Audit Logs?
An audit log tracks access to PHI to ensure adherence to the minimum necessary standard. Audit logs provide information on what PHI was accessed, how long it was accessed for, and who accessed it. Keeping an audit log prevents insider breaches – unauthorized use or disclosure of PHI by an authorized employee – as normal access patterns are established for each employee.
Will They Sign a Business Associate Agreement?
Even if a telecommunications platform has all of the necessary protections in place to secure PHI, if they are unwilling to sign a business associate agreement (BAA), they cannot be considered HIPAA compliant. A BAA is required to be signed by each of a covered entity’s business associates before it is permitted to disclose PHI to the business associate. A BAA mandates the security and privacy measure the business associate is required to have in place. It also limits the liability for each signing party, as each party is responsible for monitoring and maintaining their HIPAA compliance.