Sustainable Telehealth Services: Telehealth Beyond COVID-19
Although the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has temporarily loosened restrictions to increase access to telehealth services, there will come a time when the restrictions will be reinstated.
“OCR is unlikely to extend HIPAA exceptions. When the emergency is over, you will no longer be able to use Facetime, Skype and you must use a HIPAA compliant platform,” stated Krista Drobac, executive director of the Alliance for Connected Care.
With this in mind, providers wishing to continue offering telehealth services after the pandemic emergency has passed must look to telecommunication platforms that are HIPAA compliant. When choosing a telecommunication platform for telehealth services, the following should be considered.
Does the Service Utilize Encryption?
Many telecommunication platforms pose a security risk when used in conjunction with sensitive information. Telecommunication platforms often offer more security services with their paid subscriptions; however, there may still be risks associated with using paid services. For instance, with the influx of Zoom users, it was recently discovered that the company had misled users into believing that the service used end-to-end encryption (E2EE). E2EE ensures that only authorized users have access to sensitive data. However, Zoom was using its own definition of E2EE: while the service prevented outside access to meeting information, the company was still able to access the data, putting sensitive data at risk. For true E2EE, Zoom should not be able to access user data.
As a HIPAA covered entity, a telehealth service provider has an obligation to secure protected health information (PHI). Therefore, for sustainable telehealth services, providers should only use telecommunication platforms that utilize true end-to-end encryption.
Do They Enable Access Controls?
Access controls enable providers to control who within their organization has access to PHI. HIPAA requires that only the minimum necessary PHI be used or disclosed for a specific purpose. As such, each employee must have unique login credentials to access the telecommunication platform. This ensures that employees only have access to the PHI they need to perform their job function.
Do They Provide Audit Logs?
An audit log tracks access to PHI to ensure adherence to the minimum necessary standard. Audit logs provide information on what PHI was accessed, how long it was accessed for, and who accessed it. Keeping an audit log prevents insider breaches – unauthorized use or disclosure of PHI by an authorized employee – as normal access patterns are established for each employee, so access that departs from those patterns stands out.
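The per-employee baseline described above can be sketched as follows. This is an added example, not code from the article or from any telehealth platform; the record layout (employee, record, start time, minutes open), the names, and the thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample audit records: (employee, patient record, session start, minutes open).
BASELINE = [
    ("nurse_a", "pt-101", "2020-05-04T09:10", 12),
    ("nurse_a", "pt-102", "2020-05-05T10:30", 15),
    ("nurse_a", "pt-101", "2020-05-06T14:05", 10),
    ("clin_b",  "pt-201", "2020-05-04T11:00", 50),
    ("clin_b",  "pt-202", "2020-05-06T16:20", 45),
]
REVIEW = [
    ("nurse_a", "pt-101", "2020-05-11T09:40", 11),   # fits baseline
    ("nurse_a", "pt-201", "2020-05-11T23:15", 14),   # new record, odd hour
    ("clin_b",  "pt-202", "2020-05-12T15:00", 180),  # far longer than usual
    ("temp_c",  "pt-101", "2020-05-12T10:00", 5),    # no baseline at all
]

def build_baseline(records):
    """Per employee: records seen, hours of day seen, longest session."""
    base = defaultdict(lambda: {"records": set(), "hours": set(), "max_min": 0})
    for emp, rec, start, minutes in records:
        b = base[emp]
        b["records"].add(rec)
        b["hours"].add(datetime.fromisoformat(start).hour)
        b["max_min"] = max(b["max_min"], minutes)
    return dict(base)

def review(records, base, hour_slack=1, duration_factor=2):
    """Return (employee, record, reasons) for accesses that deviate from baseline."""
    findings = []
    for emp, rec, start, minutes in records:
        b = base.get(emp)
        if b is None:
            findings.append((emp, rec, ["no baseline for user"]))
            continue
        reasons = []
        if rec not in b["records"]:
            reasons.append("record not in usual set")
        hour = datetime.fromisoformat(start).hour
        # Distance between hours is measured around the clock (23 and 0 are 1 apart).
        if all(min(abs(hour - h), 24 - abs(hour - h)) > hour_slack for h in b["hours"]):
            reasons.append("unusual hour")
        if minutes > duration_factor * b["max_min"]:
            reasons.append("unusually long session")
        if reasons:
            findings.append((emp, rec, reasons))
    return findings

if __name__ == "__main__":
    print(review(REVIEW, build_baseline(BASELINE)))
```

A finding is a prompt for a human to check whether the access had a job-related purpose, not proof of a breach.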
Will They Sign a Business Associate Agreement?
Even if a telecommunications platform has all of the necessary protections in place to secure PHI, if the vendor is unwilling to sign a business associate agreement (BAA), the platform cannot be considered HIPAA compliant. A covered entity must have a signed BAA with each of its business associates before it is permitted to disclose PHI to that business associate. A BAA mandates the security and privacy measures the business associate is required to have in place. It also limits the liability for each signing party, as each party is responsible for monitoring and maintaining its own HIPAA compliance.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors is their opinion and is not intended to malign any organization, company or individuals.