For healthcare providers securing and protecting electronic personal health information (ePHI) is a formidable challenge—one that’s been made even more difficult by the industry-wide integration of telemedicine services. Now, as ePHI is digitally disseminated in real-time via telecommunication platforms, there are new variables added to the security and compliance equation.
Although these emerging technologies promise faster patient communication and better care service delivery, for hackers, they also represent new potential points of attack. Should a data breach occur you could face significant repercussions, particularly if you failed to comply with HIPAA guidelines on telemedicine.
However, by following the HIPAA framework much of this security threat could be prevented or minimized. How is telemedicine affected by HIPAA compliance? Let’s review.
HIPAA and Telemedicine
The adoption and integration of digital technologies has helped spur the movement towards a value-based care model. But this exposed the industry to new threats (namely, cybercrime).
In response The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was created with one primary goal in mind—to protect personal health information and prevent it from being illegally accessed.
Although telemedicine hadn’t yet been invented when HIPAA’s Security Rule was added, today, it falls under its auspices.
Assess your cybersecurity
HIPAA Security Rule and Telemedicine
Per the Department of Health and Human Services, “The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.”
For telemedicine simply keeping ePHI communication exclusive to a medical profession and patient isn’t good enough. The channel through which that information is shared must also be secure. HIPAA’s Security Rule guidelines state:
- Authorized users are the only people who should be able to access ePHI – This precaution ensures that only the right people access private information.
- An ePHI monitoring system needs to be integrated – This safeguard can prevent malicious or accidental breaches and alert you should a breach occur.
- You must implement a secure communication system – To protect the ePHI integrity you can’t use insecure channels such as Skype, email, SMS, or Zoom.
So what does all of this mean?
The communication platform you use must be HIPAA compliant and vetted for security. Even if patients are comfortable with having their information shared via an insecure method such as text or email, the risk of that data being intercepted is too high.
If you’re evaluating a new telehealth service, look for technology providers that practice telemedicine HIPAA compliance and provide secure, vetted technology solutions. By adopting a solution that has been tried and tested by a cyber-risk assessor you can take a large step towards ensuring your HIPAA compliance.
Common Telemedicine HIPAA Violations
Even if you use a secure communication platform, there may be ways that your telemedicine practices violate HIPAA. For instance, possible violations could include:
- Failure to train your staff – HIPAA requires that staff receive ongoing HIPAA compliance training. When you add telemedicine services to your practice, there are new protocols that must be implemented and followed to remain compliant. If staff aren’t trained, they won’t know the best practices for ensuring patient privacy and security.
- Messaging patients outside a secure portal – It may be tempting for staff to skip the hassle and relay ePHI via text or email. Those channels are not secure, nor are they HIPAA compliant. If data is to be transferred digitally, it must be protected by encryption.
- Downloading or saving ePHI on unsecured BYOD – Personal phones and tablets are vulnerable to loss or theft. For that reason healthcare providers must be wary about storing PHI on their mobile device. Ideally all devices will have safeguards such as dual-factor identification or remote wipe software.
- Shared logins and passwords – It’s easy for staff to become apathetic about security, which often results in shared passwords. Each user must have a unique ID and password. To maintain security those login credentials have to be kept confidential.
- Failure to share updated privacy policy with patients – Similar to staff, patients need to know when there are changes made to privacy practices. In fact HIPAA compels you to log every Notice of Privacy Practice (NPP). This includes changes to your telemedicine security program.
Penalties for HIPAA Noncompliance
Should a cyber breach occur because you failed to abide by HIPAA and telehealth strictures, you might face significant penalties. In 2019 the civil monetary penalties for HIPAA violations were increased. According to the HIPAA Journal, they consist of four tiers:
- Tier 1 – The provider has no knowledge of HIPAA violations. Had it done its due diligence, the rules would not have been violated.
- This results in a minimum fine of $117 dollars per violation, a maximum fine of $58,490 dollars per violation, and an annual maximum of $1,754,698 dollars.
- Tier 2 – There’s reasonable cause that the provider was aware of HIPAA violations or should have been aware, especially if they’d exercised reasonable due diligence.
- This results in a minimum fine of $1170 dollars per violation, a maximum fine of $58,490 dollars per violation, and an annual maximum of $1,754,698 dollars.
- Tier 3 – The provider willfully neglected HIPAA compliance but then took corrective actions within 30 days of discovery.
- This results in a minimum fine of $11,698 dollars per violation, a maximum fine of $58,490 dollars per violation, and an annual maximum of $1,754,698 dollars.
- Tier 4 – The provider willfully neglected HIPAA compliance and then took no corrective actions after discovery.
- This results in a minimum fine of $58,490 dollars per violation, a maximum fine of $58,490 dollars per violation, and an annual maximum of $1,754,698 dollars.
Covid-19’s Impact on HIPAA Security Rule and Telemedicine
In response to the Covid-19 pandemic some of the rules regarding privacy have been temporarily laxened. Per Health IT Security, “The OCR announced it would not impose penalties for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the regulation, following the Trump Administration’s expansion of telehealth services and HHS’ waiver of some HIPAA sanctions.”
This means that, for now, there are a variety of services that can be used to share ePHI, including:
- Google Hangouts
- Skype
- Zoom
- Facetime
- Whatsapp video chat
- iMessage
While you may be tempted to utilize these new ways to provide care, be wary of doing so. Though they have a modicum of security features—such as individual user accounts and credentials—they remain quite vulnerable nonetheless.
Put simply: a little extra convenience simply isn’t worth running the risk of a costly data breach.
Abiding By Telemedicine HIPAA Compliance
Telemedicine provides you with a new and exciting way to continue delivering high-quality care to your patients. But it doesn’t come without risks.
If a breach occurs and you’re found to be noncompliant with HIPAA, you might face serious penalties, especially if you were aware of the violations. Additionally, a loss of protected health information can destroy customers’ trust in your organization, damage your reputation, and impact your bottom line.
To prevent this you must take two main actions:
- Abide by the rules of HIPAA
- Enact security measures across your entire organization
If you need help with this process, we’re here to help.
RSI Security is the foremost compliance and cybersecurity provider. We specialize in cybersecurity consulting, guidance, and compliance testing.
Want to make sure that your telemedicine program is HIPAA compliant? Reach out today and we’ll make it happen.