Telemedicine and HIPAA

The digital age has presented numerous benefits for a variety of economic sectors with the health industry among the biggest winners. From faster communication between patients and health professionals to better service delivery, health organizations have seen improvements in a variety of daily operations. Sadly, the digital age is a double-edged sword, and as more health organizations use the latest technology, there is the looming threat of poor data security.

Threats such as the WannaCry ransomware attacks, which have wreaked havoc on the economy to date, are a constant reminder that data security should be a priority for organizations looking to leverage advancements in technology. For instance, while telemedicine promises improved service delivery, it introduces a security complexity.

HIPAA (Health Insurance Portability and Accountability Act) regulations have been a cornerstone for setting and raising the security standards in healthcare, and telemedicine might actually make it easier for health organizations to remain compliant. At the same time, a lot has to be done to improve the security loopholes presented by such technologies.

Here is how HIPAA and telemedicine fit together, and what needs to be done for better data security.

The Constant Threat Of A Data Breach

Data collected by health organizations can be a gold mine for threat actors. Protected Health Information (PHI) includes personal addresses, names, medical histories, identification numbers, and even credit card numbers. In the wrong hands, this data can be used for identity theft, for buying medical supplies fraudulently, or even for holding health data to ransom, as in the case of the WannaCry attacks. The sad truth is that ePHI (PHI held or transmitted electronically) will be at the disposal of threat actors unless the right security controls are put in place.

First, unless an organization's internal systems are sufficiently hardened, attackers can gain access to its networks or user accounts. In some cases, they need only compromise a low-privilege user account before escalating their privileges. Second, when it comes to third-party business partners, failing to choose security-conscious partners will easily lead to data breaches.

Lastly, insider threats continue to be a risk. If access control isn't a staple of a health organization's security program, it can be easy for a disgruntled employee to hand this data to threat actors. All of these concerns can be addressed through HIPAA compliance, and embracing telemedicine with HIPAA compliance in mind from the start is a step in the right direction.

How Telemedicine Has Revolutionized The Health Sector

In a nutshell, telemedicine has made the transfer of medical data at a distance quite easy. Diagnoses, medical histories, lab tests, and prescriptions can be transferred more easily and more cheaply than before. It also saves the cost of transporting patients from their homes to hospitals for diagnoses that could easily be done via video call.

The HIPAA Rules That Affect Telemedicine

The HIPAA guidelines cover more than the patients and doctors communicating ePHI at a distance. They also cover the communication channels and any third party involved in the communication process. For telemedicine to be compliant with HIPAA, the parties involved need to comply with these security rules:

  • Ensure that only authorized parties gain access to ePHI.
  • The channels used to communicate ePHI at a distance must meet HIPAA's security standards.
  • There needs to be a system in place for monitoring the communications that contain ePHI, to reduce the chance of accidental or malicious data breaches.

As long as physicians have effective safeguards in place for access control, the first rule should be easy to comply with. As for the second rule, insecure channels such as email, Skype, and SMS are ruled out entirely. Lastly, the onus is on those in charge of the ePHI technology to ensure that there are systems in place that can monitor communication and facilitate the deletion of unused data if the need arises. The last two rules also address where ePHI is stored.

Why Conventional Communication Channels Might Not Suffice

If the ePHI created by a physician (the covered entity) is stored by a third party, the third party and the covered entity have to sign a Business Associate Agreement (BAA). The BAA ought to include details of the methods the third party will use to secure the data and the procedures for auditing the data's security in accordance with the HIPAA guidelines.

Since copies of ePHI are bound to remain on the servers of conventional communication firms, such as Google, Verizon, and Skype, covered entities would need a BAA with such firms to remain compliant with HIPAA. Sadly, Verizon, Google, and Skype might not enter into such BAAs, meaning that the covered entities remain liable for fines for any breaches that result from the lack of HIPAA compliance by these third parties. The covered entities (the telemedicine providers) might also fail HIPAA audits.

Aligning Compliance And Telemedicine

The ideal messaging solution should be secure. It should also offer the same communication speed as Skype, SMS, or email, while also complying with the HIPAA security rule. This means that only authorized users should be allowed to access ePHI, the communication channel should be secure, and it should be fairly easy to monitor the activity on the channel.

The communication channels should also be user-friendly enough for both patients and physicians to use during interactions. Each authorized user gains access to the channel through a centrally issued username and password, which allows them to communicate with other users within the private communication network of the covered entity.

The channel should allow all types of communication, including images, documents, and videos. These media should be encrypted both in transit and at rest. As for monitoring, messages should be monitored through a cloud-based platform to ensure that secure messaging policies are adhered to in accordance with the HIPAA rules.
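The three rules listed above (authorized parties only, a secure channel, and monitoring of ePHI traffic) and the messaging-solution requirements just described can be made concrete in code. The following is an added example, not code from the article or from any telemedicine product: a small in-memory ePHI store whose every read passes a least-privilege authorization check and is recorded in a tamper-evident (HMAC-chained) audit trail, with a monitoring rule that flags accounts accumulating denied requests. The roles, field policy, patient records, audit key and the "more than N denials" threshold are all constructed for illustration; a real deployment would map roles to its own access policy and keep the audit key outside the application.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class User:
    user_id: str
    role: str                          # one of the constructed roles in ROLE_FIELDS
    roster: frozenset = frozenset()    # patients this clinician currently treats


# Constructed least-privilege policy: the ePHI fields each role may read.
ROLE_FIELDS = {
    "physician": {"name", "history", "labs", "prescriptions"},
    "nurse": {"name", "history", "labs"},
    "billing": {"name", "insurance_id"},
    "patient": {"name", "history", "labs", "prescriptions", "insurance_id"},
}


class AccessDenied(Exception):
    """Raised when a request fails the authorization policy."""


class EphiStore:
    """Constructed in-memory ePHI store: every read passes an authorization
    check, and every attempt (allowed or denied) is appended to an
    HMAC-chained audit trail so the channel can be monitored afterwards."""

    GENESIS = "0" * 64  # previous-MAC value used for the first audit entry

    def __init__(self, audit_key: bytes):
        self._records = {}
        self._audit = []
        self._key = audit_key      # assumption: kept outside the app in practice
        self._prev_mac = self.GENESIS

    def put(self, patient_id: str, record: dict) -> None:
        self._records[patient_id] = record

    def _authorize(self, user: User, patient_id: str, fields: set) -> Optional[str]:
        """Return None when the request is allowed, else the denial reason."""
        permitted = ROLE_FIELDS.get(user.role)
        if permitted is None:
            return "unknown role"
        if not fields <= permitted:
            return "field not permitted for role"
        if user.role == "patient" and user.user_id != patient_id:
            return "patient may only read own record"
        if user.role in ("physician", "nurse") and patient_id not in user.roster:
            return "no treatment relationship with patient"
        return None

    def _log(self, user: User, patient_id: str, fields: set, reason: Optional[str]) -> None:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id,
            "patient": patient_id,
            "fields": sorted(fields),
            "allowed": reason is None,
            "reason": reason,
            "prev": self._prev_mac,       # chains this entry to the one before it
        }
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        self._prev_mac = entry["mac"]
        self._audit.append(entry)

    def read(self, user: User, patient_id: str, fields: set) -> dict:
        """Rule 1 (authorized parties only) plus rule 3 (every access recorded)."""
        reason = self._authorize(user, patient_id, fields)
        self._log(user, patient_id, fields, reason)   # denied attempts are logged too
        if reason is not None:
            raise AccessDenied(reason)
        record = self._records.get(patient_id, {})
        return {f: record[f] for f in fields if f in record}

    def audit_trail(self) -> list:
        return self._audit

    def verify_audit(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry breaks it."""
        prev = self.GENESIS
        for entry in self._audit:
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("prev") != prev:
                return False
            payload = json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, entry.get("mac", "")):
                return False
            prev = entry["mac"]
        return True


def flag_users(audit: list, max_denials: int = 2) -> list:
    """Constructed monitoring rule: users whose denied requests exceed the
    threshold are returned for review (a crude signal of probing or misuse)."""
    denials = {}
    for entry in audit:
        if not entry["allowed"]:
            denials[entry["user"]] = denials.get(entry["user"], 0) + 1
    return sorted(u for u, n in denials.items() if n > max_denials)
```

Two design choices matter here. Denied requests are written to the trail before the exception is raised, because a monitoring system that only sees successful reads cannot distinguish a clinician working their roster from an account probing records it has no relationship with. The HMAC chain ties each entry to its predecessor, so an insider who can edit the log store still cannot alter, drop or reorder an entry without `verify_audit()` failing, as long as the key is held outside the application they can reach.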

Telemedicine Makes HIPAA Compliance Easier

While this might seem hard to believe, telemedicine might actually make compliance with HIPAA easier for health entities. Unlike conventional medical services, which had to introduce HIPAA compliance as an afterthought, telemedicine can be designed with HIPAA compliance at its center.

As such, the applications and technologies used to communicate ePHI at a distance can leverage the latest technological advancements and data security practices, including multiple data encryption methods and comprehensive system testing. Any partnership with a third-party vendor will also depend on whether a sustainable BAA can be signed with that vendor.

Telemedicine presents too big an opportunity to be ignored. Better still, the HIPAA guidelines can act as a security baseline for health organizations looking to embrace telemedicine. Since compliance is achievable, keen organizations can enjoy its perks without fearing costly fines.

About the Author


Anton Lucanus is a published cancer researcher who is interested in the role of digital technology, big data and telecommunications in the biomedical sciences. He currently serves as the Director of Neliti - Indonesia's most widely used research database.
