Just because you’re using HIPAA-compliant telemedicine software doesn’t mean that you aren’t violating HIPAA. Here are six pitfalls to avoid.
by Teresa Iafolla
One of the most common misconceptions around telehealth and security may be this: using HIPAA-compliant telehealth software will protect you against HIPAA violations.
Of course, using telehealth software that follows the clear technical and physical safeguards laid out in HIPAA is a key part of building a HIPAA-compliant telehealth care program. But it’s only one piece of the larger puzzle in maintaining the security of your protected health information (PHI).
Navigating the intricacies of HIPAA can be tough, even for top-level healthcare executives trained in health security and compliance. When it comes to telehealth, compliance issues are often more complex because of the introduction of mobile devices, wireless connections, and a long list of technology vendors involved in delivering that telehealth solution. Plus, healthcare staff may not always understand how to apply HIPAA to new technology. Any software tool, no matter how closely it follows the technical and physical safeguards outlined in HIPAA, can be used in an insecure way by medical staff.
Beyond knowing the technical requirements of HIPAA and reviewing them with your telehealth vendor, you also need to train your staff and put the right clinical workflows in place to create a truly HIPAA-compliant telehealth program for patients.
Here are a few of the most common ways your telehealth program may be breaking HIPAA.
1. PHI is being downloaded or stored on unsecured mobile devices
Using a telehealth mobile app can be incredibly convenient. But healthcare providers need to be cautious with any PHI that is stored on their mobile device, because a lost or stolen device is a lost or stolen copy of that PHI. Consider instituting a few extra precautions:
• Install remote wipe software on the mobile device so PHI can be erased if the device is lost or stolen
• Password-protect the device so it cannot be opened by whoever picks it up
• Require a review of the data stored on the device, and its removal, before the device is thrown away or recycled
2. Logins to your telehealth software are shared around the office
“A common HIPAA violation in many offices is generic, shared passwords,” says Sheryl Cherico, CEO of healthcare IT company Tier3MD. “Having a unique ID for each user is required, and will also allow monitoring if necessary.”
Beyond having a secure login for any telehealth software that accesses PHI, each user needs their own login credentials and should keep them private. A shared login makes it impossible to tell from the access logs which staff member viewed or changed a patient’s record, which defeats the audit controls HIPAA expects you to have.
3. You have no systematic HIPAA staff training in place for telehealth
One of the core administrative requirements of HIPAA is ongoing training for staff. Adding telehealth services to your practice often creates new workflows and new challenges for maintaining HIPAA compliance. If you haven’t yet done additional HIPAA training as part of launching your telehealth program, you’re at risk. Staff can’t protect patient privacy if they don’t fully understand the new security protocols they should be following.
4. Your Notice of Privacy Practices doesn’t cover telehealth
Just like your staff, patients need to be informed of how their PHI is being protected. HIPAA requires you to keep a current Notice of Privacy Practices (NPP) that is specific to your own practice and covers your telehealth program. Make sure you update your NPP and share it with patients.
5. You’re messaging patients outside a secure portal
Telehealth can make connecting with patients as easy as clicking a few buttons on your smartphone. This shift may tempt you to reach out to patients via ordinary text message or email to follow up on a visit. But doing so, and potentially sharing PHI in an unsecured manner, is a clear HIPAA violation. Any individually identifiable health information needs to be protected with encryption and shouldn’t be sent outside of telemedicine apps or tools that you know are secure.
6. You haven’t entered into a business associate agreement (BAA) with all business associates involved
Do you know all the companies involved in storing, transmitting, and handling your PHI? Beyond signing a BAA with your telehealth vendor, you should know about any third parties who manage your PHI on that vendor’s behalf (hosting, messaging, or storage providers, for example). Your BAA should specify how the company will ensure the security of your patient data, the encryption methods it uses, documentation of its security practices, and its emergency and breach-notification protocols, to name a few key HIPAA requirements.
Have you addressed all these potential HIPAA issues? Chances are you’re on track to ensuring your telehealth program is secure. Make sure you continue to review your telehealth workflows against HIPAA requirements on a regular basis. It’s likely your telehealth program and technology will continue to evolve, and with them the processes you need to ensure HIPAA compliance.