HIPAA Compliance for Telehealth: The Key Security Tips You Need


HIPAA compliance for telehealth has rapidly become a central priority for health care providers. Eighty-one percent of Americans own a smartphone, according to the Pew Research Center, and more than 50% of Americans aged 65 and over own one. Since older people tend to need more health care resources and many of them now carry smartphones, there is a significant opportunity to deliver care remotely.

Telehealth Is Booming and What That Means For IT Security

In the past, telehealth was little more than the ability to make a phone call to your physician or contact a call center. Those services still exist, and the health data they generate continue to require a high level of IT security protection. However, the current generation of telehealth systems collects vastly more data, including video calls. CNBC reports that telehealth visits may exceed 1 billion in 2020. Further, a critical regulatory barrier has recently shifted. According to the CNBC article, “[the US government] declared Medicare and Medicaid would pay the same rates for virtual visits as for in-office appointments. The administration also temporarily eased regulations to allow the use of their mobile devices for virtual visits.” These changes mean many more health care providers will be willing to offer telehealth services than ever before.

While the change in regulations facilitating telehealth is described as temporary, patients and health care providers are likely to want to keep this option available in the future. After all, telehealth provides a high level of flexibility and helps vulnerable people avoid picking up infections in hospitals and clinics.

Given these trends, it is up to IT security leaders to support telehealth security. At a minimum, it is critical to follow HIPAA requirements so that your organization avoids penalties. Violating this law is not only bad for your organization’s reputation; the fines and potential criminal penalties could be life-altering.

HIPAA Compliance for Telehealth: Your 5-Day Roadmap To Success

No IT security program stays on track without occasional reviews and optimization. At the same time, few teams have time to carry out an exhaustive review of their entire environment. That’s why we have designed this five-day HIPAA compliance program for telehealth. In one week, you can address your essential requirements and identify projects to close any gaps you find. Note that HIPAA is a complex law with many different provisions. In this article, we will focus on the law’s security-related provisions.

Day 1) Inventory Your Organization’s Current and Planned Telehealth Services

Before you make changes, it is essential to make a list of the current telehealth services in your organization. For example, find out whether there is a call center that takes patient calls. Keep in mind that telehealth services may not be formally organized: there may be a few doctors here and there who personally accept video calls from patients. As you build the inventory of practices, also take note of the information systems used to store and process health data. Some people may use paper folders, while others use a patient information system.

Day 2) Identify Your Current HIPAA Compliance Processes

The second day of this process involves gathering information on the organization’s current HIPAA compliance practices. In particular, look for references to HIPAA requirements, such as the Security Rule, in your IT security policies and procedures. Next, look for evidence that someone is regularly reviewing HIPAA compliance. Finally, assess the quality of the HIPAA compliance training offered to staff.

Tip: To evaluate the quality of HIPAA compliance training, consider the frequency of the training first. If an annual refresher session is offered, employees are more likely to stay informed. In contrast, an organization that only trains new employees when they are hired will see a gradual erosion of HIPAA compliance knowledge over time.

Day 3) Analyze Your Telehealth Program For HIPAA Compliance Gaps

On Day 3 of the process, you will compare the essential HIPAA security requirements (e.g., the Security Rule) against how your organization currently safeguards telehealth-related information. At a minimum, use the following self-assessment questions to detect gaps in your HIPAA compliance practices for telehealth.

  • Is all telehealth-related information, including video calls, call recordings and notes, uniformly protected by security safeguards?
  • Are you using access management software to restrict access to health records to authorized staff, and are those access rights reviewed?
  • Are staff aware of the consequences of failing to meet HIPAA compliance requirements?
  • Has management provided access to training and support so employees know where to get answers to questions?
  • Do you have processes, such as encryption, to protect data in transit and at rest?

Day 4) Choose Your Top Two Gaps To Solve

On Day 4, you will make some decisions about your next steps toward HIPAA compliance. In our experience, consistency is a significant challenge with HIPAA compliance. Suppose, for instance, that your call center has a robust process for managing telehealth records because all your agents use the same system. Individual physicians who take phone or video appointments, however, may each have different practices and systems for safeguarding health information.

In the scenario above, your call center is already protecting information effectively, so there is little need to focus on that area. Instead, you will probably choose to focus on equipping physicians with better technology and training so they can serve patients without running afoul of HIPAA requirements.

Day 5) Start A Project To Close Your Top HIPAA Compliance Gaps

On Day 5, you will create a project plan to address the gaps you selected. In most larger organizations, you will need engagement from multiple groups, including frontline health care professionals, technology and human resources. Share your vision with each group and explain the HIPAA compliance risks in your telehealth program. After you earn their support, you can start the work.

What’s Next For Your IT Security Program?

After you close the top gaps by completing a few projects, your organization’s telehealth data will be much better protected. Now make sure you stay compliant by regularly reviewing monitoring reports, such as password and access reports, rather than treating compliance as a one-time project. Constant vigilance is the best way to stay HIPAA compliant.

Written by Nelson Cicchitto