Can Convenience, Healthcare Security, and HIPAA Compliance Co-exist?
Telehealth has done much to broaden healthcare access over the last decade, but the pandemic made it mainstream. Healthcare providers quickly realized the benefits of offering remote care, and many have been eager to adopt telehealth. For example, an estimated 20% of all emergency room visits — and 24% of routine office visits and outpatient volume — could be delivered virtually via telehealth.
But while this technology has created a wealth of opportunity, it comes with vulnerabilities that endanger patient privacy. In 2020, according to HIPAA Journal, there were 642 significant healthcare data breaches (defined as over 500 records), a 25.4% increase from 2019 and a 74.5% increase from 2018.
To ensure patient privacy, organizations using telehealth platforms and other software must consider the system’s security, how much data they gather, and how they store that data. By nature, telehealth involves large amounts of protected information that, if leaked, can lead to expensive fines and remediation. A healthcare data breach now costs $7.13M, up 10% from 2019.
What Is Telehealth?
First, let’s define what we’re including when we say “telehealth.” Telehealth encompasses a broad array of technologies and services available to patients and practitioners. Telehealth platforms may stand alone or integrate with patient portals and EHR systems.
Because telehealth services leverage the internet, they are subject to the risks that connectivity creates. Centralized data and management of access are essential to making these solutions secure. It requires using privileged access management (PAM), which provides identity governance and administration (IGA) to track and secure access. Patient privacy hinges on supplying the right access to the right people for the right resources only as long as necessary. IGA also ensures governance rules (HIPAA specifically) are applied and maintained consistently.
Read Data Access Governance for Healthcare Privacy Compliance to explore key privacy regulations such as HIPAA and CCPA.
With virtual appointments, patients log into a web-based portal to access a provider via a virtual conference call, which typically involves video. The interaction between patient and practitioner facilitates discussion, diagnosis, and prescribing for many conditions.
According to the APA, remote therapy services have been on the rise since 2017. Virtual appointments are common in behavioral health for therapy sessions. Follow-up appointments and lab result reviews are also conducive to telehealth. It’s important to note that virtual appointments aren’t always appropriate (or billable!) for certain diagnoses or conditions, particularly for patients with complex medical histories.
Virtual appointments offer convenience and protection from infectious diseases for patients and providers alike. Patients benefit from the flexibility, and healthcare organizations experience reduced no-show rates. But telemedicine must address privacy considerations. Protecting patient data requires healthcare organizations to exercise best practices in three areas: administrative, physical security, and technical security.
- Administrative – Healthcare organizations restrict access to the patient records generated in virtual appointments to only authorized personnel. As with an on-site appointment, only those providing direct service — and those with clearly defined administrative needs like insurance billing — require access to these records.
- Physical Security – Both patients and providers require a private location to hold the appointment. Avoid interruptions if possible to prevent others from overhearing sensitive patient information.
- Technical Security – Utilizing encryption protects patient data at rest and secures the communication over the network during the appointment. Healthcare organizations need to guarantee that no third parties intercept or spy on any appointment and prevent patient data from leaking.
Virtual appointments present compliance challenges for health organizations because of how HIPAA defines protected health information (PHI). The HIPAA Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
Patient portals offer patients convenient access to their health records. This helps meet interoperability requirements and allows health organizations to share patient data with authorized associates to deliver better care. Securing access to patient portals presents a challenge. Healthcare technology must walk a fine line between user experience and security. Bad actors easily acquire public information such as a patient’s phone number or address. Yet, access authorization can’t be too complicated for the average patient.
Healthcare organizations can take steps to verify a patient’s identity when they sign up for a patient portal. Integration with identity verification software helps prevent identity fraud by improving the ease and accuracy of identification. This allows healthcare providers to off-load some risk in protecting patient data.
Once the patient’s identity has been verified and associated with their medical records, they will need credentials to access them regularly. Credentials can be created and managed by the healthcare organization or a third-party authentication source such as Google, Yahoo, or Facebook.
Unfortunately, while federated authentication like this may be easier for patients, it adds risk. Third-party authentication vendors open the door for PHI exposure by relying on the third-party to ensure that a patient’s credentials are secured.
The rising use of telehealth also accelerated remote collaboration between providers. Specialists remotely connect with doctors and staff to review patient records, consult, and provide guidance. While this results in more comprehensive care, it also introduces a further risk of PHI disclosure.
Insider threats account for almost one-third of all attacks. Even individuals with the best intentions can unwittingly fall prey to bad actors through social engineering or phishing. Any compromised account is a security hole.
Experian describes the coming year as a ‘cyber-demic,’ calling COVID-19 vaccine rollout information and personal healthcare data “particularly vulnerable.” Healthcare organizations and their associates must implement identity access governance for collaborative tools and the data shared on them.
Security in telehealth requires that you have a full picture of a user’s risk profile, including access analytics, usage analytics, individual user activity, and inherent user risk. User activity should be tracked and monitored by type, role, permissions, data accessed, and functions performed. Healthcare security requires access management tools to perform real-time authentication and apply policies that deliver appropriate access to each user.
See what Cerner has to say about taking a proactive approach to healthcare identity governance administration.
Self Checkup: Collection, Storage, Sharing, and Protection
To maintain HIPAA compliance, you must collect only as much data as needed to provide quality care. For this reason, you need to know what information is collected, stored, and shared. Then, you must be sure this data is protected. Security goes beyond just encrypting data in storage — appropriate access controls must be maintained.
While healthcare security challenges with telehealth might seem significant, it’s possible to protect patient privacy and achieve regulatory compliance with the right tools. Using a unified platform that offers a convergence of identity governance and access management enables healthcare organizations and vendors to deliver convenient and comprehensive healthcare without compromising patient privacy.
Learn more about how healthcare providers can balance information sharing and patient privacy for better care.