This article was originally published in MLMIC’s Third Quarter 2020 issue of The Scope: Medical Edition
Authored by William P. Hassett, a senior attorney with Fager Amsler Keller & Schoppmann, LLP
The COVID-19 pandemic catapulted telehealth to the forefront of healthcare as an effective means for physicians to continue to provide care without exposing themselves or their patients to the highly contagious coronavirus. Through waivers of state and federal regulations, the use of this technology quickly accelerated, with many providers using common platforms such as Skype or FaceTime to communicate with their patients.1 As New York state slowly emerges from this health crisis, the use of virtual treatment through telehealth continues to expand as both practitioners and patients have realized its benefits.
However, the rapid expansion in the use of this technology has increased the risk of privacy breaches as well as cyberattacks. Health records present a treasure trove of valuable information for cybercriminals, and telehealth provides yet another avenue to gain access and exploit these materials for nefarious purposes. This article will provide an overview of applicable Health Insurance Portability and Accountability Act (HIPAA) standards related to cybersecurity, with a focus on practices that can help reduce the risk of privacy breaches or cyberattacks related to the use of telehealth.
Telehealth and the HIPAA Security Rule
HIPAA requires covered entities2 to develop and follow procedures that ensure the privacy and security of protected health information (PHI) whenever it is transferred, received, or handled.3 These requirements apply to all forms of PHI, including information obtained or transmitted via telehealth or teleconferencing.
The Security Rule, as a subpart of the HIPAA regulations, specifies that practices must implement reasonable and appropriate safeguards to ensure the confidentiality and integrity of electronic PHI.4 Although the Security Rule provides basic standards, it allows for flexibility of approach and permits practices to evaluate their own needs and use any security measures that allow compliance with the standards. In deciding what security measures to incorporate, the HIPAA regulations provide that a practice must consider its size, complexity, and capabilities, as well as its technical hardware, its software infrastructure, and the costs associated with security measures. The Security Rule is composed of three categories, called safeguards, that are aimed at protecting and securing PHI: administrative, physical, and technical.
Administrative safeguards require practices to implement policies and procedures to prevent, detect, contain, and correct security violations.5 Similar to any other device or software containing PHI, practices should implement strong password security on any telehealth platforms used to communicate with patients. Practices should also ensure that its practitioners using telehealth maintain individual passwords on these platforms and require that the passwords are changed with regularity.
Existing practice security policies pertaining to employees and staff should also be reviewed and updated to accommodate additional risks presented by telehealth. This should include the development of an incident response and remediation plan to address breaches should they occur. This plan should specifically address the manner of notifying the affected patients and potentially the Department of Health and Human Services or law enforcement, depending upon the nature and size of the breach.
Finally, practitioners must require that their telehealth platform vendor enter a Business Associate Agreement (BAA) that ensures the vendor will appropriately safeguard PHI that is stored or transmitted via its platform. Business associates are defined by HIPAA to include subcontractors who create, receive, maintain, or transmit PHI on behalf of the covered entity.6
A business associate can be held directly liable under HIPAA regulations for civil and criminal penalties for the unauthorized use and disclosure of PHI. In addition to confirming the vendor’s duty to safeguard PHI, the BAA should also limit the acceptable uses and disclosures of PHI by the vendor. Moreover, it should clarify that at the end of the contractual relationship, the vendor will return or destroy any PHI of the practice that it may have in its control.
Telehealth platform vendors will likely already have BAAs drafted for a practice’s execution. These agreements should be examined carefully to determine the extent of access and use of PHI being given to the vendor.
The Security Rule also requires practices to implement policies and procedures to limit physical access to their electronic information systems, including desktops, laptops, tablets, and smartphones.7
Any devices that contain PHI or are used for telehealth should be locked with user password access. Practices should also consider disabling USB ports on any devices that are used for telehealth transmissions. Ports are a prime source for the introduction of malware via thumb drives and other devices.
The facility where the telehealth devices are housed should be physically locked to prevent inappropriate access or theft.
Most importantly, when a provider is interacting with a patient via telehealth, it should be done in a secure location that would not allow audio or visual access to unauthorized third parties. Always be cognizant of conducting the telehealth patient encounter in the same manner as a face-to-face encounter in an examination room.
The technical safeguards of the Security Rule require that practices implement technical policies and procedures for electronic information systems that maintain electronic PHI to allow access only to those persons or software programs that have been granted access.8
First and foremost, the practice should confirm that its telehealth platform vendor is HIPAA compliant. The practice should also maintain a policy that software updates, including antimalware applications, are regularly performed on office computers, tablets, and smartphones.
Telehealth communications should be conducted over a virtual private network (VPN). This connection method will provide end-to-end encryption of data between the practice’s private network and the patient’s device.
Finally, the practice should consider if the telehealth platform is electronic health record (EHR) agnostic and whether its integration with an existing EHR system could cause security weaknesses that could expose additional PHI.
Other Important Considerations
Despite due diligence and developing best practices, privacy breaches or cyberattacks may still occur. In addition to developing or upgrading policy safeguards, there are many other components of risk prevention that a practice should consider relative to telehealth security.
Unlike practices, patients are not subject to the HIPAA Security Rule and may be their own worst enemies when it comes to a privacy breach stemming from telehealth. Practices should inform patients that the unauthorized use of their smartphones, tablets, and laptops can result in a privacy breach or cyber threat. Patients should also be informed that the use of electronic devices accessible by others, such as workstations, should not be used for telehealth.
The patient’s obligations should also be discussed when obtaining his or her consent to telehealth. When a written patient consent for telehealth is used, a practice should consider incorporating language in the document that acknowledges that the patient was advised and understands the practice has no responsibility for privacy breaches stemming from the patient’s own failure to take preventive measures.
Finally, before commencing a telehealth videoconference, a practitioner should also confirm that the patient is in a confidential location where PHI cannot be overheard by a third party
TELEHEALTH PLATFORM VENDOR AGREEMENTS
Not all telehealth platforms are created equal. Practices should research telehealth platform vendors and scrutinize contracts and service agreements.
Some of the things to look for in a vendor agreement include whether the vendor will provide assistance in the event of a privacy breach or cyberattack; whether the vendor provides indemnification for the practice relative to damages stemming from a privacy breach caused by its services; and whether there are limits placed on the vendor’s liability, such as an amount specified in the agreement or the fees already paid for service. Finally, the practice should confirm that the platform vendor maintains cyber-liability insurance, including the policy limits, to cover privacy breaches that may be caused by the vendor’s negligence.
Finally, a practice should assess its telehealth footprint and risks to determine whether it should maintain cyber-liability insurance to protect against a potential breach or cyberattack.
Many claims associated with cyberbreaches are not covered under a professional liability insurance policy. Without adequate coverage, this can prove costly for a practice.
Besides considering a policy’s limits of indemnity, a practice should investigate if the policy provides coverage for regulatory fines relative to HIPAA violations. Also, in the event of a breach or attack, does the policy provide coverage for post-event mitigation costs, including information technology contractors and legal counsel?
The rapid expansion of telehealth has provided many benefits to both practitioners and their patients. As the use of this technology continues to grow, practices must be aware of the risks presented by potential privacy breaches and cyberattacks. By developing HIPAA-compliant safeguards and assessing its own risks, practices can minimize these potential exposures and associated damages.
1 See, Department of Health & Human Services – Office for Civil Rights, Notification, 3/17/20, https://www.hhs.gov/hipaa/for-professionals/ special-topics/emergency-preparedness/ notification-enforcement-discretion-telehealth/ index.html. See also, Executive Order, Gov. Cuomo No., 202, https://www.governor.ny.gov/ news/no-202-declaring-disaster-emergencystate-new-york.
2 45 C.F.R. § 160.103 defines a covered entity to include a healthcare provider who transmits any health information in electronic form for billing or insurance purposes.
3 45 C.F.R. § 164.104
4 45 C.F.R. § 164.306
5 42 C.F.R. § 164.306
6 42 C.F.R. § 160.103
7 42 C.F.R. § 164.310
8 42 C.F.R. § 164.312