ERs are in critical condition—too many patients and not enough beds. Given the seriousness of the COVID-19 pandemic, the Office for Civil Rights (OCR) is allowing providers to use their discretion in setting up telehealth meetings (rather than in-office meetings) with patients. The goal is to keep healthy or non-critical patients—especially those who are immunocompromised or elderly—away from infected patients in hospitals.
1. Telehealth Tools
OCR’s support of telehealth appointments focuses on communication tools. OCR excludes public-facing video applications (e.g., Facebook Live), but approves of applications such as Facebook Messenger, Skype, Zoom, or Apple FaceTime; just about any phone, computer, or application that has a video feature that isn’t public will work. Each of these options is seen as secure enough to handle communication between patient and provider so every patient can receive the care they need.
2. Telehealth Privacy
Is telehealth private? In a word, yes.
Normal privacy considerations for in-person appointments are just as important during telehealth appointments. In most states (but not all), patients who use telehealth are required to sign a form agreeing to use this method of care. The American Telemedicine Association recommends obtaining informed consent from patients, and most organizations have adopted this approach to ensure patients are aware of their privacy rights.
Best practices for telehealth are the same as or similar to those for traditional in-person doctor visits.
- Doctors should be in a room by themselves for privacy and confidentiality reasons.
- Patients should also find a private space where they can speak freely without worrying about being overheard.
- Telehealth sessions should never be recorded.
- Physicians should never screenshot any part of the consult.
- Doctors should assure patients that if they’re concerned about privacy, they can talk to the business manager or vCISO to understand procedures more completely.
Doctors should also expect security-related questions before and after the consult. It’s a good idea for IT to equip physicians with answers to questions regarding security and how data will be handled.
3. Telehealth Security
In terms of both security and privacy, telehealth patient data is subject to the same level of protection as data from conventional face-to-face meetings with physicians. Telehealth data is stored in central EMR systems and is protected by the same technical and administrative controls as all other medical information in a patient’s medical record.
In the middle of a pandemic like COVID-19, physicians and hospitals have to consider new ways to accommodate patients without unnecessarily exposing them to existing sick patients. Done right, telehealth is a safe, secure option. For providers to ensure that security long-term, daily vulnerability scans, security risk assessments, security awareness training, and incident response plans, among other cyber-efforts, should be in place and executed on a regular cadence.
If you have questions about telehealth and cybersecurity, contact us. Agio is an authorized HITRUST CSF and we’d love to answer your questions and ensure your telehealth efforts are as secure as possible—both for your patients’ peace of mind as well as yours.