This post, Keeping Telemedicine HIPAA Compliant, first appeared on http://hitconsultant.net/.
Editor’s Note: Brady Ranum is VP of Products and Strategy at Dizzion, a cloud delivered desktop and end user computing solutions provider.
The healthcare industry is currently experiencing two major trends that are on a potentially dangerous collision course: the rise of telemedicine (and the corresponding increase in remote workers) and a spike in healthcare data breaches.
As early as 2014, a telemedicine survey by Foley & Lardner found that an astonishing 90 percent of healthcare organizations had already implemented or began developing a telemedicine program. Much of this has taken the form of remote appointments and monitoring, with the American Hospital Association finding that “70 percent of patients are comfortable communicating with their health care providers via text, e-mail or video.”
Meanwhile, data breaches compromising personal health information (PHI) are on the rise. Healthcare data breaches affecting more than 500 records rose by 17 percent in 2016, according to data from the Office of Civil Rights. With medical information now reportedly worth 10 times more than credit card information, according to Reuters, this trend isn’t likely to subside any time soon.
This makes HIPAA compliance and data security more important than ever before. As PHI and health services are put into the hands of more service providers outside traditional settings it’s imperative that healthcare organizations and their business associates have solutions in place to enhance security and strengthen compliance measures.
Telemedicine and HIPAA Compliance
Securing and protecting PHI has proven difficult enough for many organizations, with breaches commonly caused by unauthorized employees accessing records they shouldn’t be and the loss, theft or leak of unencrypted data. The rise of telemedicine adds another layer of complexity to the situation. Now PHI is being regularly discussed and transferred electronically and in real-time via voice, video and files – sometimes with providers in the healthcare organization’s physical location, sometimes with contractors at a call center and sometimes with work at home care givers.
Part of the HIPAA Security Rule requires covered entities to put technical safeguards in place to protect against unauthorized access to PHI that is transmitted over an electronic network. This is commonly interpreted as meaning that the transmission and storage method must be encrypted. While patients may be comfortable communicating with care givers via text, email and video, these tools aren’t inherently HIPAA compliant (because the transmission isn’t encrypted), leaving the healthcare organization and its business associates open to a data breach and HIPAA violation.
Is Technology the Solution?
While initially hesitant to adopt new IT solutions – particularly cloud based solutions – because of security concerns, the healthcare industry as a whole has recently been turning to technology to solve emerging issues, gain productivity advances and even strengthen security.
This same approach can be taken to address HIPAA compliance as healthcare organizations and third party service providers move deeper into telemedicine. When evaluating new technology services to enable telemedicine, covered entities should seek out providers that specialize in HIPAA compliance and offer a verified compliant solution. Choosing a solution that has undergone an independent audit by cybersecurity risk management advisors provides peace of mind that the solution truly is HIPAA compliant. This independent verification and asking the right questions during solution research are key as many organizations have higher level compliance that doesn’t necessarily trickle down to individual services, solutions or products. As a final piece, a healthcare organization should only work with partners that are willing to sign a business associate agreement, a key provision of the HIPAA compliance standard.
For an added layer of security and assurance, organizations should make sure that any employee or contractor accessing PHI is working within a secure, HIPAA compliant virtual desktop. This is particularly important with remote care givers since an in-house IT team has less (sometimes even no) control over the remote agent’s computer to ensure updated security measures. VPN’s aren’t a comparable solution because applications and data are still stored on local endpoints instead of the secure (off-device) environment offered by a virtual desktop.
Capitalizing on the Opportunity of Remote Healthcare Workers
Telemedicine offers an enormous opportunity for healthcare organizations to lower overhead while offering patients the kind of access to care they want by embracing a more remote model. In order to do this successfully, securely and in compliance with today’s (and tomorrow’s) standards, organizations can’t blindly move forward, putting any technology and solution provider in place. Remote working programs have been growing in popularity across industries, but in order for healthcare to adopt this model they need to actively seek out technology that meets HIPAA requirements and allows remote care givers to be productive, secure and compliant at the same time.
While there is no “silver bullet” solution to data security or HIPAA compliance, adopting solutions that are custom designed to address these key areas of importance can help healthcare organizations create stronger programs and more comfortably move into the future of remote working and telemedicine.
This post, Keeping Telemedicine HIPAA Compliant, first appeared on http://hitconsultant.net/.