As the healthcare industry transitioned from paper to electronic health records (EHRs), a bevy of patient protected health information (PHI) security issues emerged. The safe storage, access, and transfer of electronic PHI or “ePHI” became new concerns that continue to evolve as new technologies, such as video-based telehealth, are introduced.
Web conferencing for telehealth has been used successfully around the world for many years, but it is only now becoming widely adopted, especially as the service becomes available on mobile devices. In response to this trend, healthcare organizations offering telehealth services are mitigating their ePHI breach liability risk. One way is to sign a business associate agreement (BAA) with the telehealth technology vendor, just as they would with any other company that touches their patients’ data.
A BAA is essential, but healthcare provider organizations also need to examine the security features of any prospective telehealth platform. These features include data encryption, private cloud options, and password protection capabilities. Protecting patient data applies not only to virtual visits, but also to video consultations, meetings, and even training sessions that may disclose PHI.
Why the BAA is Important
Most healthcare organizations are accustomed to signing BAAs, and for good reason. In 2016, nearly one-third of the 450 PHI breaches reported to the U.S. Department of Health and Human Services, the media or other sources involved a business associate or third party, and together they affected more than 17.1 million patient records.[1]
Signing a BAA with the organization’s telehealth platform partner is increasingly important as more consumers gravitate toward web-based care. Survey results from June of this year show that 54% of patients report their telehealth encounter with their physician was superior to a regular office visit, and 59% report they plan to increase telehealth encounters in 2017.[2]
Another noteworthy finding in this survey is that patients report they are more than twice as likely to have a telehealth visit with their own provider, rather than use a telemedicine service. That means organizations considering telehealth services could have an advantage in their market over the national telehealth companies, even though those competitors may have first-mover status and strong brand association. Local providers have a trust level and familiarity that the national brands cannot match.
Private cloud and encryption essential
The trust built between local patients and providers, however, can be instantly shattered if a patient’s PHI is breached, whether by accident or through cyberattack. According to the cybersecurity report, 36% of business-associate breaches in 2016 were the result of some sort of hacking attempt, while 24% were due to insider error.[3]
Protecting your organization on both fronts can begin with evaluating both premises-based and cloud-based hosting options for the telehealth platform. Many organizations are opting for cloud-based systems because of lower overhead costs as well as security features. A private cloud option, in particular, offers enhanced protection because all information is stored behind the provider organization’s firewall. Given HIPAA regulations, a private-cloud platform is recommended for patient care, meetings, or consultations.
Another essential security feature, and one that is effectively required by the HIPAA Security Rule, is an encrypted connection for telehealth encounters. The industry-standard TLS protocol with the Advanced Encryption Standard (AES) at a 256-bit key length is advisable for telehealth care delivery. The same standard is used across the country to protect financial and government information.
If a secure, encrypted connection cannot be established, a telehealth platform that automatically blocks the unsecured encounter from taking place is the safer option. This is an advantage over traditional, hardware-based video conferencing installations, which can be exposed to remote access through configuration error or cyberattack.
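The "fail closed" behaviour described above, as an added example that is not part of the original article or any vendor's product: a client that only accepts TLS 1.2 or later, restricts the TLS 1.2 suites to AES-256-GCM, and because Python's `ssl` module cannot restrict TLS 1.3 suites, re-checks the negotiated cipher after the handshake and closes the session if it is not AES-256. The cipher allow-list and the hostname `telehealth.example` are assumptions.

```python
import socket
import ssl

# Policy from the article: TLS with AES-256, otherwise no encounter at all.
# Suite names are standard OpenSSL/IANA names; the allow-list itself is an assumption.
MIN_TLS = ssl.TLSVersion.TLSv1_2
ALLOWED_SUITES = {
    "TLS_AES_256_GCM_SHA384",          # TLS 1.3
    "ECDHE-ECDSA-AES256-GCM-SHA384",   # TLS 1.2
    "ECDHE-RSA-AES256-GCM-SHA384",     # TLS 1.2
}

class InsecureSessionError(RuntimeError):
    """The negotiated session does not meet the AES-256 policy."""

def build_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()   # certificate and hostname verification on
    ctx.minimum_version = MIN_TLS
    # Only AES-256-GCM suites for TLS 1.2; TLS 1.3 suites are not configurable here,
    # so a TLS 1.3 server may still pick AES-128, which enforce_policy() catches below.
    ctx.set_ciphers("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384")
    return ctx

def enforce_policy(cipher_info) -> dict:
    """cipher_info is the (name, protocol, bits) tuple returned by SSLSocket.cipher()."""
    name, protocol, bits = cipher_info
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        raise InsecureSessionError(f"protocol {protocol} is below policy")
    if name not in ALLOWED_SUITES or bits != 256:
        raise InsecureSessionError(f"suite {name} ({bits}-bit) is not AES-256")
    return {"suite": name, "protocol": protocol, "bits": bits}

def passes_policy(cipher_info) -> bool:
    """Boolean form of enforce_policy(), convenient for logging and tests."""
    try:
        enforce_policy(cipher_info)
        return True
    except InsecureSessionError:
        return False

def open_session(host: str = "telehealth.example", port: int = 443) -> ssl.SSLSocket:
    """Return a connected socket only if the negotiated session passes policy."""
    ctx = build_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    tls = None
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
        enforce_policy(tls.cipher())
        return tls
    except (ssl.SSLError, InsecureSessionError):
        (tls or raw).close()   # fail closed: never carry the encounter over a weaker session
        raise
```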
Simple operation minimizes error risk
Another feature that can minimize errors is the ability to issue meeting passwords that expire once a telehealth session ends. This is especially important for group consultations or meetings in which several clinicians share the same password for a particular event. Likewise, an automatic lockout option is an additional safeguard that prevents accidental entry by an unrelated individual unless the host is notified and grants permission. Organizations that have implemented single sign-on across their communications applications can further reduce errors related to password administration.
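The three controls in this section, modelled as an added example that is not part of the original article or any vendor's platform: a per-session password that is invalidated when the host ends the meeting, constant-time password comparison, and a lockout (waiting room) in which a correct password only notifies the host, who must explicitly admit the participant. The `Meeting` class and participant names are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Meeting:
    meeting_id: str
    # Fresh random password per session; never reused across events.
    password: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    active: bool = True                          # False once the host ends the session
    waiting: set = field(default_factory=set)    # knocked, awaiting host approval
    admitted: set = field(default_factory=set)
    host_notifications: list = field(default_factory=list)

    def end(self) -> None:
        """Ending the session expires the shared password, so a reused link goes nowhere."""
        self.active = False
        self.password = ""

    def knock(self, participant: str, supplied: str) -> str:
        """A correct password only places the participant in the waiting room."""
        if not self.active:
            return "rejected: session ended, password expired"
        if not hmac.compare_digest(supplied.encode(), self.password.encode()):
            return "rejected: bad password"
        self.waiting.add(participant)
        self.host_notifications.append(f"{participant} is waiting to join")
        return "waiting: host must admit"

    def admit(self, host_approved: bool, participant: str) -> bool:
        """Nobody enters unless the host was notified and approved this participant."""
        if not self.active or not host_approved or participant not in self.waiting:
            return False
        self.waiting.discard(participant)
        self.admitted.add(participant)
        return True
```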
Whether on mobile or desktop, telehealth is emerging as a cost-effective way to expand patient access and to hold group consultations and training. With adoption rising, numerous platforms are available to connect individuals across the web. Before signing a BAA with a telehealth technology vendor, however, organizations need to look for platforms that offer built-in security to guard against cyberattack, as well as features that minimize user error. With secure footing, organizations can begin their telehealth journey with trust and confidence.