The expression “desperate times call for desperate measures” aptly explains developments in the field of telehealth during the COVID-19 pandemic. In order to serve those forced to stay in place by the pandemic, healthcare regulators made a number of concessions that loosened controls related to patient privacy and data security in an effort to boost accessibility. In essence, telehealth practices that were a concern prior to Covid were, for the sake of serving patients, deemed acceptable.
As the world slowly moves past the pandemic, regulatory agencies are beginning to signal that those prior, desperate measures have served their purpose and will soon need to be upgraded. For providers and patients alike, it appears that the time has come to place a priority back on privacy and security.
Expect an end to ‘enforcement discretion
The Health Insurance Portability and Accountability Act (HIPAA) requires that the healthcare industry safeguard certain patient information. The rules related to this “protected health information” (PHI) seek to create a balance in which information can be secure, but also accessible to the degree needed to provide effective healthcare.
The list of items considered PHI is long, and includes factors such as a patient’s name, phone number, and social security number, as well as web URLs, IP address numbers, and biometric identifiers like voice recognition or fingerprints. Keeping this information secure goes beyond how it is stored to also include how it is collected. To address this, HIPPA rules demand that secure channels of communication be used when telehealth patients meet with healthcare providers.
As healthcare providers sought to meet the increased demand for telehealth resulting from the pandemic, securing communication platforms that were HIPAA compliant was a top challenge. To help with this challenge, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) announced in April 2020 that it would not be quick to issue penalties to those providers making good faith efforts to make telehealth available. Information provided on the HHS website explained that OCR would be “exercising its enforcement discretion to not impose penalties for noncompliance with the HIPPA Rules in connection with good faith provisions of telehealth…during the COVID-19 nationwide public health emergency.”
In June 2022, HHS issued new guidance on certain aspects of telehealth that seemed to hint the period of “enforcement discretion” would be coming to an end. The guidance — aimed at “improving public confidence” that telehealth is being conducted in a way that safeguards information — specifically states that it is applicable now and after the OCR’s enforcement discretion period is no longer in effect. To some degree, the guidance puts telehealth providers on alert that it is time to begin strengthening their systems.
Seek out systems that combine security and ease of use
During the pandemic, healthcare providers were permitted by the HHS to use platforms like Apple FaceTime, Facebook Messenger, Zoom, and Skype for telehealth. However, they were required to inform their patients that such third-party applications “potentially introduce privacy risks.”
Moving forward, healthcare providers face the expectation from regulators and patients to provide platforms designed to provide a higher level of security and privacy. Basically, it is time to shift from makeshift platforms to those that are HIPPA compliant.
MediGuru provides an example of the type of platform that will be expected moving forward. Unlike generic communications platforms such as Zoom or Skype, MediGuru was purpose-built with input from healthcare providers to not only be HIPPA compliant, but also provide a solution that serves both patients and providers.
Providers seeking to implement telehealth platforms should expect HIPAA compliance at a minimum. Beyond that, the most effective systems will integrate into a practice’s existing systems to allow telehealth patients to receive the same quality of care extended to in-office patients.
MediGuru, for example, welcomes remote patients into a virtual waiting room where they utilize AI-driven intake forms and an e-triage symptom checker. When it is time for their appointment, they are greeted by a medical assistant via high-quality video. For the provider, the platform provides tools that can be used to access important information as well as record and transcribe conversations for accurate charting.
Increasing ease of use is another important factor for telehealth moving forward. “Telemedicine unreadiness” was an issue reportedly experienced by patients during the pandemic. This resulted from a lack of familiarity with the technology that was relied upon for telehealth, especially among older patients. MediGuru provides the patient with a simple meeting link that takes them to the platform. This type of technology not only simplifies the process, but also enhances the security by making the link auto-expiring.
Guide patients on their role in security
Should engagement with telehealth continue to increase, as some experts are predicting, providers will also face the ongoing challenge of training their patients on the role they must play in keeping their health information private and secure. The technology they are using and the setting they choose for their appointment are both factors that relate to security.
Guidance provided by HHS for patients outlines some of the steps that patients should be taking. These include selecting a private location — such as a private room, a car, or an outdoor space away from people — to occupy during the appointment. It advises patients who cannot find a private place to inform their healthcare provider, who can “help you to reschedule or suggest a better location for the visit.”
When it comes to technology, HHS reminds patients that keeping telehealth private and secure “is the responsibility of patients and providers.” It warns against using devices without updated virus protection, devices that are shared with other people, and devices utilizing public Wi-Fi access.
Clearly, the Covid pandemic resulted in increased acceptance of telehealth. Now, providers face the challenge of ensuring that telehealth services are not just convenient, but also secure. Accomplishing that will go beyond simply obtaining platforms to playing a lead role in helping patients understand the new world of telehealth.
Editor’s Note: Dr. Mark Kestner serves as the Chief Innovation Officer for MediGuru. He received his medical degree from the University of Michigan and completed his general surgery residency in Ann Arbor. He began as a general surgeon in the US Army and while in the Army completed his critical-care and trauma surgery fellowships at Jackson Memorial Hospital at the University of Miami. Since 1990, Dr. Kestner has had leadership roles in the military, university systems, integrated delivery systems as well as extensive experience in community-based healthcare systems. He has served in many roles to include Trauma Medical Director, Chief of Surgery, Surgical Residency Director, Chief Quality Officer and Chief Medical Officer.