As patient care becomes more decentralized and distributed, healthcare providers and their patients are now, more than ever, in need of telehealth solutions. The OCR has responded to the risks of in-person visits during the coronavirus (COVID-19) pandemic by relaxing its enforcement of HIPAA safeguards related to the use of video conferencing tools like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. It is important to realize that, although practitioners won’t be penalized during the coronavirus pandemic, OCR is not approving these technologies as secure modes of communication. Hackers are still crafting cyber attacks with current vulnerabilities in mind. For the safety of patients’ information, it is therefore still essential to apply as many security best practices as possible. Listed below are a few tips to keep in mind as healthcare professionals move to telehealth for patient care.
- Use Private Networks instead of public Wi-Fi. You should be at home, but if you are not, you should not use any public or open Wi-Fi networks. Use either a personal hotspot from a device you own or a VPN solution for your phone, tablet, or laptop. There is too much risk of a hacker attacking you on the public network and possibly getting access to your private communication.
- Be careful how you share meeting links. The FBI reported last week that hackers are hijacking meetings held on Zoom, a virtual conference provider. As you create virtual meeting invitations, the connection information (links) should never be posted to a public-facing site. Links should be sent directly to the patient – not a group! It is also important to use the latest version of the teleconference software so that you have any security updates.
- Review Security Awareness. Refresh safe internet use training for you and your staff. User mistakes or negligence account for most security breaches. Ensuring that your team is aware of these security practices will help save you and your patients a lot of grief.
- Review Privacy Practices. Ensure your staff understands what relaxed HIPAA enforcement means: you are not able to share patient data just because of the pandemic!
- Use encrypted messaging and webforms. Tools that cost less than you think (under $100) can be integrated with your current email provider to add encryption. Web forms that encrypt the input data can be easily added to your website. This can support a virtual intake process and the patient’s review of privacy notifications.
Even though the OCR will not be penalizing you for the use of remote services, you will still run the risk of ransomware, civil lawsuits for privacy negligence, or poor online reviews that can impact your reputation. With the unknowns created by COVID-19, hiring a security consultant may not be feasible. Companies like Posture can help guide practitioners through these regulatory changes while helping to improve their security and privacy program. With reasonable rates of $99 per month, it’s a brilliant and simple way to handle your HIPAA Compliance Program as you move into telehealth.