May 21 2020

How States Can Secure Public Health Telehealth Deployments

Ensuring telehealth solutions are HIPAA-compliant remains critical, even amid relaxed rules.

At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.

The Health Resources and Services Administration at the U.S. Department of Health and Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.

In March, the HHS Office for Civil Rights relaxed its rules on telehealth to increase its usage. The office said it would use discretion when enforcing HIPAA compliance for telehealth communications tools.

HHS said it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

HHS added that a covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the pandemic “can use any non-public facing remote communication product that is available to communicate with patients.”

Still, it is critically important for public health departments and the healthcare providers they work with to provide as much security for telehealth solutions as possible. Such security technologies, including multifactor authentication, help ensure that patient data remains confidential and that patients have confidence in using such tools to get care. 

Expanded Use of Telehealth Solutions

The Illinois Department of Healthcare and Family Services has seen telehealth utilization grow during the pandemic, says Jon Hoffman, director of communications and public affairs for the IDHFS.

“For example, during March and April, provided telehealth services increased tenfold over the same time period last year, to $1.5 million,” he says. “However, it should be noted that it is too early in the billing process to thoroughly capture and quantify any utilization changes throughout the Medicaid program.”

The department does not directly provide telehealth solutions, Hoffman notes, but did issue emergency rules allowing Medicaid providers to expand the types of services and the ways in which services can be delivered to its members via telemedicine. 

“All providers are required to follow HIPAA standards, including the use of HIPAA-compliant equipment and software when delivering services via telehealth,” he says.

As The Wall Street Journal reports, the goal of expanded telehealth solutions “is to keep people with symptoms at home and to practice social distancing if their condition doesn’t warrant more intensive hospital care.” The newspaper notes that almost 80 percent of hospitals in the U.S. have some sort of telehealth service.

HHS says its exercise of discretion in enforcing HIPAA compliance for telehealth “applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”


HIPAA-Compliant Technology

As HIPAA Journal notes, HIPAA-compliant solutions need to ensure that electronic protected health information (e-PHI), whether at rest or in transit, is “encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.”

HIPAA’s Security Rule is “shorthand for the Protection of Electronic Protected Health Information,” telemedicine company Chiron Health notes. “It sets the standards for securing patient data that is stored or transferred by electronic methods. It outlines three areas of protection required for compliance: administrative, physical, and technical. The rule establishes security standards for each.”

The technical safeguards, according to HHS, include several elements. One is access control, meaning that healthcare providers must “implement technical policies and procedures that allow only authorized persons to access electronic protected health information.”

Another is audit controls, in which providers must “implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.”

Integrity controls are designed to “ensure that e-PHI is not improperly altered or destroyed,” and “electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.”

Another critical element is transmission security, requiring “technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.”

HIPAA Compliant Telehealth Vendors

According to HHS, there are several vendors that “represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement.” They include:

HHS says it “has not reviewed the BAAs [business associate agreements] offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products.”

“There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity,” HHS states. “Further, OCR does not endorse any of the applications that allow for video chats listed above.”

How to Ensure Secure Telehealth Solutions

To effectively safeguard a telehealth solution, the entire process must be securely managed, says Kathryn Howe, Americas healthcare lead at Cisco. That includes contact centers that connect patients to doctors and help triage requests for telehealth appointments, as well as a healthcare portal that connects doctors and patients.

“We can be as secure as we are with end-to-end encryption,” Howe says. “If somebody implements it wrong or a user sends access to the wrong person, we could all get in trouble. Ultimately, it is the responsibility of the provider to ensure their users are following the right business protocols to ensure they are HIPAA-compliant.”

Part of the issue involves making sure the professionals who are operating the telehealth tools “have good visibility into who is compliant and who is not,” says Wolf Goerlich, advisory CISO at Cisco’s Duo Security. “A good deal of time and attention is spent on that.”

The appointment itself presents challenges, Goerlich notes, because doctors and patients may all have different devices, different network settings and conditions, and varying bandwidth constraints.

Throughout this process, there are a number of security systems at work, says Goerlich. There is a need to confirm the clinician is who they say they are. The clinician’s and the patient’s devices also need to be checked as healthy: free of malware and not beaconing to a command-and-control site.

“From a technical perspective, it comes down to really good authentication, access controls, adaptive access policies, device health and the integrations that happen along the way,” Goerlich says.


Setting Up Telehealth Multifactor Authentication

One proven method of ensuring telehealth solutions are as secure as possible is through the use of multifactor authentication. MFA is predominantly used on the healthcare provider side, but there can be mutual means of MFA, Goerlich says. It is especially useful for clinicians who have regular standing appointments with patients via telehealth.

“On the clinician side, we want multifactor authentication that is seamless and quick,” Goerlich says.

On a computer or mobile device, a doctor would log in to a patient’s records. At that point, a second identification request is sent to the doctor’s smartphone. That can take the form of a push notification, a phone call or the entry of a one-time passcode.

Cisco has also co-engineered a security solution with Apple to ensure that its iOS devices, which are extremely popular in telehealth settings, are secured, up to date on patches and have not been jailbroken.

Cisco also helps by sharing threat intelligence with healthcare providers and helping providers maintain HIPAA compliance.

“We’re all in the whitewater rapids, and everybody has a boat on the river,” Howe says. “Where we are with Cisco is, we’re managing the water.”
