Mysteries Solved: Telehealth, Data Security and Privacy | Healthcare IT Today

The following is a guest article by Gerry Blass, President and CEO at ComplyAssistant and Donna Grindle, Founder and CEO at Kardon.


Even prior to the COVID-19 pandemic, the use of telehealth applications and services was on the rise. A January 2020 survey by the American College of Physicians (ACP) showed an increase in usage of telehealth technology for remote care management, patient monitoring, e-consults and video visits. The survey results indicated that video visits saw the largest year-over-year increase in usage, from 3 percent in 2019 to 10 percent in 2020. When asked about barriers to using telehealth technologies, respondents cited their top five:

They were more comfortable examining patients in person and communicating face-to-face.
They had challenges integrating virtual care into an already established workflow.
They did not have the staff to set up and run the technologies.
They were concerned about potential medical errors.
Their patients did not have access to technology to support virtual care.

Fast-forward from January 2020 to April 2020, and a vast number of physicians had gone from little or no usage of telehealth to an astounding rate of usage. A physician survey from Merritt Hawkins conducted in April 2020 showed that nearly 50 percent of physicians have embraced telehealth, up from only 18 percent in 2018.

The good news is the use of telehealth technologies and services is on the rise. Nearly every type of provider is using telehealth technology. Despite the previous barriers to acceptance, physicians and patients love it. We won’t go back now.

The bad news? The sheer need to act quickly during a crisis, the desire for physician practices to do whatever possible to care for their patients and keep their businesses viable, and the temporary HIPAA waivers by the Office for Civil Rights (OCR) all meant that technologies were often not vetted or implemented properly to comply with HIPAA privacy and security regulations.

If we compare this to Meaningful Use (now known as Promoting Interoperability) and the Affordable Care Act, providers had years to implement usage of electronic health record (EHR) systems. Even with years to plan and implement, data security was not a priority, which is partially why we started to see an uptick in cyberattacks around 2015. With COVID-19, implementation of new telehealth technologies occurred so quickly that proper vetting and security protocols simply fell by the wayside.

In addition, when small practices began to roll out telehealth technologies, they quickly realized that the technologies might not work as well in practice. Performance and quality issues, and the inability of providers to use such products as indicated, led providers to the path of least resistance—video chat, email and SMS texting—none of which is secure or meets HIPAA regulation standards.

Providers’ top three questions answered

In our daily interactions with providers, we understand very clearly that patient care always comes first. Always. We agree, but also want providers to understand that HIPAA still applies, even during a crisis, and providers still need to maintain security of data and patient privacy.

And, since we are all moving at such a fast pace, there is no single point of real, accurate information. To that end, here are the top three questions from providers regarding the use of telehealth and ensuring data privacy and security.

Has HIPAA gone away?
This is arguably the most common question we receive from providers. The answer is a resounding no! Though the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR) issued emergency waivers to provide flexibility during the pandemic and to grant payment parity between telehealth and in-person clinical care, the HIPAA Rules still apply.

How does enforcement discretion apply to me?
The Office for Civil Rights (OCR) in March issued a Notification of Enforcement Discretion, which essentially says that covered entities (CEs) will not be subject to penalties for HIPAA breaches related to telehealth during the pandemic, assuming the CE made a good faith effort to protect the data. The OCR will use “enforcement discretion” to determine good faith or negligence. We’ve seen, however, that there are physician practices that intentionally decided to use a non-secure telehealth technology even when they had secure options already available and in use. This leaves them open for OCR to make the determination whether or not they acted in good faith and could be found negligent.

Do patients still have a right to privacy given the circumstances?
Yes, yes and always yes. Patients have not given up their right to privacy because of COVID-19 or any other crisis. Unfortunately, there is a lack of true understanding—even among individuals—of what we can and cannot say. In working with providers, we often hear stories of COVID-19 diagnoses shared with parties who should not be privy to that information. In one example, we learned that a small town’s post office decided not to deliver mail to a particular person due to a rumor that the mail recipient had been diagnosed with COVID-19. Regardless of the time, the diagnosis, crisis or not, patients still have a right to privacy.

You may have access to multiple providers if availability is an issue. Telehealth-based specialty programs are helping to balance and redistribute patient flow in a newly efficient way. Rather than pitting facilities and providers against one another, these efforts allow patients to access available capacity in a manner that wouldn’t have been possible when virtual care efforts were one-off propositions.

In this case, I found a program whose location I could conceivably visit in a pinch. This seemed to offer social workers, discharge planners and the like a feeling of security, particularly given that they might very well have had face-to-face contact with staffers there before.

That being said, getting patients the specialized care and support they need will be more important than referring them to programs with which they have had long-term contact.
If your provider is unavailable, there are a multitude of telehealth providers available such as 
