COVID-19 Puts Telehealth and Security in the Spotlight

The Office for Civil Rights (OCR) announced that it is relaxing enforcement on the use of certain telehealth solutions during the COVID-19 response in order to protect patients and providers from unnecessary exposure. Using telehealth during a public health emergency enables healthcare professionals to continue to provide routine care for patients, such as medication checks, and also to conduct pre-visit evaluations of patients who might be experiencing COVID-19 symptoms.

Telehealth can be provided via audio, text message, or video conferencing.

This relaxed enforcement means that some popular means of communication that do not necessarily meet HIPAA privacy and security requirements can be used for a limited time. The OCR listed Zoom, FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype as examples of what is permitted, but still advises that providers seriously consider using a solution that meets HIPAA requirements, especially if they wish to continue to provide telehealth after the enforcement exception is over. The examples listed above do not meet HIPAA security requirements, and those vendors do not sign business associate agreements with providers.

Patients should be notified verbally, in advance, that these applications could pose privacy risks. Ideally, a patient should sign a telehealth consent form. Security settings should be set to the highest option in these applications. Telehealth visits should be conducted in private, just like any other patient encounter. Refer to your patient’s payer for requirements about billing and visit documentation.

Messaging and video applications like Facebook Live, Slack, TikTok, and Twitch should never be used because they are not a direct one-on-one communication and can be accessed by the public.

Your EHR or practice management vendor may have available options for telehealth that already meet HIPAA requirements. You can also visit TMC’s COVID-19 Resource page for more information that can help you navigate continued care for your patients during this time.

Unfortunately, cyber criminals have taken advantage of some of these security vulnerabilities. In addition, COVID-19 themed fraud and other schemes have skyrocketed.

To keep your own and your patients’ information safe, remember to check links, attachments, and email addresses before you click on them or reply with sensitive information. Some meeting website addresses have been spoofed so that when a victim clicks on the link to join, malware is installed or the criminal gains access to the victim’s data.

Fake emails with malicious attachments pretending to be invoices or FAQ documents about COVID-19 have been circulating, and fraudulent emails containing links to order PPE or to solicit charitable donations for COVID-19 research have impacted thousands.

Stress levels are high, and it can be easier than usual to get distracted while keeping up with increased personal and professional activity and the high volume of information coming from so many angles. Let’s help each other stay a little safer. Think before you click and remember your trusted sources.