A common misconception of telehealth and security may be this: using HIPAA-compliant telehealth software will protect you from HIPAA violations. Of course, using telehealth software that adheres to the clear technical and physical safeguards laid out in HIPAA is a key part of building a HIPAA-compliant telehealth care program. But it’s only one piece of the larger puzzle in maintaining the security of your protected health information (PHI).
According to Telemedicine Magazine, here are a few of the most common ways your telehealth program may not be aligned with HIPAA best practices:
1. PHI is being downloaded or stored on unsecured mobile devices: Using a telehealth mobile app can be incredibly convenient. But healthcare providers need to be cautious with any PHI that’s stored on their mobile device. Consider instituting a few extra precautions, such as password-protecting the device and installing remote wipe software to erase PHI if the mobile device is lost or stolen.
2. Logins to your telehealth software are shared: Each user needs to have his or her own login credentials and should keep those private.
3. You have no systematic HIPAA staff training in place for telehealth: Adding telehealth services to your practice creates new workflows and new challenges for maintaining HIPAA-compliance. Staff will need training in order to maintain patient security and privacy protocols.
5. You’re messaging patients outside a secure portal: Telehealth can make connecting with patients as easy as clicking a few buttons on your smartphone. This shift may tempt you to reach out to patients via text or email to follow-up to a visit. But doing so, and potentially sharing PHI in an unsecured manner, is a clear HIPAA violation. Any specific identifiable health information needs to be protected with encryption and shouldn’t be sent outside of secure telemedicine apps or tools.
6. You haven’t entered into a business associate agreement (BAA) with all interests involved: Do you know all the companies involved in storing, transmitting, and handling your PHI? Beyond signing a BAA with your telehealth vendor, you should know about any third-parties who manage your PHI. Your BAA should specify how the company will ensure the security of your patient data, encryption methods, documentation on their security practices and emergency protocols.
For more information on HIPAA safeguards for your medical practice, contact HIPAAcraticRx.