Telehealth Visits with Your Doctor Expanded Rapidly During COVID… And the Hackers are Right on Their Heels
By Haala Rokadia MD, Stephanie Zawada MS, Ben Rosner MD PhD, Anna Andoni MD, Shayann Ramedani
In March 2020, the federal government took multiple steps to relax regulations for telehealth, enabling physicians to use consumer platforms such as FaceTime, Zoom, and Skype to perform telehealth visits as part of the response to the coronavirus pandemic. To support widespread adoption of telehealth during the pandemic, the Secretary of Health and Human Services also issued a limited waiver of Health Insurance Portability and Accountability Act (HIPAA) sanctions and penalties for the duration of the COVID-19 Public Health Emergency. The resulting shift from in-person appointments to telehealth visits was unprecedented, and accomplished more in a matter of weeks than over a decade of telehealth lobbying had. However, some of these platforms are not inherently secure, and others do not have privacy protections that adhere to HIPAA, so the sudden transition has created a healthcare landscape rife with opportunity for breaches of patient privacy.
Introduced in the U.S. Senate in June, the Equal Access to Care Act would enable healthcare providers licensed in one state to practice telehealth in any other state. In mid-July, the bipartisan House Telehealth Caucus introduced the Protecting Access to Post-COVID-19 Telehealth Act, which maintains and expands telehealth access in a post-COVID era and protects patients from figuratively “falling off the cliff” of virtual healthcare access when the public health crisis is behind us. The expiration date for telehealth regulatory relief is unknown, but on July 23, 2020, the Secretary of Health and Human Services renewed the COVID-19 Public Health Emergency Declaration through at least October 23, 2020.
As telehealth settles in as a permanent fixture in the healthcare ecosystem, considerations about access and technologies will have to be balanced with increasing and maintaining security of electronic protected health information (ePHI) in this format. Natali Tshuva, CEO of the Internet of Things (IoT) security company Sternum, put it well in an interview when she said “PHI is only as secure as the weakest device, and the fast growth in medical IoT is only increasing the risks.”
Currently, HIPAA regulations specify that 1) ePHI be encrypted when it is collected, stored and transmitted, and be accessible only to authorized individuals, and 2) ePHI be accessed via secure communication systems that can be monitored and from which ePHI can be remotely deleted. These regulations apply only to “covered entities”, including health care providers and insurers, but not to patients. In telehealth, where a promising feature is the accessibility a patient has from their home, there is therefore inherent risk to ePHI in communicating over a patient’s potentially insecure device. Moreover, for non-HIPAA-compliant platforms being used to offer telehealth, it is unclear which file formats containing patient data are protected under HIPAA. Currently, most patient-facing telehealth interfaces prioritize usability and ease for patients across all ages and technology fluencies, which may compromise security and authentication.
Further, the Food and Drug Administration (FDA) has regulatory control over medical devices but does not regulate consumer-facing devices and apps that do not include an explicit clinical function. As these direct-to-consumer remote patient monitoring (RPM) devices become mainstream, they will increasingly be paired with telehealth as accessories. However, under the current framework, they are not restricted in collecting or sharing patient data (health, location, or home data) and are able to operate with long and loose privacy policies that require consumers to accept risks to their ePHI.
About NODE Health Foundation
NODE.Health Foundation is a 501(c)(3) non-profit organization dedicated to education, validation and dissemination of evidence-based digital medicine. As the largest professional association in digital medicine, NODE.Health empowers societies, executives and NODES from health systems, payers, life sciences, venture capital, startups and the public sector involved in healthcare digital transformation. NODE.Health builds on and explores the knowledge base now required to lead global healthcare systems and industry into the value-based era of digital transformation in health.