Security & Privacy Risks Associated with COVID-19 & Telehealth
Due to the increasing demand for remote services and safety concerns related to the SARS-CoV-2 virus and the incidence of COVID-19, the Office for Civil Rights (OCR) issued a bulletin on March 17, 2020, announcing that it will exercise its enforcement discretion and not impose penalties for HIPAA noncompliance against covered healthcare providers that use remote communication technologies in good faith to provide telehealth during the COVID-19 nationwide public health emergency. This applies regardless of whether the telehealth service is directly related to COVID-19. [1]
The OCR at the U.S. Department of Health & Human Services (HHS) is responsible for enforcing the federal regulations that protect the privacy and security of protected health information (PHI), including electronic protected health information (ePHI). These regulations were issued under HIPAA and strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, and are collectively known as the HIPAA Privacy, Security and Breach Notification Rules (HIPAA Rules).
When HIPAA was first introduced, the term “telehealth” did not exist. Telehealth is “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.” [2]
Under normal circumstances, telehealth is covered under the HIPAA Rules in that covered entities and business associates (BA) should have processes in place to ensure compliance with the applicable security safeguards. For example, when deploying telehealth initiatives, organizations should assess their compliance against items such as the following (not a complete listing):
- 4.9 Business Associate Contracts & Other Arrangements – A covered entity, in accordance with §164.306, may permit a BA to create, receive, maintain or transmit ePHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with §164.314(a), that the BA will appropriately safeguard the information.
- 4.13 Device & Media Controls – Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, as well as the movement of these items within the facility.
- 4.14 Access Control – Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights as specified in §164.308(a)(4).
- 4.16 Integrity – Implement policies and procedures to protect ePHI from improper alteration or destruction.
- 4.18 Transmission Security – Implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network.
While the OCR is exercising this discretion, it is important to note the bulletin does not apply to health insurance companies, because paying for telehealth services is not the provision of healthcare. Furthermore, the OCR provided some clarifications and caveats regarding its enforcement discretion during COVID-19. These include:
- This notice of discretion is for a limited period, and organizations should be planning for HIPAA-compliant solutions in the long term.
- Public-facing remote communication products, e.g., Facebook Live, Twitch, TikTok, etc., should not be used in the provision of telehealth.
- Where and when possible, organizations should make a good faith effort to use HIPAA-compliant video communications products and obtain the required HIPAA business associate agreements.
- Practices such as selling ePHI, using ePHI for marketing without authorization or conducting fraudulent business processes will not be tolerated.
Telehealth has privacy implications as well. In February 2020, the OCR issued a bulletin to help ensure that HIPAA-covered entities and their BAs understand the ways that patient information can be shared under the HIPAA Privacy Rule during an outbreak of infectious disease or other emergency situations. The bulletin does not suspend the Privacy Rule; rather, it reiterates that the Privacy Rule already permits the following disclosures without patient authorization:
- Sharing PHI about the patient as necessary to treat the patient or to treat a different patient
- Sharing PHI with a patient’s family members, relatives, friends or other persons identified by the patient as involved in the patient’s care
- Healthcare providers sharing patient information with anyone necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
Even though these disclosures are permitted for the greater good, it is important to remember that adequate safeguards are still expected per the OCR bulletin; healthcare providers delivering telehealth must continue to protect patient privacy. Providers should also ensure that persons not involved in the patient’s care cannot overhear or view a telehealth session. In addition, healthcare providers must limit each disclosure to the minimum necessary to accomplish its purpose, even during an outbreak of infectious disease or other emergency. Failure to do so may subject the healthcare provider to fines and additional oversight from the HHS.
During the current outbreak, healthcare providers may share information with other facilities, healthcare workers and patients’ families for these purposes without patient authorization. It is essential to remember that the temporary enforcement discretion does not become a permanent part of a healthcare provider’s environment; per the OCR, normal enforcement resumes at the end of the public health emergency.
While the OCR will use reasonable discretion in applying the HIPAA Rules to telehealth, healthcare providers need to maintain, or even increase, their vigilance regarding cybersecurity during this pandemic. With increased telehealth use, remote working arrangements and general anxiety surrounding COVID-19, healthcare providers and BAs need to be aware of potential increased cybersecurity risks associated with:
- Social engineering attacks against employees, vendors and patients through methods such as email (phishing), text messaging, phone calls (vishing) or fake COVID-19 websites
- Inappropriate or unauthorized access to secured networks
- Information system availability or capacity issues
- Network attacks and malware incidents
- Use of unsecured or unencrypted personal devices, including mobile devices
- Use of unsecured wireless networks
- Lack of physical security and privacy controls in work-from-home environments
To address these and other changing cybersecurity and privacy risks, information security management should use a risk-based assessment methodology based on an accepted standard, such as International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 27005, the National Institute of Standards and Technology (NIST) Cybersecurity Framework or another recognized standard. Regardless of the framework chosen, the goal of a risk assessment is to give cybersecurity professionals a repeatable method to prioritize security activities and manage the program against the risks it actually faces.
As with most topics related to COVID-19, changes are being made rapidly. Please note that this information is current as of the date of publication. For more information, contact your BKD Trusted Advisor™.
[1] HHS Press Release, March 17, 2020: https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-enforcement-discretion-for-telehealth-remote-communications-during-the-covid-19.html
[2] HealthIT.gov website: https://www.healthit.gov/topic/health-it-initiatives/telemedicine-and-telehealth