Telehealth After COVID-19: Privacy, Security Considerations
Congress, Others Examine Long-Term Telemedicine Issues
If the lifting of certain telehealth restrictions during the COVID-19 pandemic becomes permanent through new legislation or changes in government policies, what would be the potential impact on patient data privacy and security?
Legislators and healthcare sector stakeholders are considering that question now that the use of telehealth has exploded in recent months during the national public health emergency.
While the declaration of a public health emergency related to COVID-19 was set to expire on July 25, HHS plans to renew the public emergency status, a Department of Health and Human Services spokesperson tells Information Security Media Group.
The public health emergency, first declared by HHS secretary Alex Azar on Jan. 31, was already renewed once in April, HHS notes.
The federal government has made about 31 policy changes in recent months aimed at better facilitating patient care during the pandemic, and three of those changes have had the biggest impact on fueling the expanded use of telehealth, noted Sen. Lamar Alexander, R-Tenn., chair of the Senate Committee on Health, Education, Labor, and Pensions, at a June 17 hearing on telehealth during the COVID-19 crisis.
Those three most significant - but temporary - policy changes include the easing of "originating site" regulations that generally restricted telehealth services to certain patients, such as those based in rural communities; the expansion of payment for telehealth services by the Centers for Medicare and Medicaid Services; and the relaxation by the HHS Office for Civil Rights of certain HIPAA requirements related to telehealth technologies providers can use, Alexander notes.
States and private health insurers have also made a variety of moves during the pandemic that have fueled expanded use of telehealth, he said.
"Because of COVID-19, the healthcare sector and government was forced to cram 10 years of telehealth experience into just three months," Alexander said.
It's critical for the government to take action to support continued use of telehealth, he said. "It's important to write the rules of the road while the experience is still fresh," Alexander said.
Joseph Kvedar, M.D., of Boston-based Mass General Brigham - formerly Partners HealthCare - and president of the American Telemedicine Association, said in his written testimony: "Telehealth will not and should not entirely replace in-person care post-pandemic. It should, however, be an option. Given the patient and provider satisfaction we have seen, I believe many, if not most, providers and patients will want to continue to use telehealth in some way indefinitely."
Moving forward, if Congress considers new telehealth legislation, privacy and cybersecurity need to be included among top principles, Kvedar said.
In March, OCR, which enforces HIPAA, announced it would not impose penalties for noncompliance in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
For instance, OCR said a covered healthcare provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 pandemic can use any nonpublic facing remote communication product to communicate with patients.
Under that notice, OCR said covered healthcare providers "may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency."
Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications, OCR added.
Although OCR's action helped to enable providers to rapidly adopt telemedicine, "as a matter of policy, with the increasing availability of free and/or low-cost HIPAA-compliant solutions, and to ensure protection of personal health information, non-HIPAA compliant solutions should only be used in good faith in an emergency," Karen Rheuban, M.D., professor of pediatrics and director of the University of Virginia Center for Telehealth, told the Senate panel in her written testimony.
"Telehealth providers should work now to execute business associate agreements and ensure that whenever possible, telehealth services are delivered via HIPAA-compliant electronic communication systems," she added.
Other privacy and security experts, commenting about the topics discussed at the hearing, say that if Congress or federal regulators make moves to help support expanded use of telehealth beyond the COVID-19 public health emergency, privacy and security issues must be carefully considered.
For instance, technology attorney Stephen Wu of Silicon Valley Law Group says telehealth should be "consumer driven," so that patients can continue to readily use technologies that they prefer, rather than being pressured to use special telemedicine tools chosen by healthcare providers.
To help ensure that consumer-driven telehealth tools are private and secure, however, he suggests that the healthcare and technology sectors consider developing a "certification service" that can help validate the security of the services - such as whether transmitted data is encrypted - or that endpoint devices meet a certain level of security standards.
If the expanded use of telehealth becomes permanent, "it will be important for CISOs to consider the risks in periodic, enterprisewide information security risk analyses, including the risks of misconfigurations and the risks that workforce members will use unapproved platforms," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Privacy attorney Kirk Nahra of the law firm WilmerHale says it's important to remember that HHS OCR's telehealth HIPAA waiver allowed discretion of enforcement of the security rule related to telehealth during the COVID-19 crisis.
"It didn't say that telehealth violated the security rule; it just said that there wouldn't be enforcement of the security rule related to telehealth," he says. "It was a confidence-building exercise to let providers know that the security rule need not stand in the way of telehealth."
Nahra says he would like to see some kind of ongoing guidance about telehealth.
"I don't think a permanent waiver of enforcement is appropriate - telehealth can still be done in sloppy and irresponsible ways," he says. "But I do think the message should be sent that telehealth can be done in a manner that is consistent with the security rule. Healthcare providers should treat telehealth like other aspects of their operations: Think about the process, and implement reasonable safeguards."
If Congress moves forward with legislation to expand the use of telehealth post-COVID-19, "a huge issue to be addressed is if there will be privacy and security standards for video conferencing and messaging apps when used for telehealth," says privacy attorney David Holtzman of the security and privacy consultancy CynergisTek.
In its recently issued interoperability regulation, CMS did not set privacy and security standards for health IT apps, Holtzman says. "Instead, there are voluntary guidelines allowing healthcare providers to ask app vendors about their privacy policies and how they share them with consumers," he notes.
Business associate requirements in the area of telehealth also should be examined, Holtzman adds.
"For example, it likely is possible to ensure the privacy and security of PHI transmitted through video conferencing platforms without the full documentation requirements of the [HIPAA] Security Rule. The security rule was designed largely with healthcare providers in mind, and some of it is not as relevant to a video conferencing platform. A more focused approach for such vendors could be helpful."
Privacy attorney Iliana Peters of the law firm Polsinelli offers a similar assessment. "I think that it will be important for HHS OCR to clarify after the COVID-19 public health emergency is over that HIPAA covered entities should, in all cases, have HIPAA business associate agreements with all of their telehealth application vendors, not only to comply with the requirements of the HIPAA Rules, but also to ensure that such vendors appropriately protect health information as required by HIPAA," she says.
"Beyond that, I think that entities of all types and in all sectors should follow the guidance for data security offered by HHS, the FBI, National Institute of Standards and Technology, the Federal Trade Commission, the Federal Communications Commission, and others with regard to VTC applications."