Law360 (July 2, 2020, 4:11 PM EDT) --
Many health care providers have found themselves scrambling to procure and deploy telemedicine technology and develop appropriate policies and procedures as demand has skyrocketed rapidly and unexpectedly.
Those providers now understand that they were underprepared for the boom and, as a result, have had to shortcut technology procurement in ways that are ultimately very risky from a data privacy perspective. As we face our continuously changing world, health care providers must now reassess their data privacy practices to securely provide the critical health care services patients need.
Through its notification of enforcement discretion for telehealth remote communications during COVID-19 nationwide public health emergency, the U.S. Department of Health and Human Services notified health care providers that it would exercise its enforcement discretion by not imposing penalties on health care providers for noncompliance with the Health Insurance Portability and Accountability Act and other privacy regulations governing telehealth, as long as the telehealth communications are carried out in good faith.
HHS also indicated that even telehealth not related to COVID-19 would be subject to relaxed standards so that providers and patients can comply with social distancing mandates. The HHS even went so far as to provide a list of remote conferencing vendors that appear to provide HIPAA-compliant products (Skype, Zoom for Healthcare, Amazon Chime and GoToMeeting, among others), while also noting that public-facing conferencing technology like Facebook Live, Instagram Live, Twitch, TikTok should not be used.
There is no doubt that the risks associated with a nationwide health care emergency outweigh personal privacy, but that does not mean that health care providers should eschew common sense when it comes to protecting their customers and patients.
To be sure, the HHS notification does nothing to suggest that health care providers are shielded from civil liability for privacy breaches simply because enforcement standards were relaxed.
While the relaxed standards could be indicative of the standard of ordinary care that must be employed in providing telehealth services during a pandemic, health care providers would fare much better by complying with and maintaining pre-COVID-19 data privacy standards to avoid a potentially serious and costly data breach.
However, pre-COVID-19 systems, policies and procedures may be inadequate to plug the obvious security holes that will open as a result of the massive uptick in telehealth and telemedicine.
Providers that have not previously offered telehealth, or have done so on a limited basis, need to carefully examine their current information technology systems and policies and make appropriate changes. This means vetting video communication products to assure compatibility with existing systems and compliance with HIPAA and other data privacy mandates.
The larger remote conferencing vendors, while likely more expensive, have more robust cybersecurity systems and privacy practices, and will typically offer a HIPAA business associate agreement as part of their onboarding. Some may even go so far as to offer indemnification for certain types of data security incidents, provided specific prerequisites are met.
Providers should also have an in-house counsel or experienced outside counsel review and update applicable privacy policies and patient acknowledgments to assure such policies meet the practical and legal needs of an emerging telehealth practice.
This requires critical analysis and education to develop an in-depth understanding of current and proposed state, federal, and international data privacy mandates. Cybersecurity insurance policies should be procured or updated to meet the greater potential exposure caused by the increased demand for telehealth.
Information technology departments now need more time, more personnel, and a larger equipment and software budget to implement necessary changes to accommodate the increased telehealth traffic.
If telehealth sessions are recorded and stored for future review or archival, advanced firewall and encryption technology become an absolute must. Incident response plans will need to be reviewed and updated to provide specific guidelines on how to respond to breaches that could occur during (or ancillary to) telehealth sessions.
After changes and upgrades are implemented, providers should engage third-party cybersecurity companies to run independent cybersecurity audits and penetration testing so that weakness can be exposed before an actual security incident occur. Insurance companies may require such testing or offer premium discounts if testing meets certain standards.
From a practical perspective, health care providers will need to train and regularly retrain their employees on best practices for offering telehealth. This means both technical training to understand how to securely use new systems and compliance training to understand where data and/or privacy breaches can occur and how to spot and redress potential security breaches.
For example, doctors and nurses should be trained to avoid using FaceTime or Google Meet on their smartphones simply because it is more convenient, or the requested sessions are after hours.
Scheduling and calendaring are particularly vulnerable areas — where double-booked virtual meetings or incorrect meeting credentials could have disastrous results — imagine another patient accidentally logging into your surgical follow-up appointment or therapy session!
Encryption, passwords, two-factor authentication and other fail-safes must be implemented to provide patients with peace of mind.
While the costs of compliance and information technology will increase, the benefits of telehealth for both the provider and the patient has not gone unnoticed. In many ways, our new normal has provided exactly the kick in the pants that many health care providers needed to dive headfirst into telehealth.
Patients, physicians and nurses are learning quickly that many routine appointments do not have to be held in person, and, in many ways, telehealth is a safe and much more efficient means of providing health care services, particularly for routine appointments and the mental health field.
However, privacy remains of utmost importance for all parties involved, and health care providers should not be lulled into complacency simply because the HHS has relaxed its standards for the course of the unexpected pandemic that has affected the entire world.
In many cases, HIPAA compliance should be considered the floor, not the ceiling, of the regulations when it comes to data privacy compliance. Health care providers should level the highest cybersecurity technology and standards to assure peace of mind for patients and the business.
Geoffrey Lottenberg is a partner at Berger Singerman LLP.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.
For a reprint of this article, please contact firstname.lastname@example.org.