Telemedicine Is Growing, But HIPAA Concerns Remain
When telemedicine first debuted, its primary goal was to reach patients in rural areas suffering from doctor shortages. Doctors could use Skype or another online video program to meet with patients, observe them, and make recommendations. Telemedicine was also thought to provide a good option for patients who needed specialist care located far from home. This would limit unnecessary travel while increasing access to medical care.
Now, however, the attitude around telemedicine is changing and practices are working to keep up. More patients are seeking telemedicine simply because they prefer it, particularly for specialist treatment. Patients who ask for treatment via such platforms typically pay out of pocket for the experience, as insurance doesn’t yet reimburse telemedicine when there is the option of seeing a live doctor, but those with the financial means are willing to pay for the service.
With telemedicine in high demand, doctors and their practices are working to handle HIPAA concerns raised by the format. The unseen viewer, poor encryption practices, and app design and regulation all stand in the way of a fully compliant practice.
Eyes On The Patient
One of the primary concerns raised by telemedicine is the concept of the unseen viewer. When a patient is speaking to their doctor via a digital portal or other online program, is someone else standing in the room observing, off camera? Before even considering the digital network concerns of telemedicine, such as cloud security and data encryption, we have to consider these simple logistical problems.
Of course, all doctors are aware that it’s unethical to observe or allow someone to observe a medical appointment or access medical records without the express permission of the patient. It’s also illegal under HIPAA. But under traditional exam circumstances, patients are clear about who is present in the room. Video-based exams undercut this older structure and doctors need to be upfront about who is present and careful to perform these exams in a private environment, just as they would a traditional exam.
One of the primary problems with the adoption of telemedicine is the development of proper safeguards to prevent improper individuals from accessing conversations. Hacking and data theft are on the rise, and most people associate these practices exclusively with stored data or email – stable situations in which the hacker enters an improperly secured network to steal information or damage code. However, hacking can take place at many levels, and telemedicine remains vulnerable.
On its own, encryption – or lack thereof – causes many problems for medical practices. If content isn’t protected by end-to-end encryption, but only by server-based encryption, it’s very easy for hackers to obtain private information, such as medical information transmitted by email.
When using telemedicine, a format that typically requires more cloud storage and therefore more cloud security, handling encryption becomes even more delicate. Records and communications need to be encrypted, but so does the connection that facilitates videoconferences. Often, the only way to maintain this level of encryption is by using an app, as traditional video chat formats like Skype aren’t secure.
The App Trap
Many medical practices now use apps to communicate with patients, particularly since EHR systems are now mandated. But not all apps are in compliance with HIPAA, and for some time app developers seemed to be outside of the law, existing as neither covered entities nor business associates, the two major groupings that bind companies like Google under HIPAA.
In 2015, however, California took steps to change the rules, requiring that apps uphold the same standards of confidentiality and encryption that healthcare providers are held to. And California isn’t the only state to enact such laws. With more states pushing app producers to uphold patient privacy, any app developer hoping to expand their reach across state lines must consider these standards when building their programs.
When choosing an app for their telemedicine practice, doctors must make sure that apps meet state requirements for privacy, but they should also be sure that these programs meet HIPAA regulations – even if their particular state law doesn’t require it. This will prevent practices from unnecessarily transitioning between multiple programs if the laws change and prevent doctors from being held liable for any privacy infringement.
Telemedicine is becoming more popular, even when it isn’t technically necessary, but doctors should consider the privacy implications. Unless practices can ensure that HIPAA standards are being met, telemedicine won’t be a viable option – and for those living in areas without specialist access or facing a doctor shortage, this could prove tragic.