Special Edition: Privacy & Compliance in Telehealth
- David Larsen
- Jul 7, 2024
Vol 1, No. S | July 7, 2024 | By Dave Larsen, Väsentlig Consulting LLC

Maintaining Privacy and Compliance in Telehealth
A Wake-Up Call for Mental Health Professionals
Dear Valued Readers,
Recent events have highlighted the urgent need to address privacy concerns in telehealth practices, particularly for solo mental health professionals working from home.
The Incident: Telehealth Session on an Airplane
I recently learned of a troubling incident where a mental health provider conducted a telehealth session while on a commercial flight from Denver to Minneapolis.
This situation raises significant concerns about patient privacy, confidentiality, and compliance with federal regulations!
As your trusted technology partner, I feel compelled to address this issue and provide guidance to ensure that you maintain the highest standards of care and compliance in your practice.
Understanding HIPAA and HITECH Regulations
Before delving into the specifics of the incident, let's refresh our understanding of the key regulations governing telehealth practices in the United States.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 are the primary federal regulations that protect patient health information and promote the adoption of health information technology.
HIPAA's Privacy Rule establishes national standards for the protection of individuals' medical records and other personal health information. It requires appropriate safeguards to protect the privacy of personal health information and sets limits and conditions on the uses and disclosures of such information without patient authorization.
The HITECH Act expanded and strengthened HIPAA regulations, particularly in the areas of electronic health records (EHRs) and health information exchange. It introduced more stringent breach notification requirements and increased penalties for HIPAA violations.
Both acts require covered entities, including mental health professionals, to implement physical, administrative, and technical safeguards to ensure the confidentiality, integrity, and availability of protected health information (PHI).
The Role of FIPS in Telehealth Security
In addition to HIPAA and HITECH, mental health professionals should be aware of the Federal Information Processing Standards (FIPS), particularly FIPS 140-2. This standard, developed by the National Institute of Standards and Technology (NIST), specifies security requirements for cryptographic modules used in computer and telecommunication systems to protect sensitive information.
While FIPS compliance is mandatory for federal agencies, it's highly recommended for healthcare providers, especially those dealing with electronic protected health information (ePHI). In the context of telehealth, using FIPS 140-2 validated encryption for data in transit and at rest adds an extra layer of security.
This is particularly relevant when considering the risks associated with conducting telehealth sessions in public spaces or over unsecured networks, such as on an airplane. FIPS-compliant solutions ensure that even if data is intercepted, it remains unreadable and protected.
Therefore, when selecting telehealth platforms and devices, prioritizing those with FIPS 140-2 validation can significantly enhance your practice's security posture and demonstrate a commitment to maintaining the highest standards of data protection.
Violations and Risks Associated with the Incident
Conducting a telehealth session on an airplane violates several key principles of HIPAA, HITECH, and FIPS:
Lack of Privacy: An airplane is a public space where conversations can be easily overheard, and screens can be viewed by nearby passengers. This environment fails to provide the necessary privacy for a confidential mental health session.
Unsecured Network: In-flight Wi-Fi networks are often unsecured or have weak security measures, making them vulnerable to interception and hacking. Transmitting sensitive patient information over such networks poses a significant risk to data security.
Potential for Unauthorized Access: In a crowded airplane, there's an increased risk of unauthorized individuals viewing or accessing patient information on the provider's device.
Lack of Physical Safeguards: The confined space of an airplane seat doesn't allow for proper implementation of physical safeguards to protect patient information from prying eyes.
Compromised Quality of Care: The noisy and unpredictable environment of an airplane can significantly impact the quality of care provided, potentially leading to misunderstandings or incomplete treatment.
Best Practices for Maintaining Privacy in Telehealth
To avoid similar violations and ensure compliance with HIPAA and HITECH regulations, mental health professionals should adhere to the following best practices:
Secure Environment: Always conduct telehealth sessions from a private, secure location where patient confidentiality can be maintained. This typically means a home office or professional workspace with closed doors and sound insulation.
Use Encrypted Connections: Ensure that all telehealth sessions are conducted over encrypted, secure networks. Avoid public Wi-Fi networks or use a reliable Virtual Private Network (VPN) when absolutely necessary.
Implement Strong Authentication: Use multi-factor authentication for all devices and applications used in telehealth sessions to prevent unauthorized access.
Regular Security Audits: Conduct regular security risk assessments of your telehealth setup to identify and address potential vulnerabilities.
Patient Education: Inform patients about the importance of their own environment during telehealth sessions and guide them on how to maintain privacy on their end.
Technology Solutions for Secure Telehealth Sessions
As a technology consultant, I recommend the following solutions to enhance the security and privacy of your telehealth practice:
HIPAA-Compliant Video Conferencing Platforms: Utilize platforms specifically designed for healthcare, such as Zoom for Healthcare, Doxy.me, or VSee. These platforms offer end-to-end encryption and other security features that comply with HIPAA regulations.
Secure Messaging Systems: Implement encrypted messaging systems for communicating with patients outside of video sessions. Platforms like Hushmail or OhMD provide HIPAA-compliant messaging solutions.
Electronic Health Record (EHR) Systems: Use HIPAA-compliant EHR systems to securely store and manage patient information. Options like TherapyNotes or SimplePractice are tailored for mental health professionals.
Mobile Device Management (MDM) Solutions: If you use mobile devices for telehealth, consider implementing an MDM solution to enforce security policies and remotely wipe data if a device is lost or stolen.
Hardware Security: Invest in privacy screens for your devices to prevent visual hacking in public spaces, and use cable locks to secure your equipment when necessary.
Legal and Ethical Implications
The incident of conducting a telehealth session on an airplane not only violates HIPAA and HITECH regulations but also raises serious ethical concerns.
As mental health professionals, we have a duty to protect our patients' privacy and to maintain the highest standards of care.
Legal Consequences:
HIPAA violations can result in significant fines, ranging from $100 to $50,000 per violation, with a maximum penalty of $1.5 million per year for repeated violations.
The Office for Civil Rights (OCR) may conduct investigations and audits, leading to corrective action plans or even criminal charges in severe cases.
Patients may file lawsuits for breach of confidentiality, potentially resulting in substantial damages and harm to professional reputation.
Ethical Considerations:
The American Psychological Association's (APA) Ethical Principles of Psychologists and Code of Conduct emphasizes the importance of maintaining confidentiality and protecting the privacy of individuals with whom psychologists work.
Conducting sessions in public spaces like airplanes violates the ethical principle of respect for people's rights and dignity, as it fails to protect the confidentiality of the therapeutic relationship.
Such actions can erode patient trust and damage the integrity of the mental health profession as a whole.
Steps to Take if a Violation Occurs
If you find yourself in a situation where a potential privacy violation has occurred, take the following steps:
Immediately Terminate the Session: If you realize you're in an unsuitable environment for a telehealth session, apologize to the patient and end the session immediately.
Document the Incident: Record all details of the incident, including date, time, duration, and potential exposure.
Assess the Breach: Determine the extent of the potential breach and what information may have been compromised.
Notify Relevant Parties: Inform your patient about the incident and potential privacy breach. Depending on the severity, you may need to notify the U.S. Department of Health and Human Services (HHS) and, in some cases, the media.
Implement Corrective Measures: Develop and implement a plan to prevent similar incidents in the future. This may include additional training, updating policies, or investing in new security measures.
Seek Legal Counsel: Consult with a healthcare attorney to understand your obligations and potential liabilities.
Review and Update Policies: Use this incident as an opportunity to review and strengthen your telehealth policies and procedures.
Conclusion
The incident of a mental health professional conducting a telehealth session on an airplane serves as a crucial reminder of the importance of maintaining privacy and compliance in our increasingly digital healthcare landscape.
As solo practitioners working from home, it's essential to remain vigilant about creating and maintaining a secure environment for telehealth sessions.
By adhering to HIPAA, HITECH, and FIPS regulations, implementing robust security measures, and maintaining ethical standards, we can ensure that our patients receive the confidential, high-quality care they deserve.
Remember, the trust our patients place in us is paramount, and it's our responsibility to protect their privacy in every aspect of our practice.
Stay informed, stay compliant, and never hesitate to seek guidance when you're unsure about the appropriateness of a telehealth setting.
Your commitment to privacy and security not only protects your patients but also safeguards your practice and the integrity of your profession. Thank you for your dedication to maintaining the highest standards of care in telehealth.
If you have any questions or concerns about implementing secure telehealth practices, please don't hesitate to contact Väsentlig Consulting for help.
Stay safe and secure in your telehealth journey!
Best regards,
Dave