Guest Post: 5 Legal Considerations for Maximizing Telehealth Security

Telehealth is one of the fastest growing and developing areas of healthcare today. With this rapid growth come many questions and concerns that arise when legal and regulatory schemes are not able to keep up with the pace of development. One such concern is the legal and regulatory issues relating to the privacy and security of telehealth services. Telehealth services can be provided securely, but specific attention must be paid to information and application security in order to protect patient privacy and comply with laws such as the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").

Healthcare provider executives who currently offer, or are considering offering, telehealth services to their patients should give attention and appropriate resources to the following areas in order to maximize the organization's security posture and operational efficiencies.

Arrangement Structure

One of the primary decisions for a healthcare provider organization to make with any telehealth arrangement is whether the organization will provide the telehealth services itself or in collaboration with a third party. Many considerations will be part of this decision, but information privacy and security should be one of them. An organization should only consider providing telehealth services on its own if it can dedicate sufficient resources and personnel to establishing and maintaining the secure transmission and storage of patient information. Only an organization with a competent and established information technology staff should consider providing telehealth services in this manner.

If an organization chooses instead to collaborate with a third party to provide telehealth services, there are several third parties with whom the organization can collaborate to provide those services securely. Those third parties can provide anything from equipment only to a full range of services, including digital infrastructure and professional physician services. When a third party is involved, the organization must also consider how to structure the arrangement for purposes of HIPAA, including determining whether the third party will be a business associate of the organization or whether the organization and the third party will function as a single Organized Health Care Arrangement ("OHCA") under HIPAA. These decisions will impact how information flows between the parties and who is responsible for securing that information.

Contractual Protections

Responsibility for securing information where the provider organization collaborates with a third party will be governed by the operative agreements between the parties, including the Business Associate Agreement, where applicable. Provider organizations should be sure that the agreements detail the third party's security-related obligations and establish the third party's responsibility for failing to meet those obligations. The operative agreements also should contain sufficient representations and warranties of the third party's security posture, including the technical specifications that the third party will implement in order to safeguard patient information. Equally important is making sure that the operative agreements include sufficient assurances that patient information will be accessible to the appropriate healthcare provider.

Technical Specifications

Telehealth arrangements will differ in the precise technical specifications that the parties implement to safeguard patient information. However, certain technical specifications are broadly applicable and can significantly reduce security risks. One example of such a specification is the use of encryption technology. Encrypting patient information, both while stored on computer systems and during transmission between systems, is an effective means of safeguarding the information from unauthorized third parties and preventing breaches from occurring. Another such specification is authentication of the participants in a telehealth encounter, the clinicians and patients themselves. It is important that technological measures are implemented to ensure the identity of both the clinicians and patients so that all parties can have confidence that the individuals involved in the encounter are actually who they appear to be. Provider organizations should strongly consider implementing such technologies in any telehealth services arrangement.

Security Awareness

Even the best technical safeguards can be compromised by human error, so it is imperative that effective security awareness training be provided both to workforce members as well as patients. Workforce members who participate in telehealth services arrangements must be made aware of their obligations to protect the privacy and security of patient information under their organization's policies and procedures and be sanctioned when a violation occurs. Likewise, patients should be provided with information about the security risks present in telehealth arrangements and advised of the steps they can take to mitigate those risks.

Security Risk Analysis

Provider organizations are required under HIPAA to periodically perform an enterprise-wide security risk analysis and to take steps to remediate any risks that are identified. The failure to do so can result in substantial fines and penalties to a provider organization. An enterprise-wide risk analysis considers not only the electronic health record but also any system or equipment that contains electronic patient information, which would include equipment and systems utilized in providing telehealth services. Accordingly, provider organizations should be sure to include telehealth systems in their risk analysis, including those utilized by a third party service and to address any identified risks and vulnerabilities in a timely fashion.

This article is educational in nature and is not intended as legal advice. Always consult your legal counsel with specific legal matters. If you have any questions or would like additional information about this topic, please contact Ammon Fillmore at (317) 977-1492 or afillmore@hallrender.com or Mark Swearingen at (317) 977-1458 or mswearingen@hallrender.com.

About the Authors: Ammon Fillmore and Mark Swearingen are attorneys with Hall, Render, Killian, Heath & Lyman, P.C., the largest healthcare-focused law firm in the country. Please visit the Hall Render Blog for more information on topics related to healthcare law.

---

HIN Disclaimer: The opinions, representations and statements made within this guest article are those of the author and not of the Healthcare Intelligence Network as a whole. Any copyright remains with the author and any liability with regard to infringement of intellectual property rights remain with them. The company accepts no liability for any errors, omissions or representations.