Telehealth and privacy in the time of COVID-19

僅提供英文版本

With hundreds of thousands of confirmed COVID-19 cases, it's important that people who show symptoms have access to care without potentially spreading the virus. Telehealth is key. The question is: Given this pandemic, is it ok to relax privacy and security requirements when it comes to telehealth?

As cases of COVID-19 increase exponentially in the U.S., healthcare organisations are struggling to provide care for so many affected patients. These medical organisations, as well as the government, are turning to telehealth as a viable option for remote healthcare.

The value of telehealth has never been more clear than during a major medical crisis. However, as healthcare providers are scrambling to provide remote care, are they overlooking privacy and security? While there are credible, HIPAA compliant telehealth platforms out there, some providers are using platforms that are not HIPAA-covered entities.

The question is: Given this pandemic, is it ok to relax privacy and security requirements when it comes to telehealth?

Telehealth privacy and security concerns

"As restrictions around virtual care in light of COVID-19 become more relaxed and the need for telehealth services grows, we fear that some organisations may deprioritise privacy and security as they try to adapt to demand," Mike Baird, President of Customer Solutions at Amwell, a telemedicine company based in Boston, Mass., said.

Baird gave the example of how some healthcare organisations are opting to use free, web-based communications platforms to provide telehealth sessions to patients. These free, web-based communication platforms are not covered by HIPAA.

"By choosing a platform that is not HIPAA-compliant or HITRUST-certified, healthcare organisations run the risk that it will not be compliant when this emergency is over and HIPAA regulations are reinstated," Baird said.

Furthermore, patient visits could potentially be unsafe and unsecure with the use of communication platforms not covered by HIPAA. In fact, there is the risk that another individual could accidentally join the visit unannounced, Baird pointed out, or that the visit could be recorded.

Weighing the risks

Healthcare organisations will need to assess how much risk they are willing to take on. Michael Zurcher, Global Privacy Officer and Senior Director at Iron Mountain, said it's important to consider what could go wrong and how the healthcare organisation would handle it.

Furthermore, physicians who are working from home and connecting with patients via telehealth technologies or online communication platforms should be aware of who can hear them during patient meetings and who could potentially see their computer screen. Zurcher encourages healthcare professionals to challenge themselves to figure out what could go wrong and take steps to prevent it, if possible.

Baird said that quality patient care goes hand-in-hand with privacy and security: "Patient care should always be our number one priority, and I would argue that privacy and security are critical for providing optimal patient care."

He added that HIPAA-compliant virtual care platforms have experience with ensuring privacy and security under HIPAA. Therefore, healthcare organisations that use these HIPAA-compliant platforms don't need to spend time and energy worrying about privacy and security, and can instead focus on patients.

When is it ok to sacrifice privacy to provide care?

Given the hundreds of thousands of confirmed COVID-19 cases, it's important that people who show symptoms have access to care without potentially spreading the virus.

Providing telehealth to hundreds of thousands of people -- and potentially more -- is key.

But, given how fast everything is moving with the COVID-19 pandemic and the need to provide care fast and virtually, is it ok to sacrifice privacy and security in a crisis like this?

The Office for Civil Rights (OCR) has already relaxed penalties under HIPAA if a healthcare provider doesn't use a secure telehealth product or if information is intercepted during a telehealth session.

Zurcher believes it would not be good if, because of privacy, the proper care can't be provided to patients. Patients should not be put in harm's way at the expense of privacy.

However, both Baird and Zurcher agree that if there is a way to provide care in a safe and secure way, then do it.