COVID-19 has taken the world by storm, and society as we know it is changing rapidly. From how we interact with each other socially, to our ability to freely go shopping and eat at restaurants, changes are being initiated across the board. Industries all across the world have been affected and with such a great impact comes change. More individuals are choosing telemedicine clinics and other virtual healthcare options either by necessity or in fear of going to a local clinic and exposing themselves. With this comes new opportunities for unauthorized access to personal data. What should virtual healthcare platforms and telemedicine clinics be doing to assure their patients’ data is secure? Before diving into that topic, it is important to understand what HIPAA is and why it was enacted.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to provide the ability to transfer health insurance coverage for millions of American workers when they change or lose their jobs. It was designed to reduce healthcare fraud and abuse by mandating industry-wide standards to protect healthcare information. There are two main facets to HIPAA: the privacy rule and the security rule. The privacy rule defines and governs the use and disclosure of protected health information. The security rule sets the standards for securing patient data.
Though organizations may not physically be seeing patients in their office, if they are collecting patient data online or over the phone they are still held to exactly the same standards. Organizations must secure the data they collect from patients in a HIPAA-compliant manner. How are the virtual clinics and practices collecting information? Is that information encrypted at rest and in motion? Can a hacker easily gain access and compromise patient data?
There are two main areas organizations should focus on when they perform virtual healthcare operations with HIPAA in mind. The first is encryption of data in transmission. Data that patients send to a clinic or healthcare practice must be sent securely. Software exists for this, but whatever solution your organization chooses, there must be a way to transmit data back and forth with patients in encrypted form. This includes video conferencing with patients and general calls. Applications like Skype, Zoom, and Facetime do not support HIPAA-compliant transmission of data. Encryption of data transmission is of the utmost importance. The second area is the storage of data. Choosing what data your organization will store, and for how long, is crucial. Knowing where that data is stored on your systems and who in your organization has access to it is equally important. Access should be limited to those individuals who have a business need, and this should be documented in the organization's policies.
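The two areas above (encrypted transmission, and storage that is limited in scope, retention and access) can be made concrete in code. The following is an added example, not code from the original post or from any particular telehealth product: it builds a client TLS context that refuses protocol versions older than TLS 1.2 and verifies the server certificate, and it models a small patient-record store in which every read is checked against a role-to-purpose policy, every attempt is written to an audit log, and records past their retention period are purged. The role names, the `ACCESS_POLICY` table, the 30-day retention and the sample record are all constructed for illustration.

```python
"""Added illustration of the two HIPAA focus areas discussed above:
encrypted transmission and controlled, audited, time-limited storage.
All roles, policies and sample data below are constructed, not from the post."""
import ssl
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def build_tls_context() -> ssl.SSLContext:
    """Client-side context for talking to a telehealth backend over TLS.

    create_default_context() already turns on certificate verification and
    hostname checking; we additionally pin the floor to TLS 1.2 so a legacy
    server cannot negotiate SSLv3/TLS 1.0/TLS 1.1 for patient traffic.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Hypothetical policy: which roles may read patient records, and for what purpose.
# A role with an empty set has no read access to PHI at all.
ACCESS_POLICY = {
    "clinician": {"treatment"},
    "billing": {"payment"},
    "receptionist": set(),
}


class AccessDenied(PermissionError):
    """Raised when a role tries to read PHI outside its documented business need."""


@dataclass
class PHIStore:
    """In-memory stand-in for a record store with retention and access auditing."""
    retention: timedelta
    records: dict = field(default_factory=dict)    # patient_id -> (stored_at, record)
    audit_log: list = field(default_factory=list)  # one entry per access attempt

    def store(self, patient_id: str, record: dict, now: datetime) -> None:
        self.records[patient_id] = (now, record)

    def read(self, user: str, role: str, purpose: str, patient_id: str, now: datetime) -> dict:
        """Return the record only if the role is permitted to read for this purpose.

        Both allowed and denied attempts are logged, so the audit trail shows
        who tried to reach which record, not just who succeeded.
        """
        allowed = purpose in ACCESS_POLICY.get(role, set())
        self.audit_log.append({
            "time": now, "user": user, "role": role,
            "purpose": purpose, "patient": patient_id, "allowed": allowed,
        })
        if not allowed:
            raise AccessDenied(f"role {role!r} may not read PHI for purpose {purpose!r}")
        return self.records[patient_id][1]

    def purge_expired(self, now: datetime) -> list:
        """Delete records held longer than the retention period; return their ids."""
        expired = [pid for pid, (stored_at, _) in self.records.items()
                   if now - stored_at > self.retention]
        for pid in expired:
            del self.records[pid]
        return expired


def demo() -> dict:
    """Walk through the store with constructed data; returns values for checking."""
    t0 = datetime(2020, 4, 1, tzinfo=timezone.utc)
    store = PHIStore(retention=timedelta(days=30))
    store.store("p-001", {"name": "Sample Patient", "visit": "telehealth consult"}, t0)

    seen = store.read("dr.sample", "clinician", "treatment", "p-001", t0)
    denied = False
    try:
        store.read("frontdesk", "receptionist", "treatment", "p-001", t0)
    except AccessDenied:
        denied = True

    purged = store.purge_expired(t0 + timedelta(days=31))
    return {"seen": seen, "denied": denied, "audit_entries": len(store.audit_log),
            "purged": purged, "remaining": len(store.records)}


if __name__ == "__main__":
    print(demo())
```

The point of logging the denied attempt as well as the successful one is that HIPAA's access-control expectations are only auditable if the trail shows attempts, not just grants; likewise the retention purge makes "how long it will be stored for" a property the system enforces rather than a sentence in a policy document.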
Being in violation of HIPAA can be extremely costly through penalties to your organization and damage to the reputation of your organization. As times change and we see more healthcare exchanges happening virtually, it is vital that we make sure we are still being secure about how we are handling confidential patient data. The two areas outlined above are key areas to consider and a great place to start, but all HIPAA controls should be taken into consideration when developing virtual healthcare procedures. It is recommended that organizations perform a HIPAA risk assessment to see where they have control weaknesses. Contact us today for further guidance on achieving and maintaining HIPAA compliance!