Sustainable Telehealth: Security Risk Analysis

By Jim Tate, EMR Advocate
Twitter: @jimtate, eMail: jimtate@emradvocate.com
Host of The Tate Chronicles#TateDispatches

Whether you are a solo practice or a large hospital system, the requirement to protect electronic health information is mandated. HIPAA regulations tell us that “all e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule”. Due to the COVID-19 pandemic the Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion effective March 17, 2020 and remains in effect “until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared health emergency, including any extensions, whichever occurs first.”

The Notification of Enforcement Discretion by HHS states it will: “exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

The widespread emergency adoption and use of telehealth technology is now in a period of transition. Providers who had never entertained the concept of hosting virtual encounters with patients are now realizing it will be another option in how they will deliver healthcare. This movement, to sustainable telehealth, requires the understanding of the potential risks involved and potential disclosure of protected health information.

HIPAA “requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI.” The use of telehealth technology brings numerous instances of potential risk to the disclosure of protected information. It is required that a provider perform, and keep updated, their Security Risk Analysis (SRA) process and document the findings and subsequent plans for mitigation. If you started using telehealth during the COVID-19 pandemic, and intend to continue to use it, you need to update your SRA considering telehealth. It is a simple as that. This is one of the steps to #sustainabletelehealth. HHS has provided more information by publishing FAQs related to HIPAA and telehealth during the COVID-19 nationwide public health emergency.

This article was originally published on Medivisum and is republished here with permission.