At PCIHIPAA, we’ve been receiving questions regarding Telehealth and Working from Home (WFH) during the COVID-19 emergency. The following will provide some guidance.
During the COVID-19 national emergency, health care providers subject to the HIPAA Rules may communicate with patients, and provide telehealth services, through remote communication technologies. Some of these applications may not be 100% compliant with HIPAA Rules. The Office for Civil Rights (OCR) will not impose penalties for noncompliance during the COVID-19 emergency relating to telehealth.
During this time, a health care provider that wants to use audio or video communication technology to provide telehealth to patients can use any non-public facing remote communication product that is available. OCR is exercising its enforcement discretion regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Therefore, practices can also use telehealth for conditions not related to COVID-19.
Health care providers may use video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. However, Facebook Live, Twitch, TikTok, and similar video communication applications that are public facing should not be used.
Covered health care providers that seek additional privacy protections for telehealth should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. These vendors include Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google G Suite Hangouts Meet.
Work from Home (WFH)
Unlike telehealth, where OCR has announced a softening of the HIPAA Rules, healthcare providers working from home still face the full set of cyber-security and HIPAA challenges. Below are tips to consider to help keep patient data private and secure while working from home.
- Review your Company’s Workstation Use Policy, specifically as it relates to remote use. If you don’t have one, establish guidelines.
- Determine if employees will use their own device or company devices.
- Document and inventory all employee devices and their access rights to sensitive information.
- Establish a daily communication plan between managers and staff.
- Do your HIPAA training and review what constitutes a data breach.
- Use encrypted e-mail and review all data backup procedures.
- Review phishing email examples with staff, especially Coronavirus-themed examples.
- Don’t share hardware or software logins and passwords.
- Use a Virtual Private Network (VPN) when accessing the company network remotely.
- For home Wi-Fi, make sure the manufacturer’s default passwords are changed and a firewall is enabled.
- Don’t use public Wi-Fi from a laptop to access company information.
- Don’t save information on thumb drives or public Google Drives.
- Update all home computer software, operating systems, and anti-virus software.
- Establish IT escalation paths to assist employees and discuss home use of devices.
- Disallow printing of patient records at home. If absolutely necessary, obtain a HIPAA-compliant shredder.
- Track all company mobile devices and enable wiping in case they are lost.
It’s critical when employees work from home that they understand the inherent risks and rules. You can also have everyone review PCIHIPAA’s Fight Ransomware Page.
COVID-19 is forcing everyone to slow the curve. Telehealth and working from home will become the norm over the next 30/60/90 days if it has not already. Now is not the time to take cyber-security lightly. Make sure you have all of your safeguards in place and educate employees so they can help keep your practice safe and secure.
To obtain a free network security scan, go to https://calendly.com/pcihipaa/covid-19-network-scan
To learn more about PCIHIPAA’s OfficeSafe Program, please visit https://pcihipaa.com/healthcare-compliance-solutions/