To quote Becker’s Hospital Review: “Telehealth is one of the fastest growing solutions implemented across major health systems today. Healthcare providers face considerable challenges in care delivery and will require targeted strategies and solutions to extend care access, improve quality, and lower costs.” Becker’s further notes statistics from one single telehealth provider, Teladoc in Lewisville, Texas: “In 2016, Teladoc shared insights gained from facilitating their first 1 million telehealth visits. Since then, Teladoc has now facilitated over 3 million telehealth visits….” Evan Sweeney in FierceHealthcare, cites a report from the Center for Connected Health Policy noting that 48 states and Washington, D.C. reimburse for live telehealth video visits and 15 allow payments for store-and-forward technology.
What great opportunities to reach people in need and provide access to quality care while containing costs! What mind-bending chances for gaps in security and privacy! Ashley Blume in HealthIT Security notes that: “… even though telemedicine has much to offer healthcare providers, they must think carefully when making the decision to incorporate it into their practices because there are security risks… Healthcare providers need to ensure that their patients’ ePHI is secure and encrypted to prevent a data breach or cyberattack.”
At the organizational level, Alan Hille of Ultra Risk Advisors offers five tips for reducing cyber security risk in telemedicine:
- Appoint a HIPAA security officer and conduct a data security self-assessment.
- Develop and implement action plans for gaps identified in the self-assessment.
- Implement safeguards across the continuum.
- Audit contracted teleradiology providers.
- Establish policies and procedures related to data security.
Michael T. Blatt and Elizabeth Callahan-Morris offer considerations and recommendations on “Pitfalls and Benefits of Telehealth and Cybersecurity in the Digital Age.” The general areas of risk that Blatt and Callahan-Morris identify include electronic medical records, mobile devices, medical devices, and web-based applications. Blatt and Callahan-Morris get down to security fundamentals with risk analysis; policies and procedures; training; sanctions; and documentation. In regard to telehealth specifically, they note legal considerations such as HIPAA, credentialing, licensing, and medical professional liability, among others.
Then there are the elements of the clinician-patient relationship and the standard of care. These include patient identification, clinician identification (MD, PA, APP), informed consent, a thorough assessment to facilitate diagnosis and the development of a treatment plan, and follow-up care. Documentation is, as always, the key to communication among members of the healthcare team from the patient and family to the treating clinician to the referring clinician to the pharmacy to the billing entity to the payer and to medical-legal challenges.
Simple arithmetic doesn’t capture the numbers of prospects for trouble as patient encounters, devices, clinicians, employees, and cyber attackers multiply – they are exponential. However, the areas of risk are familiar and may be addressed with attention to, and focus on, equally familiar strategies. We can mobilize security tools to help manage these areas of risk, but our investment will always encounter what The Joint Commission calls the “human factor.”
As we implement and increasingly use telehealth capabilities, we must commit to acknowledging the implications of this approach to patient care. The foundation of success with telehealth is rigorous documentation standards. We must commit to monitoring risky behavior; consistently applying policies and procedures for appropriate use; staying up-to-date with hardware and software iterations; and to insisting on appropriate clinician and staff behavior. Our understanding of the risks associated with telehealth is the vital first step in creating cyber security and mitigating cyber risk.
Carole A. Lambert is CAP’s Vice President, Practice Optimization. Questions or comments related to this article
may be sent to clambert@CAPphysicians.com.