Industry Voices—Telemedicine and long-term implications for HIPAA compliance

Tools and technologies that help expedite, streamline and operationalize healthcare practices and organizations during the pandemic are experiencing record-level demand.

Telehealth services, in particular, have gone from being a long-term road map item to an immediate priority almost overnight. 

Nearly 50% of doctors are now using telehealth to treat patients as the COVID-19 pandemic continues to change how physicians deliver care. And analyst firm Frost & Sullivan predicts a 64.3% nationwide uptick in demand for telehealth this year due to the health crisis.

Looking ahead, the firm believes that the U.S. telehealth market will see sevenfold growth by 2025, resulting in a five-year compound annual growth rate of more than 38%. 

With essentially no time to prepare, healthcare organizations across the country had to act extremely fast to figure out how to offer telemedicine. Rushing to adopt any new technology brings the potential for issues and challenges. And when people’s health and personal data are involved, the stakes are high for getting it right. 

RELATED: Tech experts: Widespread adoption of telemedicine, remote monitoring 'here to stay'

For providers now offering telemedicine, making sure their IT infrastructure will safeguard personal health information and protect them from potential penalties or malpractice claims down the road is critical. Healthcare compliance mandates that were relaxed in the rush to enable the rollout will need to be prioritized going forward. 

IT departments implementing telehealth solutions shouldn’t assume that they are covered, even if they are working with software and infrastructure providers that offer security and compliance. It is critical to understand the specific responsibilities of each partner involved in delivering the solution.

Steps healthcare IT departments can take to ensure data protection and full regulatory compliance of new solutions include:

Engage trusted vendors. Don’t go it alone.

The IT staff doesn’t have to do all the heavy lifting. Work with trusted software vendors, hosting providers and, if possible, engage a third-party security testing firm to conduct penetration testing to assess the security strength of your environment inside and out. A detailed penetration testing report identifies any vulnerabilities and how to fix them and can provide the foundation for a road map to a more secure and compliant solution. 

Create a data flow diagram. Look at it from all angles.

At this point, all the elements needed to create a data flow diagram are in place. The diagram will illustrate where data are coming from, who is doing what with the information and where is it headed. It is a comprehensive visual reference of how data is flowing through the organization. Look at this from a patient, facility, and vendor perspective to provide insights into the various elements that need to be addressed (and aren’t being addressed).

Study the security responsibilities matrix. Know where the line is drawn.

With the data flow diagram mapped out, it becomes clear what needs to be done from the data security and compliance perspective. Request security documentation and a responsibilities matrix from your vendors to understand what areas they cover specifically. Just because a solution is being hosted by a secure and compliant provider doesn’t mean that it is fully protected. (You may be surprised to see just how little is covered.)

The hosting provider may ensure security and compliance of the underlying infrastructure, but what about the technology solutions and processes on top? A combination of your IT team and trusted vendors will likely be responsible for patches, upgrades and specific solution level protection. Review the matrix for current applicable vendor certifications such as HIPAA, PCI and/or SOC 2 as they will help ensure the right coverage, depending on where responsibilities lie. 

Manage certifications at the line item level. Track each requirement separately.

Organizing the processes that support compliance standards is especially important. There are often many layers of requirements needed for each certification. Tracking these requirements at the line-item level will eliminate any surprise gaps and help ensure full compliance.

For example, HIPAA compliance includes requirements needed to cover administrative, technical and physical safeguards that must be addressed. You’ll need to get into the details of the various requirements for each realm to determine how to appropriately address each area and who is responsible. 

RELATED: The COVID-19 pandemic will have a long-term impact on healthcare. Here are 4 changes to expect

When it comes to making sure telehealth offerings are compliant and secure, the devil is in the details.

Achieving regulatory compliance in the healthcare industry is a multifaceted process in increasingly complex IT environments. By investing the time and energy to do assessments upfront, map out data flow and track requirements down to the individual line item level, IT teams will build a stronger relationship with their vendors and, ultimately, a safer environment for the long term.  

This investment will also enable the healthcare provider to shift into ongoing maintenance of their compliant environment with confidence.

Adam Goslin is compliance officer for Otava, a provider of secure and compliant cloud solutions.