How to Stay HIPAA Compliant when Using Telemedicine

HIPAA Compliant

Telehealth got a major boost when the U.S. Department of Health and Human Services (HHS) expanded the number and types of interventions that can be provided remotely during the COVID-19 public health emergency. According to a HIT consultant report, many health systems report that more than 50% of primary care visits are now being performed via telemedicine. US based medical transcription companies have stepped up their efforts to meet providers’ EHR documentation requirements. However, as the access to telemedicine services was broadened, it has triggered security concerns. Remote electronic communication must not compromise the safety of protected health information (PHI). Though the Office for Civil Rights (OCR) has lifted penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 crisis, staying HIPAA compliant is critical to ward off cybersecurity attacks.

Partnering with a HIPAA compliant medical transcription company is necessary when it comes to documenting telehealth consultations, as PHI includes transcribed documents. Additionally, experts recommend the following strategies to remain HIPAA compliant while providing telemedicine services:

  • Utilize enterprise virtual private network (VPN): Successful implementation of telemedicine depends on ensuring the secure transit of virtual consultations and related communications. The channel of communication that is used for communicating ePHI is critical. Experts consider enterprise VPNs a must-have for telemedicine. A Health IT Security article notes: “Enterprise VPNs are the mainstay for protected communications for about 95 percent of organizations, including those in the healthcare sector, as a best practice for remote access security and compliance”. VPNs ensure that data is encrypted and sent to the right person. However, it’s important for providers to ascertain that the VPN software is up to date and current to rule out potential VPN vulnerabilities, Pulse Secure’s CMO Scott Gordon told HealthITSecurity.com.
  • Desktop-as-a-service: (DaaS) to reduce surface attack risks: DaaS is a desktop virtualization solution that securely delivers virtual apps and desktops from the cloud to any device or location. It is an ideal option for accessing PHI via the cloud without revealing connections or records. A DaaS is generally deployed using secure encryption keys and as all user data is stored on the cloud, the risk surface area attacks are reduced (www.hitconsultant.net).
  • Use automation in remediation: “Automate everything that can be automated”, says Gerry Miller, Founder & CEO at Cloudticity (www.hitconsultant.com). Remediating potential compliance problems manually can consume a lot of time and resources. By integrating AI and operational intelligence, cloud-based services can recommend the best approach in a given situation.
  • Continuous identity authentication: Experts recommend multi-factor authentication (MFA) to prevent automated cyberattacks. The National Institute of Standards and Technology (NIST) considers MFA the preferable authentications method for strong authentication. MFA remembers a device. Continuous identity authentication should aim to verify usernames and passwords with a security question as well as another factor, such as using a key code for verification after the initial login request (www.healthitsecurity.com).
  • Continuous endpoint authentication and compliance: Endpoint posture checking will ensure that remote users have access to minimum resources for as little time as needed so as to minimize risk and maximize security. Users privileges can be marked. Experts recommend continuous endpoint posture checking using cloud applications to quickly organize telemedicine support and engaging with patients both virtually and on premises. Applications should be accessible to healthcare providers regardless of their location and allow running of antivirus software, a personal firewall, and anti-phishing software.
  • Encryption of data storage: When PHI and other critical information are encrypted, hackers will not be able to access them. Best practice is to ensure that all web and application servers running on cloud are encrypted using a custom master key from a key management service.
  • Secure operating systems: Microsoft Windows and Linux are popular operating systems (OS) for telemedicine, but they have many vulnerabilities. The HIT Consultant report explains that criminal access to OS can be prevented by using hardened images of Windows Server and Linux virtual machines (VMs) with default configurations recommended by the Center for Internet Security (CIS).

HIPAA compliant medical transcription is essential to ensure the security and confidentiality of PHI created when providing telemedicine services. US based medical transcription service providers have all the necessary measures in place to ensure the protection of the data they handle, including provisions for regular auditing for HIPAA compliance.

Infographics