HIPAA-Compliant Workforces Using Zoom & Video Chat
Remote work is, let's face it, the "new normal": COVID has changed the way many of us work. To attract talent and compete with other employers, healthcare organizations have had to accommodate their workforce by allowing them to work from home or remotely. When using Zoom or video chat, what are the HIPAA compliance considerations?
When patient health information (PHI) is involved, when do remote worker connections need to be HIPAA compliant? When workers meet to discuss policies and procedures, or simply hold an Agile scrum meeting, do they need to be HIPAA compliant?
Zoom, Skype and video chat have become ubiquitous and are the go-to tools for most people working from home to communicate with patients and coworkers. A recent study performed by FICO concluded that approximately 80% of the world wants to use mobile technology to communicate with healthcare professionals. Most video conferencing tools are not HIPAA compliant; if one of them is used and PHI is disclosed, that is a HIPAA violation. To be HIPAA compliant, conferencing software and the infrastructure it is hosted on must meet strong security and privacy standards.
The communication of protected health information (PHI) can include any of the following patient information:
Name and social security number
Home or business address
Patient appointment dates
Telephone number or email address
Medical record number, including any information in the actual medical record
Health plan or insurance number
Name of the financially responsible person
Payment information
Biometric identifiers (fingerprint, retina scan or voice recording)
Photographic images or video material of the patient
The following are some of the security issues that must be addressed:
End-to-End Encryption
One of the key security considerations when using video conferencing with PHI is to make sure the vendor is using end-to-end encryption. This encryption is exactly as it sounds: an encrypted tunnel is set up between two or more participants and all of the communication goes through that tunnel. Strictly speaking, end-to-end means the keys exist only on the participants' devices, so not even the vendor can decrypt the call; encryption that terminates at the vendor's servers (transport encryption) does not give the same protection. This matters so that malicious third parties cannot break into a conference call and listen in or record it. New PHI may also be generated during the call, and it must be protected as well.
Business Associate Agreements (BAA)
To be HIPAA compliant, a healthcare organization must have a signed business associate agreement with every vendor that handles PHI on its behalf. This agreement documents roles and responsibilities, security precautions, breach notification timelines, remedies, and other legal matters.
Vendor Access and Auditing
Video conferencing software vendors should have comprehensive auditing and logging processes in place, so it is possible to determine who has accessed stored PHI. Can the vendor's workers or contractors access critical systems where PHI is stored? That access should be limited to a very small number of people. Everyone who has access to PHI should be required to use strong passwords and two-factor authentication (2FA) to log in to applications, and the software application itself should meet the same security requirements. All information should be protected by dedicated hardware-based firewalls. The video conferencing vendor should conduct penetration testing and intrusion detection testing on an ongoing basis to make sure their systems are secure.
The video conferencing vendor should also provide an SSAE 18 SOC 2 Type 2 audit report, which is the gold standard for service organizations. SSAE 18 is the current auditing standard for service companies and is used primarily for reporting on organizational controls and processes. An SSAE 18 SOC 2 Type 2 audit evaluates and reports on the information and systems used to support the comprehensive set of criteria known as the five Trust Services Principles:
Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information and damage to systems that could compromise the availability, integrity, confidentiality and privacy of information or systems and impact the organization's ability to meet its objectives.
Availability: Information and systems are available for operation and use to meet the organization's objectives.
Processing Integrity: System processing is complete, valid, accurate, timely and authorized to meet the organization's objectives.
Confidentiality: Information designated as confidential is protected to meet the organization's objectives.
Privacy: All information is collected, used, retained, disclosed and disposed of to meet the organization's objectives.
Type 2 audits report on how effectively the organization is maintaining all the above. This audit is typically performed on a recurring annual basis in which data policies, processes and technologies are reviewed in depth. An organization's commitment to security and privacy is well documented by an SSAE 18 SOC 2 Type 2 report.
Accidental violations are possible because healthcare organizations may turn off certain video conferencing features and then assume they are HIPAA compliant, while PHI is still inadvertently stored in the conferencing system, or meeting invitations containing PHI are sent through unencrypted email. It's important to rely on a HIPAA compliant video conferencing vendor to guide your organization on best practices and HIPAA rules.
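As an added example (not code from the original article or from Giva), the following Python script scans a constructed export of a meeting's chat log for several of the identifier categories listed earlier (social security numbers, medical record numbers, phone numbers, email addresses, appointment dates), so a retained chat or transcript can be reviewed, and redacted, before it sits in the conferencing system. The MRN format and the sample chat lines are assumptions.

```python
import re

# Regular expressions for a subset of the PHI identifier categories listed
# in the article. The MRN format (the prefix "MRN" followed by 6-8 digits)
# is an assumption; real systems use their own numbering schemes.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{6,8}\b", re.IGNORECASE),
    "phone": re.compile(r"\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "appointment_date": re.compile(
        r"\b(?:appt|appointment)\b.*?\b\d{1,2}/\d{1,2}/\d{2,4}\b", re.IGNORECASE),
}

def scan_line(line):
    """Return the set of PHI categories matched in one chat line."""
    return {name for name, rx in PHI_PATTERNS.items() if rx.search(line)}

def scan_chat_export(text):
    """Scan an exported chat log; return a list of (line_no, categories)
    for each line that appears to contain PHI."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            findings.append((n, sorted(hits)))
    return findings

def redact(line):
    """Replace each matched identifier with a category tag so the log can be
    retained without the underlying PHI."""
    for name, rx in PHI_PATTERNS.items():
        line = rx.sub(f"[{name.upper()} REDACTED]", line)
    return line

# Constructed sample export (not real data).
SAMPLE_CHAT = """\
10:01 Dr. Lee: Let's start with the scrum updates.
10:03 Nurse Kim: Patient MRN 00123456 needs a follow-up appt on 04/12/2024
10:04 Dr. Lee: Please email the summary to j.doe@example.org
10:05 Nurse Kim: Billing asked for SSN 123-45-6789, is that ok to share here?
10:06 Dr. Lee: No. Call me at 555-123-4567 instead.
10:07 Dr. Lee: Sprint retro is Thursday.
"""

if __name__ == "__main__":
    for line_no, cats in scan_chat_export(SAMPLE_CHAT):
        print(f"line {line_no}: {', '.join(cats)}")
```

Pattern matching of this kind produces false positives and misses free-text identifiers such as names, so it supports a human review rather than replacing one.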
HIPAA Work From Home Requirements
With the advent of COVID-19, many white-collar workers are now working from home, and new technology is making it very easy. Faster Internet access, high quality video conferencing, and collaboration tools like Microsoft Teams and Slack enable remote workers to collaborate with coworkers and be highly productive.
There are many advantages to having employees work remotely. However, for healthcare organizations that are regulated by HIPAA rules there is a minefield of potential problems: they need to ensure that protected health information (PHI) is kept private and confidential.
HIPAA Accidents Resulting in PHI Disclosures
The loss of an employee's laptop with 50,000 PHI records on it cost the Cancer Care Group a financial penalty of $750,000. They failed to conduct a risk assessment when the loss occurred, and they also did not have a written policy about mobile devices used outside of the office. Lincare, a respiratory medical group, incurred a $240,000 penalty for the breach of 278 patient records. The court found that despite most of their workers routinely working in patients' homes there were not adequate mobile device security policies and procedures in place to protect PHI.
Protecting PHI While Working Remotely
Specify brands, models and versions of devices approved by IT for remote use.
Configure wireless routers to use WPA2-AES encryption for the best security.
Require strong passwords for wireless routers so they are difficult to crack.
IT professionals with security experience should configure all devices connected to the network: encrypted disk drives, two-factor authentication, and antivirus and antimalware software on every device.
Require employees to use a VPN to access company resources, and even when just using the Internet, for additional security.
Encrypt all PHI before sending.
Use an encrypted email program.
IT professionals should configure all personal devices before allowing access to the company network.
Devices containing PHI should not be shared with coworkers, friends, family, etc.
Execute a confidentiality agreement with employees to emphasize the critical nature of PHI.
Communicate and audit a "Bring Your Own Device" (BYOD) policy with do's and don'ts.
Store hard copy PHI in a locked file cabinet.
Mandate the use of shredders to dispose of paper-based PHI.
Mandate a Media Sanitization Policy for devices storing PHI.
Prohibit the copying of PHI to external media such as flash drives and hard drives.
Log all remote access activity and automatically scan for patterns and potential issues.
Human Resources professionals should emphasize the seriousness of HIPAA violations which could include civil and criminal penalties.
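As an added example (not code from the article or from Giva) tying together several items on the list above, the following Python check reads constructed remote-access log lines (JSON, an assumed format) and flags logins without two-factor authentication, from devices not on the approved list, outside the VPN, at unusual hours, and copies of PHI to external media. The approved device names, working hours and log field names are assumptions.

```python
import json
from datetime import datetime

# Approved device models for remote use and expected working hours
# (both constructed for this example).
APPROVED_DEVICES = {"ThinkPad T14 Gen 3", "MacBook Pro 14 2023"}
WORK_HOURS = range(7, 20)  # 07:00-19:59 local time

def check_event(ev):
    """Return a list of policy findings for one remote-access event
    (ev is a dict parsed from a constructed JSON log line)."""
    findings = []
    if ev.get("action") == "login":
        if not ev.get("mfa"):
            findings.append("login without two-factor authentication")
        if ev.get("device") not in APPROVED_DEVICES:
            findings.append(f"unapproved device: {ev.get('device')}")
        if not ev.get("vpn"):
            findings.append("company resource reached without VPN")
        hour = datetime.fromisoformat(ev["time"]).hour  # "time" assumed present
        if hour not in WORK_HOURS:
            findings.append(f"off-hours access at {ev['time']}")
    elif ev.get("action") == "file_copy":
        if ev.get("dest_type") == "external_media" and ev.get("phi"):
            findings.append(f"PHI copied to external media: {ev.get('dest')}")
    return findings

def scan_log(lines):
    """Parse JSON log lines and return (user, finding) pairs."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            results.append(("?", f"unparseable log line: {line[:40]}"))
            continue
        for f in check_event(ev):
            results.append((ev.get("user", "?"), f))
    return results

# Constructed sample log (not real data).
SAMPLE_LOG = """\
{"time": "2024-04-12T08:05:00", "user": "akim", "action": "login", "mfa": true, "vpn": true, "device": "ThinkPad T14 Gen 3"}
{"time": "2024-04-12T23:40:00", "user": "jdoe", "action": "login", "mfa": false, "vpn": false, "device": "Personal tablet"}
{"time": "2024-04-12T09:15:00", "user": "akim", "action": "file_copy", "phi": true, "dest_type": "external_media", "dest": "/media/usb0/export.csv"}
{"time": "2024-04-12T09:20:00", "user": "akim", "action": "file_copy", "phi": false, "dest_type": "network_share", "dest": "/srv/share/team/notes.txt"}
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` yields five findings: four for the unapproved off-hours login and one for the copy of PHI to external media.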
HIPAA and Telemedicine
It is important to understand the HIPAA rules surrounding telehealth video platforms. Although Giva does not have a product in this market space, it is important that our customers understand the rules and prepare. Giva is in the business of HIPAA-compliant IT help desk and customer service software that can be used in conjunction with telehealth video platforms.
Guidelines for a HIPAA-Compliant Video Platform for Telehealth
For the last decade industry prognosticators have been predicting that "next year" will be the year of explosive growth for telemedicine. Although telehealth hardware and software have made impressive feature improvements, these forecasts never came true until the start of COVID-19 in 2020. The HIPAA rules on telemedicine have an important and wide-reaching impact on clinical healthcare professionals and the patients they serve remotely or in community settings. Even though the direct communication is between a healthcare professional and a patient, the communication channel itself must also be HIPAA compliant.
Telemedicine HIPAA guidelines mandate that:
Only authorized persons may access PHI.
Encrypted communication channels are used to protect PHI.
Communications are logged and monitored to reduce the risk of breaches.
HIPAA rules state that "reasonable and appropriate safeguards" should be implemented to protect PHI from accidental breaches. SMS, Skype, and email are insecure and should not be used. The HIPAA guidelines on telemedicine mandate that systems must have a way of monitoring and, if necessary, deleting information remotely. Automatic log-off should also be a feature of the system.
Telemedicine and SMS, Skype or Gmail
If PHI is created by a healthcare organization (covered entity) and stored by a third party (business associate), then there must be a business associate agreement (BAA) in place to ensure the protection and privacy of the data. These third parties are responsible for ensuring data privacy and confidentiality. They must also allow the covered entity to periodically audit the business associate for data security.
SMS, Skype or Gmail communications will always leave a copy on the vendor's servers. If any communications contain PHI, then the covered entity needs to have a BAA with Verizon, Skype/Microsoft or Google in order to be HIPAA compliant. Currently, these vendors will not sign BAAs with covered entities, so the entities are liable for any fines should PHI be disclosed.
HIPAA-Compliant Telehealth at a Cost
For solo physicians who want to offer HIPAA compliant telehealth services to patients there are some complicated and expensive options. Microsoft will sign a BAA with physicians for HIPAA-compliant Skype for Business video. Unfortunately, patients must also have an Office 365 account linked to the cloud-based Skype for Business service, so for most environments this is not practical or cost effective.
Better Telehealth Solutions for PHI Using Secure SMS Messaging
Secure SMS messaging (texting) offers healthcare organizations compliance with HIPAA guidelines on telemedicine. Texting is simple and ubiquitous; most clinical professionals and patients already know how to use it. All the information is encrypted, meaning it is unreadable and unusable if accessed by an unauthorized party. Secure SMS messaging is offered on cloud-based application platforms, so it forms a closed private network. Patients can quickly download the application onto their smartphones. There are many excellent use cases for secure SMS messaging, such as in community medical centers or in home healthcare when nurses want to quickly escalate a patient situation. Secure SMS messaging solutions also have the added benefits of better workflows, reduced costs and improved patient outcomes.
The benefits of using secure SMS messaging:
Unrestricted, secure sending and receiving of PHI while outside of a hospital or healthcare office.
Images and videos attached to messages can provide better health outcomes in the form of accelerated diagnoses and fast collaboration on appropriate treatments.
Accelerated ER intake and patient discharges and reduced waiting. Moving patients more quickly through a hospital or healthcare system also minimizes the spreading of contagious diseases.
Automated notifications and read receipts reduce telephone tag and improve accountability.
Audit and logging reports make it easy to monitor and perform risk management.
Integration with electronic health records (EHR) supports Stage 2 Meaningful Use incentive programs.