Enhancing telemedicine privacy and security with HIPAA

Telemedicine is not an entirely new concept. The idea of remote doctor consultations through telephone has been around even before the invention of television. Transmission of radiologic images via telephone has been done as early as 1948, while video has been used for medical purposes since the 1960s. By then, paramedics were already transmitting cardiac rhythms and ECGs to hospitals. NASA was also known to have developed satellite-based communications for astronauts’ medical needs in the 1980s.

Telemedicine and HIPAA Compliance

One may think that simply calling your doctor is telemedicine. However, that is not the case. Telemedicine products and services, just like those in other healthcare areas, must comply with certain standards and guidelines, which typically vary from state to state. But there are common guidelines that telemedicine providers should comply with under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. [1] HIPAA includes two rules, the Privacy Rule and the Security Rule. [2]

Privacy and Security

The Privacy Rule governs who is covered, what information is protected, and how electronic protected health information (ePHI) can be used and disclosed. [3] The Security Rule, on the other hand, sets the standards for the secure transfer and storage of ePHI. [4] Under these rules, communicating with your doctor via SMS, email, or even Skype is not considered telemedicine. In fact, telemedicine providers who use these unsecured platforms are subject to fines and civil actions. There are many ways in which a telemedicine provider can comply with HIPAA guidelines. [5] Complying with these guidelines is a priority among telemedicine providers. In our preliminary research at Parola Analytics, we found that about 32% of telemedicine-related patents filed in the US from 2007-2016 relate to security and privacy.

Telemedicine providers are also required to have a Business Associate Agreement (BAA) with third-party information and communication technology (ICT) providers that store ePHI created and transferred during telemedicine sessions. For example, consider the case in which an email with attached ePHI is sent between telemedicine providers using Google Mail, and the email is stored on a Google server. If there is a data breach in Google Mail and the telemedicine providers do not have a BAA with Google, Google would not be liable under HIPAA. A BAA extends the responsibility for complying with HIPAA rules to the third-party ICT provider.

Compliance with these rules is very important not just for the telemedicine industry but also for the entire US healthcare industry. According to the Identity Theft Resource Center, the healthcare industry accounted for 377 incidents, or 34.5 percent of the data breaches, in 2016. [6] This figure is the second highest number of data breaches among the various industries surveyed. In 2014, an estimated 2.32 million Americans were victims of medical identity theft. [7] This resulted in an average loss of $13,453.38 for each victim. It is not just patient information and money that are at risk in healthcare privacy and security breaches, but more importantly, the patients' health. For example, medical devices such as insulin pumps have been vulnerable to hacking. [8] Such incidents could prove fatal to insulin pump users.

Another example highlighting the scale of security risk in the healthcare sector is the May 2017 incident in which the notorious WannaCrypt ransomware attacked computers in 16 institutions of the National Health Service across the UK. The computer files were locked by the malware and could only be accessed by paying $300 per computer. The attack affected x-ray imaging systems, pathology test results, phone systems, and patient administration systems. It crippled the hospitals' systems to such an extent that patients were advised to seek hospital care only in emergency cases. [9]

Privacy and security are just some of the major challenges that slow down widespread telemedicine adoption. Companies need to build more powerful, reliable, and effective solutions to address these challenges and comply with HIPAA rules. New advancements in cybersecurity, such as private blockchain, may help partly address this need.

References
[1] “HIPAA Guidelines on Telemedicine,” HIPAA Journal, Web. 02 Jun 2017.
[2] Hall et al., “For Telehealth To Succeed, Privacy And Security Risks Must Be Identified And Addressed,” Health Affairs, Feb 2014. Web. 02 Jun 2017.
[3] “Summary of the HIPAA Privacy Rule,” HHS.gov, Web. 02 Jun 2017.
[4] “Summary of the HIPAA Security Rule,” HHS.gov, Web. 02 Jun 2017.
[5] Smith, Andrea, “Top 5 Requirements for Secure Telemedicine,” Chiron Health, 10 Mar 2016. Web. 02 Jun 2017.
[6] “Data Breaches Increase 40 Percent in 2016, Finds New Report from Identity Theft Resource Center and CyberScout,” Identity Theft Resource Center, 19 Jan 2017. Web. 06 Jun 2017.
[7] “Fifth Annual Study on Medical Identity Theft,” Ponemon Institute, Feb 2015. Web. 06 Jun 2017.
[8] Finkle, Jim, “J&J warns diabetic patients: Insulin pump vulnerable to hacking,” Reuters, 04 Oct 2016. Web. 06 Jun 2017.
[9] “‘Major disruption’ as UK hospitals hit by cyber attack,” Al Jazeera, 13 May 2017. Web. 13 Jun 2017.

Authors:

Parola Analytics
jsaulon@parolaanalytics.com