Thursday, 4 June 2020

Telehealth and HIPAA Compliance in the COVID-19 Crisis and Beyond

A prophetic vision for the future of teledentistry was cast over twenty years ago. “Teledentistry is a rapidly forming subset of telehealth, a field that already has a considerable impact on the healthcare industry. Recent advances have created new opportunities for teledentistry, and changes in diverse technologies have created new tools for the practitioner. Technologies currently available are beginning to change the dynamics of dental care delivery. As teledentistry evolves, it will offer new opportunities to improve the level of patient care and reshape current business models.”

While advances have been made in the area of telehealth in general, stringent HIPAA regulations had slowed or halted the technology’s advancement until the advent of COVID-19. In anticipation of a massive pandemic that would cause patients to flood the health care system, HIPAA relaxed some of the more restrictive regulations that made little sense in the age of VoIP, Zoom, cybersecurity, and the VPN.

Dental practices are utilizing telehealth technology solutions to address patient concerns, but HIPAA compliance, patient confidentiality, and cybersecurity issues must be addressed. In light of the current COVID-19 situation, the American Dental Association has released video teleconferencing guidelines to protect patient privacy while at the same time providing a friendly and caring patient experience.

The ADA Addresses Telehealth and HIPAA Compliance Issues

Are dental practices legally vulnerable when using teleconferencing technology to see patients? The American Dental Association is offering recommendations for best practices to address the issue of HIPAA compliance as it relates to telehealth. “The Office for Civil Rights (OCR) may waive penalties for dentists who fail to fully comply with HIPAA requirements when communicating with patients via video-teleconferencing during the pandemic providing they act in good faith and do not use public-facing video communication applications.”

Dentists who use video-teleconferencing to see patients during the COVID-19 pandemic “will not be subject to penalties for HIPAA violations by the Office for Civil Rights (OCR) even if the communications do not fully comply with HIPAA requirements, provided the dentists act in good faith and do not use public-facing video communication applications. See COVID-19 Interim Coding and Billing Interim Guidance. State law restrictions may continue to apply.”

Some important observations from the ADA statement can be summed up as follows:

  1. In good faith, make every effort to be HIPAA compliant. Intentionality has a bearing on the matter.
  2. Mistakes will be made, but good faith mistakes may not be penalized during a crisis.
  3. Public-facing applications are not acceptable under any circumstances. Dentists should exercise due diligence in discovering and implementing secure teleconferencing technology.

Outsourcing IT management, including telehealth technology, to a highly competent firm is a requisite for doing business in this new environment. Failure to manage IT cyber vulnerability is no excuse for HIPAA non-compliance or errors. Although some guidelines have been broadened, dentists should strive to stay clearly within the new boundaries. Seeking outsourced IT management for teledentistry activities constitutes legitimate effort on the part of the dentist to be HIPAA compliant.

The ADA Offers Guidance on Video Teleconferencing Cybersecurity

The ADA statement also provided specific guidance on using Zoom, which appears to be the most favored teleconferencing tool emerging from the COVID-19 shakeup. On April 4, OCR shared an update from the Cybersecurity and Infrastructure Security Agency (CISA) advising dentists to take these steps to improve video teleconferencing cybersecurity.

First, meeting privacy is to be ensured by either requiring a password for entry or controlling guest access from a waiting room. Second, when selecting vendors, dentists should consider security requirements. For example, if end-to-end encryption is necessary, the dentist should ask if the vendor offers it. Failure to have this cybersecurity measure in place could be a reason to refuse the vendor or to terminate the vendor relationship until sufficient cybersecurity measures are in place. Third, dentists (and all healthcare providers who must be HIPAA compliant) should have video teleconferencing software that is up to date. The ADA statement advises dentists to review Understanding Patches and Software Updates.

OCR also shared an FBI warning concerning hijacking that may occur when using video-teleconferencing platforms. One such example is Zoombombing. The ADA statement communicated the FBI warning, which included five steps to help reduce teleconference hijacking threats.

  1. Meetings or classrooms should not be made public. Zoom provides two options to make a meeting private. The host can either use a meeting password or use the waiting room feature to control the admittance of guests.
  2. Do not share a link to a teleconference or classroom on a social media post that is unrestricted and publicly available. Provide the link directly to specific people.
  3. Manage screen sharing options carefully. In Zoom, change screen sharing to “Host Only.”
  4. Make sure the updated version of remote access/meeting applications is being used. In January 2020, Zoom updated its software and added passwords by default for meetings. The update also disabled the ability to randomly scan for meetings to join. This blocking feature reduces the likelihood of unwanted guests in a Zoom meeting.
  5. An organization’s telework policy or guide must address requirements for physical and information security.

Conclusion

These recommendations should be reviewed carefully, fully understood, and taken seriously. Honest mistakes will not be ignored entirely; the consequences may only be less punitive. Blatant neglect and malfeasance will be held accountable. Embracing managed IT services that include VoIP, a teleconferencing application, a robust cybersecurity protocol, and other IT solutions and services makes sense for all healthcare providers, especially dentists.

For more information about HIPAA compliance, telehealth, and overcoming the IT challenges of the COVID-19 crisis, visit the Mobile Computer Services, Inc. of Wake Forest website at ncmobilecomputerservices.com/locations/wake-forest. To speak with an IT services professional in Wake Forest, call (919) 230-2900.

This blog post was originally published as Telehealth and HIPAA Compliance in the COVID-19 Crisis and Beyond and is republished from the Mobile Computer Services, Inc. blog in North Carolina.