Telemedicine and Cyber Security
The Health Information Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of your personal health information (PHI). HIPAA includes several rules and provisions that set guidelines and requirements for the administration and enforcement of HIPAA. The relevant ones for the exchange of PHI in the digital cyberspace are the Privacy Rule1, the Security Rule2, and the aptly named Health Information Technology for Economic and Clinical Health (HITECH) Act3.
Telemedicine is a burgeoning field of medicine that incorporates digital technology such as electronic health records (EHR), information sharing, and videoconferencing to enhance the interaction between physicians and their patients, and ultimately, improve the delivery of healthcare. Having been a plastic surgeon for several years now, I’m all too familiar with meeting people at social events, and immediately getting bombarded with intrusive and unusual questions and requests as soon as my chosen profession is ousted. Sure, it’s unlikely that a woman will disrobe and expose herself in front of me and my wife at a friend’s dinner party, but get us into an online “private” videoconference call, and who knows what body parts will make an abrupt entrance into the conversation. Physicians must approach with caution, says American Academy of Facial Plastic and Reconstructive Surgery (AAFPRS) President Stephen S. Park, M.D. in a recent article4. But, for me and most physicians I know, I feel like the cat is already out of the bag. Considering the amount of texts, emails, online chats, phone conversations over internet and satellite lines, and selfies of both pre- and post-op patients I’ve been privy to, I’m sure I’ve already broken too many laws, and completely disregarded the good doctor’s advice. The truth is, though, that we’ve only begun to scratch the surface.
Telemedicine may involve the electronic exchange of PHI which is protected under HIPAA law. Security considerations with telemedicine involve making sure unauthorized third parties cannot eavesdrop on or record a videoconferencing session where sensitive PHI is transmitted seamlessly, and unfortunately, innocently. Recently, a monumental data breach at one of the nation’s largest insurance providers has spurred a bipartisan political effort to reexamine HIPAA as it relates to telemedicine, possibly adding costly and cumbersome requirements to encrypt EHR data5. Additionally, a recent report done by BitSight Technologies, a cyber security risk analysis and management firm, found that healthcare and pharmaceutical companies ranked the lowest among the four industry categories studied6. Suffice it to say, people are taking heed of this emerging new threat.
The aforementioned laws, rules, and regulations guide the generation, maintenance, and implementation of telemedicine HIPAA compliance. We must be cautioned, though, that HIPAA compliance does not necessarily equate to actual cyber security, and that simply meeting standards set forth in these regulations may not be enough. As more public attention and scrutiny rise to the forefront of media exposure, look for the healthcare industry to take the cyber security threat much more seriously.
Daniel Kaufman, MD
Discreet Plastic Surgery