
As Telehealth Services Expand, Beware of Data Protection and Cybersecurity Challenges

March 17, 2020

The COVID-19 (coronavirus) pandemic will unquestionably reshape how the world responds to disease outbreaks. Even before the spread of coronavirus, the shortage of qualified healthcare professionals, particularly in combination with the world’s aging population, was a chilling challenge requiring novel solutions.

Both medical professionals and politicians are now looking to telehealth as a potential means of reprieve, and the concept’s popularity is likely to rise in the wake of the world’s experience battling coronavirus.

Telehealth connects patients to vital health care services through videoconferencing, remote monitoring, electronic consults and wireless communications. While it can help provide much-needed care to vulnerable and hard-to-reach populations, telehealth also presents unique legal and regulatory compliance challenges, particularly in the data protection and cybersecurity realm.

HIPAA

Telemedicine must meet all the requirements of the Health Insurance Portability and Accountability Act (HIPAA), and the recently passed Coronavirus Preparedness and Response Supplemental Appropriations Act does not relieve organizations of this responsibility.

In order to comply with HIPAA’s privacy and confidentiality requirements, providers must use only fully encrypted data transmission and secure connections. This rules out SMS, unencrypted email and popular consumer videoconferencing tools.

It also raises unique concerns for patients using internet-connected devices to store and transmit information to their providers.

When medical professionals or healthcare organizations (covered entities) store electronic personal health information (ePHI) with a third party, the covered entity must have a Business Associate Agreement (BAA) with the party storing the data.

This agreement must include the methods the third party uses to ensure protection of ePHI and provide for the regular auditing of the data’s security. Large electronic service providers often will not enter into BAAs, so the covered entity would be liable for any fines or civil actions resulting from a data breach. The covered entity would also likely fail any HIPAA data security audit.

Data breaches and cyber scams

With the rise of telehealth also comes the rise of data breaches and cyber scams. As more communications are handled electronically, bad actors are able to trick victims into downloading malware, revealing sensitive information or misdirecting funds via phishing attacks.

The U.S. Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) has seen an uptick in cyber scams in the wake of the coronavirus outbreak.

Internet-connected devices present additional concerns, as the software and devices themselves may be vulnerable to malware and other attacks. If something is considered a medical device, it is also regulated by the Food and Drug Administration (FDA), which has issued broad guidance on the use of wireless technologies and certain mobile medical apps.

GDPR and CCPA

Companies should also reevaluate whether a novel use, processing, or storage of ePHI triggers or alters their obligations under certain data security laws, such as the EU Global Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

For example, how one handles ePHI in providing telehealth services could change a company’s categorization under the CCPA as either a “business” or “service provider,” resulting in changed legal obligations.

Key takeaways

  • Develop, update, and implement internal policies and procedures to ensure secure transmissions of ePHI and related data
  • Update data maps to reflect new telemedicine practices to evaluate applicability of the GDPR, CCPA and other data protection laws
  • Implement and/or update BAAs with any technology vendors with which ePHI is shared
  • Reevaluate risk allocation in software-as-a-service agreements and in contracts governing the use of internet-connected devices
  • Remind staff and consumers of data security best practices to reduce the risk of phishing and ransomware attacks

Our team will continue to share the latest developments and provide insights on the spread of coronavirus and its impact across sectors.