Privacy and Security concerns in Telehealth
Telehealth is a speedily progressing aspect of healthcare, which involves the use of technology in advancing patient care. Telehealth can be defined as an electronic application that uses telecommunication and information technologies in the sustenance of distant patient care. It also plays a crucial role in specialized health-associated education, health administration, and public health, which includes the use of interactive and specialized equipment aiming at health promotion, prevention of disease, consultation, diagnosis, and therapy (Cason & Brannon, 2011). It, however, does not include passive or interactive communications over media such as the internet, fax lines, or email for communicating broad-based issues in nutrition, which does not involve recommendations or interventions for personalized nutrition. However, people’s trust in Telehealth may be unfavorably affected by concerns about its privacy and safety as well as threatening the capability of these systems to advance the convenience, quality, and efficiency of health care. To ensure reliable safety and privacy protections, more broad principles and regulations are needed for Telehealth and electronic consumer information.
The primary aim of Telehealth is to make patient care as effective and efficient as possible. Several scores have been achieved by incorporating technology into healthcare, and these are improving every day with different innovations coming up. The scope of Telehealth ranges from the hospitals, doctor’s office, and patient homes adjusted to patient privacy concerns. Some of the applicable devices enabling Telehealth today include videophones, telephones, computers, among other monitoring devices and equipment (Holt et al., 2012). Through such technology, patients are now able to enjoy different aspects of medical care at the comfort and convenience of their homes. Nurses as well are able to monitor the patient under home-based care with high levels of efficacy. In essence, it is an evolving area in health care provision, which, to an extent, poses significant challenges, among them privacy and security concerns.
Telehealth seeks to promote the management of patients and the patient’s data. Research studies outline that patients who have been diagnosed with heart failures tend to experience weight gain or, in some cases, increased blood pressure (Fischer, Clark, Askings & Lehman, 2017). Further, these patients are most likely to involve in other negative medical outcomes, which translates to more expensive hospitalization at later stages. However, if the presenting symptoms of these patients are carefully monitored based on a daily program, the diseases presenting can be diagnosed at their early stages, thus preventing the expensive hospital visitation and, to an extent, the patients’ lives can be saved.
However, there could be a great challenge in the accomplishment of the Telehealth objectives if severe security and privacy issues are not looked into. For instance, the devices that are positioned in patient’s residents or the interface that are in the patient’s body are supposed to perceive security concerns and medical crises but could unconsciously convey delicate information about the activities being carried out in the households. Likewise, continuous transmission of data form an application or health device, a good example of being an insulin pump, can be used by third-party publicists. Devoid of enough safety and safeguarding the secrecy of the telehealth info and systems, benefactors and patients will have no trust in the usage of Telehealth. Despite Telehealth having established national guidelines for its privacy and security, many shortcomings still exist. Currently, there is no national organization empowered to endorse confidentiality and safety necessities to protect the Telehealth network.
Privacy is normally the laws of the land of the operating guidelines that execute Fair Information Practice Principles (FIPPs). FIPPs are broadly acknowledged as observes that include the liability to acquire an individual’s health data and appeal for rectifications; restrictions on the gathering of information, usage and revelation; and workable chances to make choices about an individual’s health data (Hale & Kvedar, 2014). Giving persons the choice of data sharing is among the FIPPs, reinforced by other FIPPs that require the owners of the data to start in addition to abiding by the contextually apt limits of information access, use, and release.
The Health Insurance Portability and Accountability Act (HIPAA) is among the federal laws aimed at implementing the above principles (HIPAA Journal, 2018). However, it should be noted that existing regulations do not satisfactorily cover the telehealth setting. As a result, there is no guaranteed right for individuals in addition to the little capability to demand prints of data collected by applications or home checking devices. The use of information, as well as revelation, is mostly determined by technology firms with limited legal restrictions or important opportunities for folks to control the flow of information.
Possible Privacy Risks
Some of the Telehealth privacy threats are; absence of control or confines on the assemblage, usage, and disclosure of information that is personally sensitive. Similarly, there could be an accidental collection of information about events in households by the sensors in the home or by the device found in the patient’s body. Additionally, the data transmitted regularly from the health device may be accessed by the device builder apart from the health caregivers. There is a risk of the health app being financed by third-party advertisers who have targeted ads to patients who use the app (Dorsey & Topol, 2016). They could have access too, to possibly crucial data of patients. These could be far from what the patients expect concerning the collection, usage, and disclosure of their information. It is patients’ permission to have a medical device embedded or sensors fixed or for the use of a health app. However, there could be overreliance that, in most cases, would result in compromising privacy securities. Obviously, patients rarely read and understand policies concerning privacy. The liability of privacy protection is transferred to the patient by consent. The patients may not be in a position to make significant privacy choices.
For an archetypal telehealth structure where a healthcare benefactor links with patient, pertinent risks include; breach of privacy, especially during a gathering of sensitive information or during communication to a system of the provider and illegal access to the functionality of supportive devices together with information stored in them. The relevant threat also includes an illegal supply of hardware and software to the patient. There are cases where illegal software that includes file-sharing software installed by the workers in the health care system leads to the breach of health info and may lead to theft of medical identity.
Existing technical controls have the potential of protecting against the above security risks. For instance, data encryption, whereby data/information is locked electronically using intricate mathematics as well as encryption “keys” can be used to warrant that incase an invader accesses the information; the raw data is futile. There exist numerous practical data encryption types. They include when information is at rest, which is when it is being stored when the data is on transit, and from end to end, whereby the state of the data does not influence the encryption. In-transit, as well as at-rest encryption, normally depend on encryption approaches offered by browsers and operational systems. These approaches are typically outside the Telehealth software. With end-to-end encryption, it is possible to directly incorporate the encryption to the Telehealth application.
On the other hand, encryption of data at rest guarantees that in cases where an invader dodges access control, the information loses its meaning—encryption of data in transfer warranties that data have no meaning if the communication is interrupted. In end-to-end encryption, the unencrypted data is available at the endpoints only and not in between.
It is worth noting that, with encryption, any person with the right key has the ability to retrieve important facts. Admission to the primary info system can also be measured by the use of verification and the access control mechanisms that limit entry to data based on the individual accessing the information within a firm. Moreover, medical as well as buyer devices which patients normally use for Telehealth requests can cause severe threats since the strategies comprise several security faults that are continually threatened to be attacked by, for example, malware. Mobile platforms play a role in controlling this by prohibiting the connection of software that is yet to be scrutinized and accepted.
Another safe mechanism for Telehealth software, together with the devices that are used, includes giving the devices to patients in a face-to-face position. This is important now, enabling the provider towards establishing the patient’s identity then authenticate the device he/she is consuming. By so doing, providers develops an understanding that they are by no means presenting security threats by accepting information from a possibly insecure patient’s device, since a safe position, and patients have reassurance the hardware and software are of good quality since they interrelate with a qualified provider to acquire, connect and configure the device.
HIPAA Guiding Principle on Telehealth
Communicating ePHI at Distance
The HIPAA strategies on Telehealth have an impact on the health expert or healthcare group that offers distant services to patients in their households or their communities. Wrongly, many people have a belief that passing information on ePHI at a distance is suitable when the communiqué is between the patient and the doctor (Luxton, Kayl & Mishkind, 2012). Apparently, this s the same thing HIPAA Privacy Rule would suggest.
Nonetheless, the medium of passing information that is used for sharing ePHI remotely is similarly very vital as long as the health experts and healthcare providers would meet the terms of the HIPAA procedures on Telehealth.
This section of the HIPAA procedures on Telemedicine is included in the HIPAA Security Rules.
Only users who have been authorized should have the right to ePHI. In this case, realistic and suitable measures should be used to deter ePHI from being revealed to any party that is not authorized.
A model that secures communication should be put in place in order to safeguard the integrity of ePHI. This would mean that some means of passing information, such as email, Skype, and SMS, should cease from being used for communicating ePHI at a distance.
Lastly, model checking communications containing ePHI also need to be effected to avert unintentional or malevolent breaches. There should be a mechanism in place in every system communicating ePHI to monitor and, if necessary, remotely erase the communications.
Why you should not use SMS, Skype or Email for Telemedicine
When a medical profession or a healthcare provider, which can be referred to as a covered entity, create an ePHI and third party stores it, the covered entity is supposed to hold a Business Associate Agreement with that party that is storing the data. Means of ensuring protection and consistency auditing should be included in the agreement for data security (Yang & Silverman, 2014). This would also ensure that Telehealth is compliant with the HIPAA procedures on Telemedicine. In cases where the covered entities will not be in agreement with the communication service providers, they will be responsible for any breach of ePHI in case it occurs due to non-compliance.
HIPAA Compliant Telehealth
There exist some choices for the healthcare providers who would wish to offer HIPAA compliant Telehealth services for patients. However, the options tend to be complex and costly. For instance, Microsoft can provide the physician with an Agreement of Business Associate in case they would want to use Skype, which is HIPAA compliant for the service of video. Nonetheless, the patient is needed to have an account that is connected to cloud-based Skype for this service.
The cost associated with the service is quite high and may discourage many patents from wanting to use a HIPAA compliant Telehealth. There are, though, some cheaper options, but they provide inadequate quality for accuracy in diagnosing patients’ complaints.
Better Solutions for communicating ePHI at Distance
A good number of health care providers have opted to utilize a safe messaging solution in order to ensure compliance with the HIPAA procedures on Telehealth. Safe and sound messaging solutions provide similar promptness and expediency as Email, Skype, and SMS, but more preferable because it complies with the Security Rule by only giving the right to authorized users to access ePHI (Dorsey & Topol, 2016). It also implements a safe means of communication, as well as monitoring activities on this channel.
These solutions for communicating ePHI remotely operate through easy-to-operate apps, which are the alike interface to other commercial messaging apps (Luxton, Kayl & Mishkind, 2012). Healthcare professional will be therefore quite familiar with. Every single approved user logs into their specific app through a username that is centrally issued and a secret word. Communication can be done with other official users that are within the covered organization message system.
All information that includes images, documents, and videos are encrypted to ensure that they cannot be read or used in case any message is interrupted through a public Wi-Fi. Safe measures are implemented, preventing ePHI from being leaked out of the covered organization’s private network either by accident or with a wrong motive. To ensure that messaging policies or observed, all activities are monitored all through a cloud-based policy.
Communicating with patients using secure messaging
To communicate with patients, healthcare providers have a choice of making patients authorized users by giving them access to the network through a secure messaging app (Baker & Bufka, 2011). Workers at the health centers and community doctors can use secure messaging apps to communicate vital patients’ information and escalate patients’ worries privately, adhering to the HIPAA guidelines.
Advantages of using secure messaging solutions
EPHI can be sent and received securely at a go by a medical professional in the community using secure messaging.
Attachment of images to the secure message can be done, which can make diagnosis and treatment more effective.
A lot of time is saved, especially in emergency cases and patients’ discharge.
Accountability is increased due to automatic notifications delivery and read receipts.
Risk management is made easier as a result of access reports.
Communication of ePHI remotely using protected messaging guarantees that communications are sent to the right recipients, reducing time lost when conveying information and waiting for a response. It also safeguards the reliability of ePHI and complying with the HIPAA requirements on Telehealth.
In most cases, the health information systems and their evaluation are referred to as the most challenging activities in health care and provision due to privacy and security concerns they outline in general. So far, there is no agreed basis on the most appropriate ways of evaluating or what and how to evaluate this information (Tuckson, Edmunds & Hodgkins, 2017). Additionally, there are no tangible paradigms within which to proceed or who to involve. As a result, Telehealth presents unique challenges in care provision. Several technologies involved in Telehealth as well are yet to mature, and a good number are at the prototype stage. Therefore, clinical care and other aspects of medical care involving the use of technology must be approached with care not to violate the security as well as privacy concerns of both the patients and care providers.
Advantages and Disadvantages of Telehealth
Despite the security and privacy concerns, Telehealth has promoted an effective and efficient information distribution between health care providers and patients who, in most cases, are not within reach. The involvement and utilization of these technological developments have indicated cost-efficacy and the provision of better health outcomes, especially for chronically ill patients (Yang & Silverman, 2014). Additionally, Telehealth has been at the center of increasing care delivery in remote areas where access to health care is quite a milestone. Contextually, Telehealth has acted as a bridge between the health providers and patients, thereby increasing care delivery. Besides, it is a form of extension of basic health care in that access between care providers and patients is increased.
In as much as Telehealth might spark some optimism, several players in the industry still outline significant concerns, which are, to some extent, quite realistic. The contemporary aspect of Telemedicine for that matter has come a long way, but it has flaws. Additionally, the regulatory landscape has been struggling to keep up with the rapidly growing field of telehealth technology. Amidst all the associated challenges, the continuous developments in Telehealth require the continued necessity for streamlined and clearer standards as well as policies to govern practice in Telehealth and to allow efficient implementation for the stakeholders, including doctors.
First, it should be noted that several states in the United States of America do not allow qualified physicians to practice in other states without acquiring a license first. Such challenges are classified under regulatory and industry barriers. The variations of regulations in the field of Telehealth from state to state are a challenge to decipher for practitioners planning to move from one state to the other. It becomes harder because several physicians do not see the need to figure out the requirements of telemedicine guidelines in their area and how they can meet the same. Besides, many telemedicine equipment and facilitators tend to fall in the grey area as far as security is concerned, and this might pose risks to patent privacy if not adequately protected (Balestra, 2018). Telehealth is further affected by the fact that there exist problems such as lack of interoperability in electronic health records. As a result, most practitioners indicate reluctance in Telehealth though it is an industry that is constantly in flux.
It is a fact that Telehealth promotes the provision of health care in remote areas. Therefore, it is an advantage, especially in monitoring chronic patients, following up on therapy appointments, and in offering post-operative care. These services are based on software and hardware, which are costly. Besides, the use of these advancing technologies requires further training for the medical practitioners and, in some cases, presents the need for acquiring additional staff. Another disadvantage evident in Telehealth is that most technological equipment is prone to technical glitches, which can halt communication. Other glitches associated might, to an extent, paralyze service delivery in health completely, resulting in negative patient outcomes. As a result, the risks involved might prompt several physicians to steer clear of telehealth platforms.
In conclusion, Telehealth is a swiftly developing and rich area of mobile computing and networking that is quite promising in the improvement of health care. However, some risks concerning privacy and security are likely to undermine this potential. To address these privacy and security concerns, it is imperative for Congress to authorize federal telehealth privacy (FTC) and security protections. This will play a great role in helping avoid conflicting state-based regulations in addition to assuring the realization of the benefits that come with Telehealth.
Originally, secure messaging solutions were established to enable messaging compliance with HIPAA (Luxton, Kayl & Mishkind, 2012). However, it has resulted in a lot of benefits that have improved the workflow of healthcare providers, reducing the cost of service provision, and improving the quality and standards of care given to patients. It is now easy and pleasant for healthcare organizations to comply with HIPAA guidelines. Through these guidelines, measures have been introduced to secure the reliability of API. In a short period of time, all healthcare organizations offering telemedicine services will be communicating ePHI using secure messaging.
It is postulated that FTC is the state organization that is suitable for managing the industry. FTC needs to expedite the embracing by Telehealth firms of voluntary telehealth security and privacy rules that can be enforced by FTC through the authority that is in existence. The agency should be authorized in such a way that it can advance its guidelines if voluntary efforts become unproductive. In order to realize Telehealth’s full capability, providers, as well as patients, should rely on Telehealth systems keeping individual data private and protected. Therefore, it is important to identify the privacy and security risks of Telehealth systems and offer recommendations that are vital in establishing and maintaining the integrity of Telehealth systems using an all-inclusive guiding framework established and enforced by the Federal Trade Commission (FTC).
Baker, D. C., & Bufka, L. F. (2011). Preparing for the telehealth world: Navigating the legal, regulatory, reimbursement, and ethical issues in an electronic age. Professional Psychology: Research and Practice, 42(6), 405.
Balestra, M. (2018). Telehealth and legal implications for nurse practitioners. The Journal for Nurse Practitioners, 14(1), 33-39.
Cason, J., & Brannon, J. A. (2011). Telehealth regulatory and legal considerations: Frequently asked questions. International Journal of Telerehabilitation, 3(2), 15.
Dorsey, E. R., & Topol, E. J. (2016). The state of Telehealth. New England Journal of Medicine, 375(2), 154-161.
Fischer, A. J., Clark, R., Askings, D., & Lehman, E. (2017). Technology and telehealth applications. In Applied behavior analysis, advanced guidebook (pp. 135-163). Academic Press.
Hale, T. M., & Kvedar, J. C. (2014). Privacy and security concerns in Telehealth. AMA Journal of Ethics, 16(12), 981-985.
HIPAA Journal. (2018). HIPAA Guidelines on Telemedicine. [online] Available at:
Holt, B., Faraklas, I., Theurer, L., Cochran, A., & Saffle, J. R. (2012). Telemedicine use among burn centers in the United States: a survey. Journal of burn care & research, 33(1), 157-162.
Luxton, D. D., Kayl, R. A., & Mishkind, M. C. (2012). mHealth data security: The need for HIPAA-compliant standardization. Telemedicine and e-Health, 18(4), 284-288.
Tuckson, R. V., Edmunds, M., & Hodgkins, M. L. (2017). Telehealth. New England Journal of Medicine, 377(16), 1585-1592.
Yang, Y. T. & Silverman, R. D. (2014). Mobile health applications: the patchwork of legal and liability issues suggests strategies to improve oversight. Health Affairs, 33(2), 222-227.