Would More Telehealth Bring New Privacy, Security Concerns?
Expansion of Medicare Payments for Telehealth Services Proposed
As part of a sweeping plan to "modernize" Medicare, federal regulators are proposing to expand reimbursements for telehealth services. But what are the potential privacy and security concerns that healthcare providers need to address if they offer more telehealth services to patients?
The Centers for Medicare and Medicaid Services on Thursday issued a 1,473-page proposed rule aimed at "reducing the burden of paperwork that clinicians face when billing Medicare" and "restoring the doctor-patient relationship."
Besides expanding payments for telehealth, other proposals include streamlining electronic health records documentation required for Medicare billing and "promoting interoperability" to support greater digital record exchange between clinicians and patient access to their health information.
The proposals "deliver on the pledge to put patients over paperwork by enabling doctors to spend more time with their patients," CMS Administrator Seema Verma says.
In terms of "advancing virtual care," CMS is proposing to expand the types of telehealth services that are reimbursable by Medicare. CMS currently reimburses only for certain limited services, including those involving emergency department consultations, end-stage renal care and critical care.
But under its proposal, CMS would expand reimbursable telehealth to include virtual "check-in" visits with patients, clinician evaluation of patient-submitted photos and telehealth services for prolonged preventive services.
"CMS is committed to modernizing the Medicare program by leveraging technologies, such as audio/video applications or patient-facing health portals, that will help beneficiaries access high-quality services in a convenient manner," Verma says.
"Getting to the doctor can be a challenge for some beneficiaries, whether they live in rural or urban areas. Innovative technology that enables remote services can expand access to care and create more opportunities for patients to access personalized care management as well as connect with their physicians quickly."
Telehealth services can carry many of the same privacy and security risks, including data breaches, that in-person healthcare services pose. Plus, these online services potentially pose additional risks.
"Telehealth introduces the complexity of multiple entities creating and sharing information about the patient and in different formats," says Mac McMillan, CEO of security consultancy CynergisTek. "Rules and procedures for handling these issues and ensuring the patient's record is complete and secure during and after the encounter will need to be addressed.
"You always have to consider privacy and security when transmitting sensitive data, but the emphasis should be on managing risk and balancing that with the benefit."
Telehealth is critically important, especially in rural areas and those with large populations of the elderly and those with low incomes, McMillan notes. "It's not just a convenience issue; it is also a patient safety issue," he says.
Telehealth presents all of the same security issues as any other online transmission, such as the integrity of the connection and the need for encryption of the data, McMillan notes.
"But probably one of the most important issues will be availability - signal interference, interruption of transmission or outages ... causing a real issue if all of a sudden the telehealth link is not there," he says. So denial-of-service outages could present a greater risk to patients who depend on telehealth services, he notes.
McMillan says telehealth providers should consider taking a number of steps to ensure their patient encounters are private and secure.
Providers should ensure that all transmissions are encrypted and that remote connections have strong - preferably two-factor - authentication, he says. They should also make sure that private rooms are set aside for telehealth sessions and that redundant, multiple paths for connection, power and service are provided, he advises.
Susan Lucci, senior privacy and security consultant at tw-Security, asserts that telehealth services also pose other potential risks for patients.
"From the patient perspective, their own privacy and security practices with their owned systems should be top of mind," she notes.
For instance, are patients carefully managing the security of their own computer? Is the virus protection current? Are patients closely monitoring use of their machine to ensure the sites that are visited on the web are legitimate? These are all important considerations in protecting patient information and privacy, she notes.
"People using a wireless network at home must minimally be using WPA-2 encryption protocol and complex passwords to prevent others from gaining access," she says.
"All of these extra steps should be taken by any individual who intends to have a more secure experience when participating in a telehealth encounter. It is certainly essential that healthcare organizations providing these services do their part, and the patients must remember that vulnerabilities may be present on their home device."
Would expansion of Medicare funding for telehealth services increase the potential risk for billing fraud?
"Telehealth is just another avenue for fraudsters," McMillan says. "Unfortunately, fraud finds everything we try to do positive for the patient. Individuals charging for telephonic visits that did not happen, prescribing drugs without a consult - the [list of possibilities for fraud] is endless, and there are many in the legal field discussing these risks.
"Some say telehealth may make [care] too convenient and therefore promote more fraud. Again it's a risk the industry has to manage and weigh against the good that telehealth can do."