This article addresses how to track telehealth policies while addressing HIPAA compliance and mobile device management as the United States enters a post-pandemic era. The information is an overview and should not be used as legal or consulting advice. Healthcare providers need to look toward long-term telehealth policies, ensure compliance, and realize there is remaining work to be done.
Scroll to the end of this article for "Basic Telehealth Terminology" if you are new to telehealth or if you are a mobile device app developer!
Most Providers Utilize Audio-Only Telehealth
More than two-thirds of providers utilizing telehealth use audio-only, according to a recent Telehealth Survey conducted November 2021 through December 2021 by the American Medical Association (AMA). According to this survey, 85% of physician respondents indicate they currently use telehealth. Those reporting a decrease in use since first offering it now indicate doing a mix of in-person and virtual care. Of physicians using telehealth, the trend indicates 93% are conducting live, interactive video visits with patients and 69% are doing audio-only visits.
Considering this survey and other reports on audio-video services, concerns seem to focus on potential overutilization, equity, and quality of care.
A concern expressed to AIHC by our Compliance and HIPAA Officer members surrounds mobile devices used by providers and practice managers, and the organization's responsibility to comply with applicable rules, regulations, and mobile device policies.
How Do Policies Apply?
If your providers use a mobile device to access an organization's internal network or system, the policies and procedures of the owner of that network or system apply to your use of the mobile device to gain such access. It is your organization's responsibility to understand and follow that organization's policies and procedures.
If an organization allows providers and professionals to use mobile devices for work, the organization should have reasonable and appropriate mobile device policies and procedures. The policies and procedures should describe any configuration requirements for mobile devices used by providers and professionals for work. It is your responsibility to understand and follow your organization's mobile device policies and procedures.
But, what about using personally owned mobile devices for work?
"Bring Your Own Device" or BYOD refers to using a personally owned mobile device for work. Providers should be reminded to let their organization know when they want to use a personally owned mobile device. Many organizations have centralized security management to make sure mobile devices accessing their internal networks or resources are compliant with their security policies.
Centralized security management includes:
- Configuration requirements, such as installing remote disabling on all mobile devices; and
- Management practices, such as setting policy for individual users or a class of users on specific mobile devices.
It is the provider's responsibility to understand and follow the organization's mobile device policies and procedures. Registering the provider's mobile device with the organization allows the organization to control who has access to its network or system and will keep unauthorized persons from accessing its network or systems.
Registering these mobile devices with your organization may also help the organization or law enforcement find your mobile device if it is lost or stolen. Providers should be directed to contact their organization's Privacy Officer or Security Officer to register their mobile device.
Drawing on Step 4 of ONC's 5-Step Process to Manage Mobile Devices Used by Health Care Providers & Professionals, the list of questions below is one way to take inventory of the safeguards potentially needed to address risk areas.
Mobile Device Management
- If your organization allows the use of mobile devices, what should the organization do about managing the use of mobile devices?
- Has the organization identified all the mobile devices that are being used in the organization? How is the organization keeping track of them?
- Has the organization assigned responsibility to check all mobile devices used for remote access, to find out if selected security/configuration settings are enabled?
- Should there be a regular review and audit of the mobile devices?
Misuse of Mobile Devices
- Does the organization have written procedures for addressing misuse of mobile devices?
- If so, what are the consequences when a mobile device is misused and the incident poses risk of a data breach?
Should the Organization Allow BYOD?
- Is this a policy already in place, where providers are using their own devices?
- Should the organization let providers and professionals use their personally owned mobile devices within the organization?
- Should providers and professionals be able to connect to the organization's internal network or system with their personally owned mobile devices, either remotely or on site?
Restrictions on Mobile Device Use
- Does the organization restrict how providers and professionals can use mobile devices?
- Can providers and professionals use mobile devices to access internal networks or systems, such as an EHR?
- Are providers and professionals restricted from using mobile devices when they are away from the organization?
- Can providers and professionals take their mobile devices home?
  - Should the organization allow texting or emailing of health information?
  - If so, is there encryption allowing compliant texting and emailing from the mobile device?
Security/Configuration Settings for Mobile Devices
- Will the organization institute standard configuration and technical controls on all mobile devices used to access internal networks or systems, such as an EHR?
- If so, is the organization's current mobile device configuration documented, including connections to other systems/applications inside and outside of the firewall?
Information Storage on Mobile Devices
- Are there restrictions on the type of information providers and professionals can store on mobile devices?
- If so, where and for how long should the data be stored?
- Are providers and professionals allowed to download mobile applications to mobile devices? If so, what type(s) of applications are approved?
Recovery/Deactivation of Mobile Devices
- Does the organization have procedures to wipe or disable a mobile device that is lost or stolen?
- Does the organization have standard procedures to recover mobile devices from providers and professionals when their employment or association with the organization ends?
Mobile Device Training
Training is always a challenge, but if your organization cannot achieve effective training and compliance, you may need to reconsider how telehealth is delivered to your patient population.
- How is the organization training its workforce (management, doctors, nurses, and staff) on policies and procedures?
- How does the organization hold its workforce (management, doctors, nurses, and staff) accountable for non-compliance?
What Additional Information Should I Know for Compliance?
Covered entities must comply with the HIPAA Privacy and Security Rules to protect and secure health information, even when using mobile devices as described above. Taking it a step further, healthcare leaders are responsible for ensuring that mobile device policies and procedures have been developed and properly implemented to protect the health information that patients entrust to you.
Make Tracking Audio-Only Policy Easy
A great resource is the National Telehealth Policy Resource Center, the Center for Connected Health Policy (CCHP). CCHP has been tracking audio-only policies across the country and offers access to state audio-only policies via CCHP's Policy Finder Tool.
As AIHC advises, another resource is legal advice through your malpractice insurance company. At no additional charge, a risk attorney can be made available to help review which policies impact your type of practice and organization.
Free HIPAA Compliance Resources
Another reliable resource is found at HealthIT.gov, the official website of the Office of the National Coordinator for Health Information Technology, otherwise known as "ONC." ONC offers basic guidance entitled "Five steps organizations can take to manage mobile devices used by health care providers and professionals": 1) Decide; 2) Assess; 3) Identify; 4) Develop, Document, and Implement; and 5) Train.
Does Your Organization Have a Trained (Certified) HIPAA Privacy/Security Officer?
Your HIPAA Compliance Officer can serve as the best resource to help your organization navigate the telehealth and mobile device compliance issues facing your providers today. AIHC offers an online course covering both privacy and security with the option of certification (proctored and administered online). The cost of certification is covered in the tuition price. Learn more at https://aihc-assn.org/courses/hipaa-compliance-officer/.
It is highly recommended that mobile health app developers and Managed Service Providers (MSPs) have an in-house HIPAA Compliance Officer contributing input to ensure technology is compliant.
Are You a Mobile Health App Developer?
Integrating protections into your technology to create HIPAA-compliant products is necessary for your company to succeed. Healthcare providers are subject to the HIPAA rules as covered entities to protect identifiable health information when it is created, received, maintained, and/or transmitted. These protections are required under Federal and State Privacy, Security, and Breach Notification Rules. A few basic resources to reference are:
- The Office for Civil Rights (OCR) HIPAA website devotes a webpage under Special Topics entitled "Resources for Mobile Health Apps Developers."
- The Federal Trade Commission (FTC) offers a webpage entitled "Mobile Health Apps Interactive Tool" to help you locate federal laws to follow.
For Beginners: Basic Telehealth Concepts
Telehealth is also referred to as Telemedicine. It is the use of telecommunications technology to provide healthcare services to persons who are at some distance from the provider. This type of patient encounter involves a spectrum of technologies.
Coverage and payment for telehealth can include consultation, office visits, individual psychotherapy, pharmacologic management, and other services delivered via an interactive audio and video telecommunications system.
- Providers are located at the distant site; and
- Patients are located at the originating site.
Provider at the distant site - As stated above, providers are at the "distant site," referring to where the provider is at the time of service. The provider can communicate with the patient using an interactive audio and video telecommunication system that permits real-time communication with the beneficiary.
When telehealth is used, it is rendered at the physical location of the patient, and therefore a provider typically needs to be licensed in the patient's state. During the COVID-19 public health emergency (PHE), many states waived this requirement or provided specific exceptions. See https://www.cchpca.org/topic/cross-state-licensing-covid-19/ for more information.
Medicaid programs often restrict the type of providers that can be reimbursed when delivering services via telehealth. During the COVID-19 PHE, the list of providers in Medicare and many state Medicaid programs expanded to include professionals such as occupational and physical therapists and speech-language pathologists. Federally Qualified Healthcare Centers (FQHCs) and Rural Health Clinics (RHCs) were also allowed to provide services in some cases. These policies are temporary, and most will expire at the end of the PHE.
I also recommend utilizing the Telehealth.HHS.gov website for providers: "Getting Started with Telehealth." This webpage provides many additional links to more resources your organization can use to navigate this complex topic.
Temporary telehealth policies during the PHE were implemented to provide improved access to healthcare during the COVID-19 pandemic. The federal government has been encouraging providers to use telehealth to conduct virtual appointments and has made the telehealth "rules" more flexible. For instance, audio-only delivery of care has rarely been reimbursed historically. But due to COVID and the PHE, temporary policies allow this modality to deliver some services.
The PHE is reviewed and potentially extended every 90 days. When the PHE ends, coverage for telehealth may change. Monitor these updates by using the CCHP website referenced earlier in this article, found at https://www.cchpca.org/.
Joanne Byron, BS, LPN, CCA, CHA, CHCO, CHBS, CHCM, CIFHA, CMDP, COCAS, CORCM, OHCC, ICDCT-CM/PCS, is CEO and Board Chair of the American Institute of Healthcare Compliance (AIHC). Joanne brings over 35 years of clinical and executive healthcare experience in areas of compliance, coding, documentation improvement, auditing, privacy, security, consulting, and administration. www.aihc-assn.org