At the beginning of the pandemic, telehealth was new to providers and patients. When the shift to remote care began, there were many ways to provide patient care virtually. Nearly three years later, telehealth is still very much a standard of care. However, the standards around protecting patient information have changed and many providers have not made the shift to providing such care in a secure manner.
Here are some best practices for providers to keep in mind when it comes to telehealth. We are providing this guidance based on the paid version of Zoom specific to health as it utilizes secure technology.
- Do not share login credentials or accounts with anyone. Each staff member utilizing the telehealth solution should have their own login and password. Once you share credentials or accounts, you are no longer in control and have created unnecessary risk.
- Create a unique link for every meeting. If you use the same meeting link over and over, you risk someone sharing the link with unintended guests. Using a unique link each time you set up a meeting or care session is the best way to ensure you only have the required patient(s) in the meeting.
- Require a passcode for every meeting. Meeting passcodes are an added layer of security that ensures only the intended patients have access to your meetings. As a reminder, you should never share passcodes, and it is a good idea to remind your patients and staff to do the same.
- Use the ‘waiting room’ feature. This feature allows you to admit patients individually, ensuring they will not be in another patient’s session.
- Set up authentication profiles. Authentication profiles can be configured on the provider side of the application. In addition to letting you restrict who can use the application, they allow you to enforce other security standards (such as the waiting room and a required passcode to enter).
- Disable participant screen sharing. This is the best way to safeguard PHI from being shared unintentionally. If you are screen sharing, be sure to close out all other applications that display patient or any other sensitive data to ensure a breach does not occur.
- Lock the meeting after you start the session. When you lock the meeting, unwanted attendees will be unable to enter the meeting or even the waiting room.
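
The checklist above can be verified after the fact by auditing session records. The following is an added example, not part of the original article and not Zoom's own code; the record layout and field names are hypothetical and would need to be mapped to whatever your platform actually exports.

```python
from collections import Counter

# Expected value for each per-session control from the checklist above.
# Field names are hypothetical; map them to whatever your platform exports.
REQUIRED = {
    "passcode_required": True,
    "waiting_room": True,
    "participant_screen_share": False,
    "locked_after_start": True,
}

# Constructed sample records (not real data).
SESSIONS = [
    {"session": "s1", "meeting_id": "111", "passcode_required": True,
     "waiting_room": True, "participant_screen_share": False,
     "locked_after_start": True},
    {"session": "s2", "meeting_id": "222", "passcode_required": False,
     "waiting_room": True, "participant_screen_share": False,
     "locked_after_start": True},
    # "waiting_room" is deliberately absent from this record.
    {"session": "s3", "meeting_id": "222", "passcode_required": True,
     "participant_screen_share": True, "locked_after_start": True},
]

def audit(sessions):
    """Return {session: [failed controls]} for sessions that miss the checklist."""
    uses = Counter(s["meeting_id"] for s in sessions)
    findings = {}
    for s in sessions:
        # A missing field fails the check: no evidence of a control is not a pass.
        failed = [f for f, want in REQUIRED.items() if s.get(f) is not want]
        # The checklist calls for a unique link per meeting, so any reuse is flagged.
        if uses[s["meeting_id"]] > 1:
            failed.append("meeting_link_reused")
        if failed:
            findings[s["session"]] = failed
    return findings

if __name__ == "__main__":
    for session, failed in audit(SESSIONS).items():
        print(session, "->", ", ".join(failed))
```

Treating a missing field as a failure keeps an incomplete export from being read as a clean audit.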
By implementing these simple controls and policies, you are doing your part to protect patient data. If a breach were to occur, the loss of patient trust is irrevocable. For more information on how you can protect ePHI with a HIPAA security risk assessment, contact us today.