How do we Protect Patient Privacy in the Era of COVID and Telemedicine?

The COVID pandemic has accelerated our use of telemedicine and similar technologies. The healthcare sector has always looked to move forward with technological innovations. Unfortunately, financial challenges, concerns about patient privacy and the handling of health information slowed these advancements. 

However, COVID forced the healthcare industry’s hand. Healthcare systems had to find a new way to care for patients. Telemedicine allowed patients to reach their physicians, without the need for face to face contact but they necessitated the need for more digital systems. Patients could receive the care they needed, and it demonstrated the importance of technology in healthcare.

However, as with any new technology, there are concerns. Patient privacy is the number one priority for the healthcare industry. Apart from the concerns around protecting health information, HIPAA (The Health Insurance Portability Act) mandated that Protected Health Information (PHI) be stored, transferred and used in limited ways. HIPAA compliance and the HIPAA privacy rule had been seen as blockers for digital healthcare software. Digitalization was seen as a risk for medical practices and hospital groups.

However, the rise of telemedicine during the pandemic changed all that and accelerated the shift to the digitalizing of health information and the adoption of new healthcare software.

Telemedicine and Patient Data

When we think of telemedicine, we usually just think of a digital meeting with our doctor. But behind the scenes, there is a lot going on to facilitate that digital conversation. These processes range from encryption, to on the call itself, to backend systems, and to securely storing the patient data from the call.

Video consultations became much more frequent during the pandemic. The technology was particularly useful for ailments that could be assessed without a hospital or physician visit. Patients could be kept safe, but still receive necessary treatment. 

Video conferencing was also particularly useful for check-ins and post-op appointments, where possible. Physicians could make better use of their time, which was key during the pandemic. Simple check-ins consume time, but don’t always require in-depth assessment. Therefore, this was a key time-saving measure.

Health monitoring software and apps are also a type of telemedicine. This is another technology that has boomed in popularity

Prior to the pandemic, the public was beginning to become more interested in managing their own health. Technologies like wearables and wellbeing apps were increasing in popularity. The pandemic only expedited the uptake of this trend.

Sensor-based systems and wearable sensors are also a less common form of telemedicine. For example, blood sugar monitors can share data with an app to monitor the levels of a diabetes patient. However, they can be key in the management of life-long diseases like diabetes

For best functionality, all of the above technologies require some amount of health data. The key is finding the balance between data sharing and the value provided by these technologies. Patient data safety is always the priority, as their trust is easily lost through small errors.

Critical Concerns

As with any health technology, there are concerns about patient privacy, the data and health information that is collected by these innovations. The focus is, of course, the protection of patients and their health information. How is this data kept safe? And, what data can they collect with permission?

The truth is that there is an onus on the digital health software companies to build their tools taking into account compliance regulations like HIPPA and its Privacy Rule. Also, they need to build the software from the ground up with patient privacy and the protection of patient health information at their core.

Access Controls

One of the major concerns for data privacy in healthcare software and video conferencing systems is access. These systems are used to hold health information on a patients illnesses and treatments by their nature. Physicians, pharmacies, and healthcare facilities need to access this information, in order to provide and improve their care. 

This access presents a challenge, relating to the transmission of data. Without proper care, this data could be accessible to anyone within a facility or organization. Access controls are the primary safeguard against access issues and the accidental exposure of sensitive health information. It’s key that security systems have clear distinctions between which security levels can access which data. All of this needs to be documented as well to protect the organization.

Operating System Exposure

App exposure is also a key topic for discussion in the mobile app space, not just digital health apps. Apple and Facebook are two hugely influential parties in the discussion around data privacy, patient privacy, and apps. 

In 2020, Apple released a new operating system update. The update required all apps to across other apps on the platform. Facebook relied on this process in order to improve the advertising experience. The ensuing public argument attracted the attention of the general public. They became more aware of the information that apps store and transfer between each other, as a result. 

This is a key concern for digital health apps. They do not only collect personal data relating to online behaviours, but they collect personal health information, too. Typically, the public is far more protective over their healthcare data, than other personal information.

Put simply, if a digital health app wants a user to allow it to collect data on IOS, it needs to show that it has complied with the HIPAA Privacy Rule, has built-in extensive security, and that the patient will receive a tangible benefit by sharing their data. Patient privacy isn't just about protecting the information, it's about explaining to patients why you need information, how you protect it, and the benefit of sharing.

Interoperability and Connection with Third Parties

These new technologies offer a new way to provide information to third parties, like insurance companies and other healthcare facilities. This information could be critical for treatment. 

For example, wearables that track vital information could impact treatment received. Information from blood sugar monitors can help with the self-management of diseases like diabetes. The specific data might impact treatment programmes or the frequency of check-in appointments. 

Therefore, it is important that this valuable information is able to be securely transferred. However, this information does need to be integrated into current healthcare systems to provide benefit. Insurers, hospitals, and specialists healthcare providers need access to this vital patient information. This transfer of data needs to provably meet strict security measures, to address any concerns. Both ends of the transfer are a potential risk.

The risk to patient privacy here isn't just about the tech. Most software in this space would have end to end encryption. It’s about the process to protect identifiable health information from accidental exposure and ensure compliance with the Privacy Rule.

How to Ensure Patient Privacy

There are a number of safeguards that can help to manage the safety of healthcare data. For telemedicine, safeguards primarily revolve around access and processes.

Access controls are a key safeguard in the era of COVID and telemedicine. They need to be in place at both the customer-facing end, and for those accessing the data in the healthcare industry. Similarly, passwords and authentication processes need to be strong. These ensure that, of those that can access the data, only that party can access the data stores.

End-to-end encryption is also critical. The priority to ensure patient privacy is ensuring that only the patient and the physician can see, store, or amend their data. This is particularly important for video conferencing in telemedicine. All information contained within a virtual consultation is private data. Under HIPAA, this is referred to as PHI (protected health information). End-to-end encryption provides access to only the relevant parties. 

Finally, forms of data breach. Preventing hacks and phishing attacks is a challenge faced by every digital health solution. Firewalls and other protections need to be in place in order to protect data where possible. 

However, another best practice against phishing is to dispose of any data that isn’t needed. Perform regular audits of accessible data, and ensure that you’re only collecting what you need. In doing this, you are reducing the quantity of data, and thereby your vulnerability to phishing. Each deleted piece of data is one less piece that can fall into the wrong hands. 

Finally, the best digital health companies are constantly developing new solutions. It is critical that development protects patient privacy. Therefore, teams need to understand how to anonymize or de-identify patient data, and the risks associated with this process. It’s also critical to limit the number of developers who can access even anonymous data.

Digital health companies are founded with the care of the patient in mind. However, to ensure patient privacy, compliance and the protection of personal information must be baked into all aspects of the software from development through to production and support.

At Vertrical, we understand patient privacy concerns within digital health solutions. We know that the confidentiality of patient health information is paramount. That’s why we have teams of compliance experts on-hand to build your next digital health solution. Get in touch with us today to discuss your compliance needs.