Posted on 11/23/2015
Bloomberg BNA Health IT Law & Industry Report:
Three IT Considerations for Virtual Visit Software Security
by MYidealDOCTOR CTO Sean Middleton
As more patients opt for online consultations versus in-person visits, health care’s chief information officers must explore and understand new telehealth challenges. The overarching goal of virtual visits is to provide the most satisfying experience possible for patients and physicians alike.
Achieving this goal requires a strong technology infrastructure alongside solid security protections.
This article explores three important technology components for success.
The Value of Virtual Visits
A virtual visit is ideal for non-emergent episodic care including treatment for sore throats, flu, headaches and other cyclical illnesses.
This is especially true during back-to-school season, for example. Parents appreciate the convenience and value of virtual visits.
Employers benefit through less time off for ill employees. And post discharge, hospitals recognize the value of virtual visits to reduce readmission risk.
Virtual visits are a win-win for practically every patient population.
According to research firm Parks Associates, the use of video conferencing to facilitate a visit between a provider and patient is expected to reach 16 million visits in 2015, with more than 130 million visits projected for 2018.
With so many opportunities for data to be captured by unwanted parties, virtual visit software must employ a holistic approach to security and privacy including three best practices to manage health-care data during virtual visits:
- Secure access to the data at logon.
- Secure the data as it is transmitted.
- Secure the data while at rest in storage.
Secure the Logon
Only authorized users should have access to the virtual visit software, and access must be secured. Authorized users may include physicians, triage nurses, customer support personnel and operations.
A sufficient number of physicians must be available and logged in to the system, ready to accept patients on most days of the year, with around-the-clock coverage. If staff members do not need patient-specific production data to fulfill daily responsibilities, they should not be granted access.
HIPAA implications are the same for virtual visit software as for any electronic health record system deployed in a distributed or cloud-based architecture.
To put a provider in the best compliance posture possible, the organization’s staff should be trained on HIPAA rules and regulations for protected health information. As a business associate, the virtual visit vendor must adhere to HIPAA regulations from both technological and operational perspectives.
The information technology team for a virtual visit system vendor may include developers, testers, database administrators and others. Ultimately it is up to the virtual visit system vendor to make sure the delivery platform and application (mobile, web-delivered or desktop) incorporate HIPAA-compliant security protocols.
Physician licensing over state lines is another system access issue with which IT must contend.
Simply put, physicians must be licensed in the state where the patient is physically located at the time of service. When a provider logs in to the system, you need the ability to match state licenses with the state from which the patient is calling.
There are some initiatives proposed to ease state-to-state physician licensing requirements, such as the Interstate Medical Licensure Compact, from the Federation of State Medical Boards, and the TELE-MED Act, which is being considered in the House. But these will not eliminate the need to match the patient’s physical location with the territory in which a physician is licensed to practice.
In order to ensure your providers are only virtually meeting with patients in states in which they have valid licenses, their platform needs to account for this automatically and not allow a mismatched visit to move forward. Relying on manual checks for compliance will fail at some point.
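The automatic check described above can be sketched as a fail-closed gate in the visit-routing path. This is an added example, not MYidealDOCTOR's code; the class names, function names and roster are hypothetical, and it assumes the platform records the patient's physical state at the time of service and each license's expiry date.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Hypothetical data model; every name and sample value here is constructed.
@dataclass(frozen=True)
class License:
    state: str     # two-letter state code
    expires: date  # last day the license is valid

@dataclass(frozen=True)
class Physician:
    name: str
    licenses: Tuple[License, ...]

def can_start_visit(physician: Physician, patient_state: Optional[str],
                    today: date) -> Tuple[bool, str]:
    """Return (allowed, reason). Fails closed: anything unknown blocks the visit.

    patient_state is where the patient physically is at the time of service,
    not the home address stored on the account.
    """
    if not patient_state or not patient_state.strip():
        return False, "patient location unknown"
    state = patient_state.strip().upper()
    held = [lic for lic in physician.licenses if lic.state.upper() == state]
    if not held:
        return False, f"no license in {state}"
    if all(lic.expires < today for lic in held):
        return False, f"license in {state} expired"
    return True, f"licensed in {state}"

def eligible_physicians(physicians, patient_state, today):
    """Offer a visit request only to physicians who pass the gate."""
    return [p.name for p in physicians
            if can_start_visit(p, patient_state, today)[0]]

# Constructed sample roster.
ROSTER = [
    Physician("Dr. A", (License("VA", date(2016, 6, 30)),
                        License("NC", date(2015, 1, 31)))),
    Physician("Dr. B", (License("NC", date(2016, 12, 31)),)),
]

if __name__ == "__main__":
    today = date(2015, 11, 23)
    for state in ("VA", "NC", "TX", None):
        print(state, eligible_physicians(ROSTER, state, today))
```

Logging the returned reason for every blocked request gives compliance staff an audit trail of mismatches the platform refused.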
Secure and Reliable Data Transmission
When a patient is sitting in an exam room, emergency room or urgent care center, the interaction between patient and physician is contained within that physical space. For a virtual visit, the same interaction will go through routers, load balancers, firewalls and Ethernet networks before ultimately being encrypted and sent back and forth across the Internet between patient and provider.
Patients and providers can be located in any of the 50 states or abroad, with visits initiated 24/7/365.
Because a service needs to reach across vast distances, it is important to ensure that network architecture and platform topology scale to the volume expected. Data transmission must be secure for the entire duration of a virtual visit, whether it’s five minutes or 50 minutes.
Alongside security, high video and audio quality is required to deliver the best patient experience.
Exercise care as you choose network service providers to ensure the quality of service necessary for a successful virtual visit exists and can be maintained under system load.
Virtual visit providers must plan for high call volume, and ensure high-volume periods can be accommodated by the system being built. If not considered ahead of time, high usage volume has the potential to degrade video and audio quality.
In the case of MYidealDOCTOR Telehealth, we see a daily peak in volume between the hours of 7 a.m. and 7 p.m. Annually, we see a spike in volume at the beginning of the school year, continuing throughout the fall and winter seasons. When kids return to school the petri dish of germs explodes and also infects unsuspecting parents and caregivers.
By ensuring systems can handle high-volume periods, the low-volume periods will take care of themselves. It is best to test functionality by running end-to-end tests during slower periods to ensure no impact on the end user’s experience.
Load testing can be accomplished using automated test suites and utilizing virtual users accessing the system. There are several commercial tools like LoadRunner from HP and WebLoad available to run simulations of different load scenarios.
Secure Data Storage
Virtual visit systems store demographic information and diagnostic information, but they must also manage audio and video files. Any data captured during a virtual visit should be treated much the same as EHR data collected during a typical in-person, exam room encounter.
At MYidealDOCTOR, we have the entire visit audio recorded. That recording can be played over and over again and if it found its way into the wrong hands it could be used against both the patient and the physician.
Data should be kept secure and encrypted for the period of time mandated by state and federal regulations and requirements. This requirement dictates the retention period — anywhere from seven to ten years or more, with data needing to be archived after a certain period of time.
The American Health Information Management Association (AHIMA) recommends storing adult diagnostic images for five years, health/medical records for ten years, and the master patient/person index permanently.
Redundancy is important for information availability, whether technology is on-premise or in the cloud; it needs to be accessible at all times.
Operational support does not necessarily need to access the most immediate information. Daily reports, periodic audits and month-end processing can all be done against copies of the production data. This should be taken into account by the vendor when the platforms are being designed and built. Waiting until redundancy becomes a problem is more costly and much, much harder to remediate.
Electronic Medical Records and Interoperability
Interoperability with electronic medical records is still in the nascent stage.
Telehealth does not introduce totally new challenges to data exchange, but is rather a new piece of the overall interoperability puzzle in health care.
Industry groups, such as the Commonwell Health Alliance and HIMSS EHR Association, are convening stakeholders to hash out interoperability strategies.
However, as most healthcare CIOs are aware, it will be some time before a standard is established, and even longer before it is widely adopted by the industry.
The ideal situation would be for providers on any platform and in any clinical setting—physical or virtual—to have as much information as possible when caring for a patient. This would include prescription information, laboratory findings and medical history to help diagnose virtual visit patients with a higher degree of accuracy.
Ultimately this data can come from a variety of sources like being captured during patient intake, pulled in from a third party system, pulled from the patient’s wearable(s) and/or other health-care monitoring devices or deduced during the visit itself.
Virtual Visits Present New Care Option
For the IT component of virtual visits, telehealth is simply another means to provide health care for the general public population. Whether the patient walks into a brick-and-mortar physician practice or uses a smartphone to conduct a videoconference, the method must be easy to use, the user experience must be exceptional and the information shared and stored must be kept private and secure.
The Association of American Medical Colleges (AAMC) predicts that the U.S. will face a shortage of 46,000 to 90,000 physicians by 2025.
In the midst of the doctor shortage, virtual visits will play a significant role in making the most efficient use of a physician’s time while extending the geographic reach of a provider.
Though a virtual visit has much in common with a traditional doctor visit, providers should pay special attention to the technology used at all points in the delivery. A three-pronged approach to security supports patient privacy and satisfaction—providing a positive experience for all involved.
Sean Middleton is CTO of MYidealDOCTOR Telehealth, a progressive telehealth company that provides access to US board-certified physicians by interactive audio or video.