Ethics, Security, and Confidentiality

Author: Capella Healthcare

what's covered
In this lesson, you will learn about the ethics, security, and confidentiality related to telehealth. Specifically, this lesson will cover:
  1. Privacy and Security
  2. Informed Consent
  3. Reflect: HIPAA and Your Telehealth Patient

1. Privacy and Security

HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children’s Online Privacy Protection Act), and HITECH (Health Information Technology for Economic and Clinical Health) Act requirements all apply to telehealth visits (Balestra, M., 2018). These requirements apply to both in-person and telehealth visits, but they also identify specific requirements relating to telehealth technology; each contains guidance that ensures the privacy and security of patients and secure health information (Bhate, C. et al., 2020).

It is important to consider a patient’s personal information, whether it is protected health information (PHI) or electronic protected health information (ePHI). The HIPAA guidelines on telemedicine require that only authorized users have access to patient ePHI, that secure communication be used (not FaceTime, Skype, Facebook, etc.) to protect ePHI, and that a method be available to monitor the communications containing the ePHI for potential breaches of data (American Telemed Association, 2020). In addition, if you are creating ePHI in any form (medical records, images, data from an eHealth app, billing, transcription, legal, etc.) that is stored by a third party, you are required by HIPAA to also have a Business Associate Agreement (BAA) executed with the third party. The BAA must outline how the third party will ensure the protection of the ePHI/data as well as detailed provisions for regular auditing of the data’s security. A business associate is any third party that performs functions or activities on behalf of a covered entity that requires them to have access to or store PHI or ePHI.

hint
Specifics on IT requirements and cybersecurity are covered in another lesson of this course.

The government has provided a HIPAA audit protocol (HHS Secretary-Office of Civil Rights, 2018) that provides details relating to the internal security and privacy protection requirements for health care systems. However, this protocol is complicated and includes extensive details that are not always specific to telehealth. Therefore, interpreting the protocol details is challenging. Zhou et al. (2019) have developed and validated a telehealth privacy and security self-assessment questionnaire for telehealth providers. This is one example of a validated instrument that provides a statistically reliable means for telehealth providers and professionals to self-assess their telehealth systems and programs for HIPAA compliance based on the current security and privacy rules in telehealth practices.

Patient confidentiality and privacy are high on the list of both patient and provider concerns. Protected Health Information breaches are costly mistakes. As reported in the Cost of Data Breach Report 2020 released by IBM Security and the Ponemon Institute, the average global cost of a health data breach was 3.87 million US dollars, with healthcare being the most “at-risk” and “costly” industry (Ponemon Institute & IBM Security, 2020).

terms to know

HIPAA
Health Insurance Portability and Accountability Act of 1996; provides guidance on protecting sensitive patient health information
COPPA
Children’s Online Privacy Protection Act of 1998; provides guidance on protecting what information is collected from young children online
HITECH
Health Information Technology for Economic and Clinical Health of 2009; provides guidance on the use of health information technology
Protected Health Information (PHI)
Any personal information within a medical record that may be used to identify an individual
Electronic Protected Health Information (ePHI)
Any electronic personal information within a medical record that may be used to identify an individual
Business Associate
Any third party that performs functions or activities on behalf of a covered entity that requires them to have access to or store PHI or ePHI
Covered Entity
Anyone who provides treatment, payment, and operations in healthcare

2. Informed Consent

Many states and payers require that you obtain patient consent, or informed consent, in order for you to be reimbursed for patient care. Some states require written consent, some verbal, and some none. Some states have specific Medicaid requirements. It is important to understand the regulations in the state where you practice as well as the state where the patient resides (if the two are different).

Even if informed consent is not specifically required in your state, it is best practice. The American Telemedicine Association (2020) suggests the informed consent form should include the following:

  • “Inform patients of their rights when receiving telemedicine, including the right to stop or refuse treatment;
  • Tell patients their own responsibilities when receiving telemedicine treatment;
  • Have a formal complaint or grievance process to resolve any potential ethical concerns or issues that might come up as a result of telemedicine;
  • Describe the potential benefits, constraints, and risks (like privacy and security) of telemedicine;
  • Inform patients of what will happen in the case of technology or equipment failures during telemedicine sessions, and state a contingency plan.”

Best practice is to also outline any telemedicine policies regarding scheduling, access requirements, cancellation (including fees), etc. (American Academy of Allergy, Asthma & Immunology, 2020).

Think ahead about how you will obtain consent. Traditionally, it was discussed during an in-person office visit, and consent was obtained at that time for moving forward. In more recent times, the first time you meet your patient may be via telemedicine. Always be sure to review the informed consent form together with the patient and allow them the opportunity to ask any questions. In the case where your first meeting is virtual, if you are collecting an electronic signature, plan what forms of electronic signature will be accepted. Will you use a service like DocuSign, accept an electronic signature on a PDF, or require patients to print out the form for a wet signature and scan it back to you? If obtaining only a verbal consent, will you obtain an audio recording of the consent? Regardless, make sure it is clear how and where you will record this in the patient medical record.

term to know

Informed Consent
The process in healthcare where a patient voluntarily provides permission to undergo care following a full explanation on the risks, benefits, and alternatives

3. Reflect: HIPAA and Your Telehealth Patient

Review this example of an Informed Consent for telehealth and consider the following points:

Per federal regulations, the following are the required elements for documentation of the informed consent discussion:

  1. the nature of the procedure or intervention (in this case telehealth)
  2. the risks and benefits of the procedure or intervention
  3. reasonable alternatives (if applicable)
  4. risks and benefits of those alternatives
  5. assessment of the patient’s understanding of elements 1 through 4.
reflect

  1. Do you feel the informed consent form example addresses each of these aspects? Why or why not?
  2. Is there anything else you think should be included?
