As Telehealth Services Expand,
Beware of Data Protection and Cybersecurity Challenges


The COVID-19 (coronavirus) pandemic will unquestionably reshape how the world responds to disease outbreaks. Even before the spread of coronavirus, the shortage of qualified healthcare professionals, particularly in combination with the world’s aging population, was a chilling challenge requiring novel solutions.

Both medical professionals and politicians are now looking to telehealth as a potential means of reprieve, and the concept’s popularity is likely to rise in the wake of the world’s experience battling coronavirus.

Telehealth connects patients to vital health care services through videoconferencing, remote monitoring, electronic consults and wireless communications. While it can help provide much-needed care to vulnerable and hard-to-reach populations, telehealth also presents unique legal and regulatory compliance challenges, particularly in the data protection and cybersecurity realm.

HIPAA

Telemedicine must meet all the Health Insurance Portability and Accountability Act’s (HIPAA) requirements, and the recently passed Coronavirus Preparedness and Response Supplemental Appropriations Act does not relieve organizations of this responsibility.

In order to comply with HIPAA’s privacy and confidentiality requirements, providers must only use fully encrypted data transmission and secure connections. This rules out SMS, unencrypted email and popular consumer videoconferencing tools.

It also raises unique concerns for patients using internet-connected devices to store and transmit information to their providers.

When medical professionals or healthcare organizations (covered entities) store electronic protected health information (ePHI) with a third party, the covered entity must have a Business Associate Agreement (BAA) with the party storing the data.

This agreement must include the methods the third party uses to ensure protection of ePHI and provide for regular auditing of the data’s security. Many large electronic service providers will not enter into BAAs, in which case the covered entity would be liable for any fines or civil actions resulting from a data breach. The covered entity would also likely fail any HIPAA data security audit.

Data breaches and cyber scams

With the rise of telehealth also comes the rise of data breaches and cyber scams. As more communications are handled electronically, bad actors are able to trick victims into downloading malware, revealing sensitive information or misdirecting funds via phishing attacks.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has seen an uptick in cyber scams in the wake of the coronavirus outbreak.

Internet-connected devices present additional concerns, as the software and the devices themselves may be vulnerable to malware and other attacks. If a device is classified as a medical device, it is also regulated by the Food and Drug Administration (FDA), which has issued broad guidance on the use of wireless technologies and certain mobile medical apps.

GDPR and CCPA

Companies should also reevaluate whether a novel use, processing, or storage of ePHI triggers or alters their obligations under certain data security laws, such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

For example, how one handles ePHI in providing telehealth services could change a company’s categorization under the CCPA as either a “business” or “service provider,” resulting in changed legal obligations.

Key takeaways

  • Develop, update, and implement internal policies and procedures to ensure secure transmissions of ePHI and related data
  • Update data maps to reflect new telemedicine practices to evaluate applicability of the GDPR, CCPA and other data protection laws
  • Implement and/or update BAAs with any technology vendors with which ePHI is shared
  • Reevaluate risk allocation in software-as-a-service agreements and in contracts governing the use of internet-connected devices
  • Remind staff and consumers of data security best practices to reduce the risk of phishing and ransomware attacks

Our team will continue to share the latest developments and provide insights on the spread of coronavirus and its impact across sectors.


Prepared by:
David Katz
Jack Pringle

David F. Katz
david.katz@arlaw.com
Atlanta
P 470.427.3726

Caitlin Amick, CIPP/US
caitlin.amick@arlaw.com
Atlanta
P 470.427.3702

(not licensed to practice law)

Adams and Reese LLP
www.adamsandreese.com

ALABAMA | FLORIDA | GEORGIA | LOUISIANA | MISSISSIPPI | SOUTH CAROLINA | TENNESSEE | TEXAS | WASHINGTON, DC

This is not an advertisement. The information in this newsletter does not constitute legal advice or opinion and should not be viewed as a substitute for legal advice. The information provided is based on laws and regulations in effect at the time of creation and is subject to change. Adams and Reese is a multidisciplinary law firm with approximately 280 lawyers and advisors. The firm has offices in New Orleans, LA; Baton Rouge, LA; Atlanta, GA; Birmingham, AL; Mobile, AL; Montgomery, AL; Columbia, SC; Memphis, TN; Nashville, TN; Houston, TX; Jackson, MS; Jacksonville, FL; Sarasota, FL; St. Petersburg, FL; Tampa, FL; and Washington, DC.

For additional information, please see the firm website at www.adamsandreese.com

This newsletter is a periodic publication of Adams and Reese LLP and is intended for general purposes only. This newsletter is sent to friends and clients of Adams and Reese LLP. The sending of this newsletter is not a privileged communication and does not create a lawyer/client relationship. No representation is made that the quality of the legal services to be performed is greater than the quality of legal services performed by other lawyers.

FREE BACKGROUND INFORMATION IS AVAILABLE UPON REQUEST.