The COVID-19 pandemic has caused many healthcare organizations to go remote.
There’s a lot to think about when making this shift, such as how to communicate with patients online, protect patient privacy, keep sensitive information secure, stay HIPAA compliant, and more.
We’ve put together a webinar with special guest presenter Dr. Danika Brinda from Planet HIPAA to cover what healthcare organizations need to think about when going remote, real-life use cases of practices that were successful, and more.
P.S. Be sure to learn more about special offers from Jotform and Planet HIPAA:
- Jotform’s free Coronavirus Responder Program
- Planet HIPAA’s 11-question HIPAA Checkup and Autopilot product
Annabel: All right. Hey, everyone. Annabel here from Jotform. Thanks so much for joining our webinar — What healthcare organizations need to think about when going remote. We’re excited to have a special guest today. Dr. Danika Brinda from Planet HIPAA here to provide her expertise and take us through some items remote health care organizations are concerned with, such as communicating with patients online, protecting patient privacy, keeping sensitive information secure, staying HIPAA compliant and more.
Once Dr. Danika finishes her presentation, we’ll jump into a brief overview of Jotform and a special program we’re running called the Coronavirus Responder Program, which offers free unlimited HIPAA-compliant plans to eligible users. After that, we’ll do a brief Q&A session and then conclude for today. If you have any questions or comments during the webinar, please type them into either the chat or the questions tab on your screen. Without further ado, I’m going to pass the mic over to Dr. Danika.
Dr. Danika: Hello everybody, and welcome to the webinar.
Thank you, Annabel, for that great introduction. I am very excited to spend the next hour with you and talk about what you can do as healthcare organizations. As you go remote, as it pertains to the privacy and security and HIPAA compliance when protecting the patient information that your patients share and give to you. My name is Dr. Danika Brinda. And I’m excited to be on this journey with you.
A little bit more about myself. As I said, I am Dr. Danika Brinda and I am the CEO and president of Planet HIPAA. Planet HIPAA is an online software as a solution provider that provides HIPAA compliance to a lot of different organizations throughout the United States. I am a HIPAA SME. I love everything about HIPAA. I know you guys are probably giggling about that, but I do love HIPAA, and I love to help organizations make it work for them. I’m a regional and national speaker on all things HIPAA.
I’ve also had the opportunity to write numerous textbook chapters, as well as author my own book for an exam prep that has to do with HIPAA compliance. I’ve served as a virtual privacy and security officer, and I am the creator of the HIPAA Autopilot product by Planet HIPAA, which we’ll touch on at the end of this presentation. So first and foremost, thank you again for joining us. I know we are in the middle of very unprecedented times, and I just want to let you know that I appreciate your time and I hope that you and your office staff and your family and friends are all healthy during this challenging time.
So let’s just start out. I’d like to know a little bit about who is on the call with me. So the first question to all of you is what type of organization are you?
Go ahead and put it in the chat on the right hand side, and I’ll watch for it and I’ll call out a few. Dermatology office, great. Chiropractic. Awesome. OK. Yeah. Dentist, optometry. Great. So we have a variety of different types of organizations here, and I didn’t even see and say all of them. But thank you. I’d love to keep seeing who’s here. So keep putting it on in the chat so I can know. Thank you all for coming.
Second thing I want to ask you is how are you currently functioning? And what I mean by that is that are you open in normal for regular business? Are you hybrid, which is maybe some time in the office and sometimes working remotely at home? Are you fully remote or are you closed completely? Go ahead and put it in that chat. OK. Open normal, see less patients during the day. Great. OK. Yeah. Hybrid. I’ve seen a lot of hybrids on here. So some people that are doing business both from the office and then at home. OK, great.
Great. Totally at home. Great. Well, thank you for sharing that with me. I think this presentation will really give some valuable information for you to take into that concept as you’re maybe creating these first-time remote home work environments. So we know business right now is far from business as usual. At the beginning of the year, it was normal. We see patients. We do our daily lives. We do our daily work. We go home. We don’t necessarily have to bring our work home with us.
But now in the last four weeks, we have really transitioned to a new world with the COVID-19 pandemic that has hit us. But the reality is we still must protect patient information and protect our patients. We don’t want patients’ information getting out there. Actually, in situations like where we have pandemic, sometimes people feel a little bit more sensitive about their patient information and what can get out there. So we know the world as we live today isn’t what it was.
Hipaa News Releases And Bulletins
Right at the beginning of the year, we had busy offices. We had people close together. We were meeting with our patients one to one in close corridors. And now it looks a little bit like this, right? We’re meeting via Zoom, we’re talking via the telephone. We’re meeting via Microsoft teams. We’re using all these online tools to be able to potentially have an office that’s virtual. I just heard the other day that they are managing the rover on the moon virtually for the first time ever. So kind of some cool things that are coming out of it, too.
And again, we’re meeting with our patients in different ways, right? We’re not necessarily meeting them face to face. We still might be. There’s a little bit of that happening, but we also might be meeting with our patients in different manners, such as virtually. My mom the other day called me, and she knows that I love this kind of stuff. And she said, “I just had my first telehealth visit.” She said, phone visit, I think with my doctor.
And it was just really unusual for me. So not only supporting this is new for us as providers, but this is also new for our patients. And we still want them to feel comfortable receiving care in this manner. On top of all of this that we’re struggling with, we have the Office for Civil Rights, which is OCR. And you see, they’re kind of the enforcement arm of HIPAA under the Department of Health and Human Services.
And they have released different bulletins and different enforcement discretions almost on a weekly basis for the past five or six weeks. And it’s hard to keep up with everything that’s going on. So that’s why Jotform reached out to me and asked me to bring some of these things to you and tell you guys how you can use this time to effectively move into a remote environment that may last for an unknown, unspecified period of time. To understand some of these bulletins that are being enforced and ultimately to understand how you can comply with HIPAA privacy and security as you move into your remote settings.
So the one thing that I can assure you is being in this remote setting and knowing all these discretion bulletins are being posted, it does not mean that HIPAA doesn’t apply in today’s healthcare environment. I follow a lot of, you know, high trending things on social media, and I see people saying that I am so happy I don’t have to comply with HIPAA, or let’s try something new since HIPAA doesn’t apply anymore. That’s not the case. And I want people to know that HIPAA does apply when we get into these emergency situations, such as a pandemic or even natural disasters such as the tornadoes we saw earlier this year, as the hurricanes that we saw last year.
The Office for Civil Rights will create these bulletins or allow these flexibilities to respond to these public health emergencies. The other aspect that we have to think about is sometimes we have state law that also still applies. So it’s kind of managing all of those components and trying to do the best we can and make good faith decisions to protect patient information.
The Remote Work Environment
So I wanted to spend part of this presentation talking about exactly what does it mean to transition to that work environment?
What does it mean? How do you protect the patient’s information? How do you protect the patients? How do you protect your staff and set them up for success? I mean, that’s really part of it, too, is let’s do everything we can. So our staff are successful, which means we are successful, which means our patients are successful. So let’s think about the remote work environment.
It’s employees working from their homes ultimately, because a lot of us are in this shelter in place or if we don’t have shelter in place, the government obviously has 30 days to slow the spread guidelines that they have. So ultimately, the majority of us are in a place where unless you’re essential, which a lot of you are essential, but unless you’re essential employees, they ask you to work remotely. Which could mean no one is coming into the office or coming into the office is very limited compared to what it was.
It also means that information and systems are being accessed through employees’ homes, which you may have never done before. It means protected health information is being looked at, accessed, viewed outside of the walls of the office. And for some, that’s really an uncomfortable setting because you kind of feel like you lose a little bit of control. There might be a lot of other people present. We don’t just live by ourselves in a bubble. Well, most of us I mean, some people might live on their own.
But a lot of times there’s kids, there’s parents, there’s spouses, there’s significant others. There’s people, we might have roommates that may live with us. So more than likely, you’re going to have other people present potentially during the work hours, especially as we see these kids not having to go into the physical schools and doing distance learning.
We have pets. Although we’re not super worried about a pet remembering what you’re telling a patient or seeing what you’re typing on the screen. But they’re joining us. The reality is that distractions exist and things that can happen that we just have to prepare ourselves for and do the best we can.
Considerations In A Remote Work Environment
When we think about sending our workforce home or think about accessing information from home, one of the things that you have to think about is your work-from-home office. So where they’re going home is really an extension of your physical office. And what do I mean by that? I mean that we have to remember basic privacy and security safeguards, and they should apply to that employee’s individual office. No, that doesn’t mean you have to go to every employee’s home and look at where they’re working and check off all these different boxes. That’s not the intent of it. The intent of just making sure that you have some basic safeguards in place to really protect that patient information.
It is your responsibility as the healthcare organization to make sure that privacy and security of protected health information is maintained and provided in these remote work environments. And it’s also the responsibility to properly prepare your staff as the healthcare organization. The one thing I challenge all of you with is these are ever changing.
I mean, if you’re watching, if you work for an organization, sometimes things are changing on an hourly basis, which can bring challenges. As you transition to this remote work environment, as you see things that work and may not be working or may cause some angst — are we properly protecting patient information? — you have to remain agile. You have to remain functional and have the ability to say, “This isn’t right. Let’s change this.”
So that is one of the key things I want you to take out of this presentation is the agility and the need for flexibility during this time is going to be very essential to be successful. So we wanted to go through some basic considerations for the remote work environment. And after we talk through the considerations, I’ll flip it over to some recommendations that I have for you to do as you’re going into this remote environment.
Company-issued workstations vs personal workstations
So the first consideration when you’re sending people to work from home is, are you going to send them home with company-issued laptops or are you going to have them connect to your systems which have patient information via their personal workstations?
And HIPAA by any means doesn’t say you have to do one or you have to do the other. It just says you have to put these safeguards in place. So obviously, if you’re issuing company workstations for people to go home with, sometimes that feels a little easier because you can say I don’t want anybody else to use this workstation but you. But it also creates some other challenges where organizations might not have the funds to provide everybody a workstation at home.
If you are used to using PCs and not laptops or portable devices such as tablets or anything like that, sending a workstation home is a lot more complicated than just sending home someone’s laptop. So by no means do you have to issue workstations. However, the nice thing about issuing company workstations is you have the control over them, right? You have the current controls over what can be uploaded, what can be downloaded, what can be accessed. You manage the antivirus solution so you have control over it that way.
When people are connecting via their personal workstations, there’s a lot of things to consider. So who else is using that workstation? What type of information can they even access? Are they logging in through a secured network or are they just logging in via the internet through a secure portal, maybe that we have to get access to? So lots of things, but this is one thing you will have to decide and kind of take a stance on. And again, both are acceptable as long as you put the right safeguards in place.
Connecting to the internet vs remote access
And kind of continuing that conversation, regardless, if you send home workstations or if people use their own personal workstations, you have to think about how people are going to be connecting to your environments that store and house that protected health information. So connecting to applications, are they going to go directly through the internet? So do I just go to a web page, and I don’t need to be in a specific network? Can I just go to a web page, type in my username and password, and have access to the system? Kind of like a software as a service system if you want to think about it that way.
Or do I have to have some type of remote access, such as a virtual private network or systems out there, such as LogMeIn as just an example of a product where you can actually virtually connect to one of your computers through a secure connection at the office. So it’s like you’re working at that office, you’re just working through a PC at your house. So you really want to think about how people are gaining access to the system.
So you may not be able to access your, let’s say, electronic health record unless you’re on your actual network, which may require people to have a remote access or, you know, in the event that people are connecting via the internet.
What other safeguards do you have to put in? And what I mean by that is, we all work in today’s world with many distractions.
We have kids at home. We have pets that need to go out to the bathroom. We have to answer the front door. So there’s a lot of things happening. So what I mean by having some security in place on these applications is it’s going to be really important if there’s inactivity, that there’s safeguards in place to, after 15 or 20 minutes, if someone’s inactive in the system, that it closes this system and it makes them reauthenticate.
That’s going to be especially important if people are logging in via the internet. And, you know, you don’t want them staying active when they’re not really sitting at that workstation, especially if it’s through a personal computer.
The other thing you want to think about is how people gain access. You know, if it’s just a username and password, that’s great. At least there’s some process. But if it is through the internet, you want to provide guidance that they should not be saving their username and password to ease the authentication in.
Physical remote workspace location
So the next thing I wanted to talk through is a little bit about what that remote physical workstation workplace looks like. So again, it goes back to everybody’s space. Home space is very different. Some people live in a studio apartment, some people live in a multi-bedroom apartment. Some people have a house. Some people have a townhouse. So what the inside of people’s houses look like is very different. And what you want to think about is encouraging your staff to have a dedicated place to work.
So it’s OK if it’s at the kitchen countertop. Right. It’s OK. That happens there. But you want to make sure it’s a safe, dedicated place where if they need to provide confidential information to a patient via a phone or if they need to access patient information, they don’t have all these people standing behind them or with them.
That’s really the important component. It is not a bad idea to ask your staff who are remotely working, where is their dedicated physical remote space? That is an OK thing to ask people. And it doesn’t mean they can’t go sit on the couch for half an hour and do their work. It’s just you want to have them in a dedicated space so you can be assured that, you know, the information that they’re accessing or gaining access to is protected. The next two components that we’re going to talk about kind of go hand in hand, but this is a really important aspect.
Downloading and saving protected health information
One of the things that people don’t even think about when they’re in their physical offices is sometimes when you download something, so let’s say a patient emails you something and you download it. And to look at it, it’s a PDF. Let’s just say that example. Maybe they did a questionnaire and they sent it in to you. A lot of times an image of that download will save within the download folder on the hard drive of that workstation.
And so the challenge with this is, especially from a PC, if people are accessing the system or email and they pull up a file that has patient information in it, such as a PDF for maybe it’s an image of someone sent in a scanned card, that specifically may save in their downloads folder. And then at any point in time, someone can sit down on that computer and access it. So you want to make sure that if people are downloading that they really delete that download folder.
Sometimes it’s good to do it a couple times a day, but at a minimum at the end of the day and then delete the trash on that computer to make sure nothing is saved in there that could potentially have patient information and get leaked. The other aspect is you need to define a policy on when it’s OK to save protected health information, especially when it is a personal device. So I note sometimes there is a workflow where in order to upload it into your electronic documentation system, you have to save it on the hard drive and then upload it.
And then it’s in the system. You upload it as a PDF or whatever it may be. So maybe that question that patient emailed you, you have to put into your electronic health record. And the only way to do that is to save it and then upload it. You have to have a distinct process for that. And what I mean by that is maybe put a folder or have people build a folder on their hard drive that they put those in.
They immediately upload them. And as soon as they upload them, they delete them out of there. Do you delete it off the folder and then delete it out there? That’s gonna be a really important aspect as you define this. The last thing you want is a personal computer sitting with all this patient information on there, because first of all, you can’t control who has access to that personal device.
Printing of protected health information
But second of all, when it’s time to get a new device or destroy it, you don’t know how that’s being done. So that’s going to be a little bit of a concern as well. So this is the other aspect of printing patient information. Now I know in your work environments and offices, it’s probably not unusual to print out something with patient information and work off of it.
So now that we’re remote, what does that look like? How does that happen? Is it still appropriate? So there’s a couple of things you want to think about from a printing perspective. The number one thing to think about is it a nice-to-have or is it a business need? And I know I love my paper, too. I’m a check-off person, so I want to check off my tasks or whatever it is.
So I love having the paper in my hand. But when you’re working in a remote environment, the question is, is it necessary for me to print this, or is it just nice-to-have. And if your answer is yes, there is a true business need to print it, then you have to put additional safeguards in place. And the additional safeguards you want to put in place defines who can print it, where it can be printed.
Make sure that you understand what type of printer your staff has, to make sure there’s no copying or saving on that printer. The second thing you want to think about is the storage of the paper. If I do print paper out, I need to store it securely. So that means I need to potentially have a locked drawer I can store it in or a locked file folder that I can store it in that nobody else can gain access to, and that I keep that in a secure location that only I can have access to. So that’s number two.
The third thing you want to think about is when I no longer need that paper, how do I properly get rid of it? The best thing to do is if you’re going to have employees printing at home, buy them a shredder. And it doesn’t have to be a fancy shredder. It just has to be a shredder. Normally you can get them for $40 or $50. But you have to provide them a safe way to shred that information in their organization.
Now, the one other component that you want to think about from the paper perspective is if you are bringing paper from the office to your home or maybe from your home to the office and you’re bringing it from location to location, it is very important that as you transport that paper, that you also have secure ways of storing it as it goes from point A to point B. So a couple of items that you can use, you can get like a lockable briefcase if that works for you. Sometimes there’s lockable file cabinets you can actually keep in your trunk or whatever it may be, or there’s also lockable CommBank bags that are like eight and half by 11 in.
It can store in eight and a half by 11 in. paper, and it’s a canvas bag that will lock. You can get it at your local stores or an Amazon or wherever you shop for supplies. But those are some ideas as you’re transporting. But again, there has to be a business need to do some of that.
Steps Your Organization Must Take
All right, so these are some steps that I feel that you must take when you’re sending your remote workforce home. So first and foremost, you don’t control their router in their modem at home, right?
That’s something that they have purchased or they have installed through their ISP provider. So the first thing I always recommend people do is to do a home router check, and I’ll make sure this link is actually in the information when it’s sent out. And we’ll put it below in the comments as well on this video. But the one thing to remember is that doing a scan to check just to make sure there’s nothing on it. It provides that security safeguard that they’re connecting via a clean connection.
So if you just take to Google and type in “free home router check,” F-Secure.com is the first thing that comes up, and it’s a super easy tool. You basically just say, check my router, and it’ll come up and say, good. I do recommend that your workforce do a screenshot and send that to use. You can kind of keep that. I also recommend a remote telecommuting policy and procedure that really defines what your expectations are as far as printing protected health information, saving protected health information, destroying protected health information.
Have clear, concise expectations in that policy and procedure, even transporting devices and transporting paper, etc. The other thing you want to define and have a process for is if you do let your staff use personal workstations to connect to your systems that have patient information, make sure that you verify that staff have an up- to-date antivirus solution. So HIPAA doesn’t say what solution you have to use. There’s many of them out there.
A lot of times they’re accessible through an internet service provider or just to download on the internet.
But you want proof that they have an up-to-date antivirus solution and they’re doing regular scans on their PCs. Now, this next bullet point, I’m going to put a little caveat, because I know in today’s world this is really hard, but verify that only staff members have access to the workstation. So if it is a work-issued laptop or workstation, you can say nobody else can access this but me. In this situation where they’re, you know, using their own personal computers, what I would recommend is that you tell them that during business hours when they’re doing work for you, that only they access the workstation.
If there’s other people that have to access it, I know kids are going to school, spouses are both using the same workstation, to try to work that out. Those happen outside of the hours that they’re working for you, and they should verify all systems connected to your business are shut down. You also want to make sure you know what operating system that they work on their workstation. And what I mean by that is we know that Microsoft recently stopped supporting security updates for Windows 7 earlier in 2020.
Well, if your staff are still using Windows 7, that could potentially be an issue as far as it doesn’t have proper security on it. So making sure that they’re on a Windows 10 specific workstation would be important because, you know, it’s been updated and kept up to date.
But also a flip side to that, you want to verify that patches are properly installed.
Obviously, this next bullet point probably doesn’t apply to today’s world. But believe me, I’ve seen it all. I’ve seen people parking outside of coffee shops to access the Internet because they can’t go in. But one of the things I would recommend is you have a process in place where your staff do not access from a public Wi-Fi location, coffee shop, or a restaurant. Part of that is you can’t control the access at that point in time, and you lose a little bit of control over that. And that’s when it gets a little scary.
The other thing you must do, you must educate your employees. It is your job to set your employees up for success in this new environment. Let them know your expectations. If they have to work during business hours, let them know your business hours. And if they need to work outside of that, they should be working with you. Let them know there’s privacy and security expectations and that their home is now an extension of your office. Define printing and saving protected health information. We don’t want someone doing that and then leaving it behind or leaving it in a car and it gets stolen. And then you’re surprised. Remind them that they can only access what they need to do their job for the tasks in your remote world.
And also let them know the cybersecurity threats out there. I think this is a huge issue. And not only, I should say, cybersecurity, right. We obviously have a lot of phishing attempts through email happening, but there’s a lot of what they call vishing, it’s voicemail, phone calls, trying to get information. And there’s also some snail mail attempts also happening where people will send a bill that won’t really be a bill.
The last thing I recommend people do is have staff members sign a remote work environment form. The reason for that is it just sets that assurance that, yes, I as the remote work staff understand this, and I’m going to do the best I can to protect all of this information. But it also allows you to have a commitment and documentation of that commitment. Obviously, we live in health care. If it’s not documented, it’s not done. So it just creates that tool to be able to have it between you and your workforce.
And again, let’s add a little humor, right, when working from home and your boss messages you about a Skype meeting. Oh, my. Throw on some clothes and brush your hair. So I hope you get a little giggle out of this. We’re going to be transitioning topics now. I just want to stop and ask for any questions. OK. Well, I don’t see any but if you do have them, go ahead and put them in the chat or the questions area, and we’ll be happy to answer them along the way or at the end during the question and answer session.
Steps For Organizations With Closed Offices
So other considerations, this is just a really quick update. So if you are closing your office or you’re not going to be in your office on a consistent regular basis, I do recommend also putting some things in place just to verify compliance is happening when nobody’s there to do the checking or to be physically present. So simple steps you can take for your organization when it’s closed, whether it’s a couple days or a couple of weeks or maybe longer. First and foremost, verify that doors are properly locked at all office point locations.
So if you have three doors that allow you to get into your office, make sure all of those are truly locked. If you’re in an office that is a part of a larger office building, one of the things I recommend you doing is just connecting with the building owners to make sure you can still have access to that office in the event that you do need to go in and get access, just verify. And that is an important aspect. If you do have a security system, you want to make sure it’s installed. It’s turned on when no one’s in the office, if there’s internal doors that secure the place. So maybe you have a medical records room or maybe personal offices or your server room, whatever it may be.
If there’s internal office doors that should be locked in, secured, make sure those are locked. Also, that includes any type of drawers where you might have secure information or a safe or whatever it may be.
Define who should be accessing the building. So in an emergency pandemic situation where you might close your office, you may say only the doctors or providers and the office manager can access the office. No other people are allowed to come in. And it is OK to set those guidelines and make sure people know when they can and cannot come into the office. Verify that all your electronic systems are still backing up through your current established process. So if you work with a third-party IT vendor for example, just still make sure they’re doing those daily backups or however frequently you’re doing your backups and that they’re successful and that your workstations are operating and they’re getting their updates.
So, for example, if Microsoft releases an operating system update, you still want to get that in, right? Because you want to be able to protect your systems even if they’re not being used. And I always say do a regular check on the office. And what I mean by that is really spend some time making sure that you just do a quick driveby maybe or just do a regular internal check.
The reason for that is just to make sure that nobody’s trying to break in or nobody gained access when they weren’t supposed to. So just some simple safeguards that you can take to protect the office when you’re not there.
Telemedicine And Hipaa Compliance
The last thing I really wanted to cover was a little bit about what telemedicine and HIPAA compliance looks like. This isn’t the end-all be-all, every in and out of it, but I hope it provides you enough information that if you are electing to do telemedicine or telehealth in this world, you can put some simple safeguards in place to make sure the compliance is there. So first and foremost, this is the definition of telehealth. I’m not going to read it word for word, but the Department of Health and Human Services along with the Health Resource and Service Administration defined telehealth as the use of electronic information and telecommunication technologies to support and promote long distance clinical health care, clinical education, public health, dentistry, whatever it may be, it just allows you to provide it in a distant type of way. So one of the challenges that we faced is, again, some of these discretions continue to come out and before you had to make sure you had the proper telehealth system. And it was really challenging and sometimes expensive for organizations. And the reality of implementing that to provide telehealth in our COVID-19 pandemic is maybe necessary.
So on March 3, 2020, the OCR provided this bulletin, which is a notification of enforcement discretion for telehealth remote communications during the COVID emergency. So basically what these bulletins are saying is that we’re not going to enforce HIPAA on a super strict standpoint if you’re doing the best you can to provide telehealth in this situation that we are in, ultimately. So some key points from the enforcement discretion that was put up for telehealth specifically is that during the COVID-19 nationwide pandemic that is happening, covered entities may communicate with patients and provide telehealth services through remote communication technologies. They must use non-public facing remote communications.
However, if they do not fully comply with HIPAA, it is OK to use them today. You may also use your professional judgment to assess or treat medical conditions. One of the things in the discretion that was published is that the telehealth doesn’t have to be on a COVID patient. It can be on any medical patient, such as, they specifically spell out broken bones or dentistry or doing an exam on a patient. If you feel you can professionally, properly treat that patient remotely, then you’re allowed to and you must provide the use of a non-public facing remote technology.
Non-public facing remote communications
So we’re going to talk a little bit about what that is. And these are not the end-all be-all lists. But what the government is saying is some of these normally in our telehealth world, we would enter in with a business associate agreement and put all these security safeguards in place. But because they want to encourage people to use telehealth in these challenging times to be able to provide care, they’re seeing some of these video chats such as Apple FaceTime, Facebook Messenger, Google Hangouts, Skype, and Zoom. These are OK to use even if you don’t have a business associate agreement with them. So that’s one of the things they’re saying. So when they talk about non-public facing remote communications, they really want people to be able to communicate in a tele electronic world one-to-one, but they want to make sure they’re non-public facing. So that means that someone just can’t find the session on the internet. It’s not available for everybody.
So these are some non-facing public remote communications that they specifically call out at the enforcement discretion. And I won’t read all of them but Skype, Microsoft Teams, Updox, Webex, Amazon Chime, GoTo Meeting. We saw Zoom for Healthcare on the previous ones. The nice thing about this slide is all of these organizations will go into a business associate agreement with you. So just because the discretion is out there that you don’t need to, if you still can, you still should.
So just some more out there. Now, what are public facing remote communications? So public facing remote communications are basically communication tools where someone could just gain access by going into it. So, for example, if you do a Facebook live and you say, come in, I’ll treat you when you have four or five patients on at the same time, that’s not appropriate. So Facebook Live is public facing. Twitch, TikTok, YouTube Live, Twitter Live, Instagram Live.
These are what you cannot use as they’re considered public facing. And they wouldn’t be under the discretion of the bulletin that was put out. So just to kind of wrap up, what does OCR discretion say for telehealth? What does that document say? So basically it says the Office for Civil Rights will not impose penalties for healthcare organizations if they do not have a business associate agreement for using non-public facing video chats that do not fully meet the HIPAA expectations and for violations of the HIPAA privacy, security, and breach notification rules if you use good-faith provisions in using telehealth in your organization during this national pandemic.
So the other question I always get is when is this expiring? At this point in time, we don’t know. It’ll come out when it expires at the point where it expires. But we’re too much in the middle of this pandemic right now to have an expiration date at this point in time. So some other considerations as you implement telehealth. So you should still try to offer your patients a copy of your notice of privacy practices.
It should be available on your website. You can point them there or you also have the ability to put it in the chat. So like the chat function exists, if you’re using a platform that has a chat function, you can go ahead and put it in there and they can review it and sign off before you start your session. It is also a good idea to have the patient provide consent to be able to have the telehealth treatment.
So these are just some examples of what Jotform has as templates out there that you could use and implement in your organization. This is an example of a notice of privacy practices verification where the patient signs on it. And this is a sample of a telehealth consent form template that Jotform has out there.
Now, again, the nice thing about these is these are within their HIPAA compliant manner that they have out there, their product. But also on top of that is you can just take the link for the form and put it in that chat or email it to the patient prior to the visit and they can complete this. So you have this on file. It’s always important that if you can get it, that you still do try to get it.
Some other inside considerations. You really need to provide telehealth services in a secure private setting. And so we talked a little bit about it in the beginning when we talked about where’s that workspace? But if you’re going to be communicating to patients one-on-one and you’re outside of the office, you’re going to want to make sure you have a secure place. So maybe you actually do go lock yourself in a room such as a bedroom or an office where nobody else can hear or come into you at that point in time.
You should also establish a telehealth policy and procedure that really defines your practices to protect and secure your patient information. In the telehealth policy and procedure, you should also define the processes for gaining consent in the notice of privacy practices signature if you have them. Select a video chat platform to use and set minimum security standards. So if you look back at that list that we provided earlier of the non-public facing platforms, setting some minimum security standards are going to be important.
What I mean by that is that I’m just going to take an example of Zoom. You can create your Zoom session, but maybe you have a password set on it where the patient has to put in a four-digit passcode in order to gain access. I’m sure you’ve heard about the Zoombombing, but people can’t get in without having that passcode. Or maybe you put them in a virtual waiting room where you actually have to approve them to come into the session. So those are some minimum security standards.
If you are able to enter into that business associate agreement, do it. It’s in your best interest, and it’s in their best interest. Do not record the sessions unless you have a business need to do so. And the patient has consented to understanding that you will be recording this. And then you have to think about greater things like how do you save it? Where do you save it? How do you store it? And ultimately how do you destroy it? Because once you record it now, it potentially is an extension of the health or the medical records. So really have a solid business need if there is a need.
Define processes for medical record documentation. If you’re going to be doing the telehealth visit, you’re going to have to have documentation that it existed in what happened during it. So, you know, having a telehealth documentation process is going to be important as well.
So that’s kind of the end. I’m going to pause here for just a minute just to make sure I don’t have any telehealth questions. OK. So the one question we have is the non-public facing, so I did list some of the non-public facing remote communications. The one thing you want to make sure is it’s not accessible easily through the internet. People can’t just find and join, right? So that’s why those public facing Facebook, Live, Twitch, TikTok, those don’t work.
You want to make sure they’re non-public facing and that you have the ability to set up that one to one visit. All right, just to kind of wrap up, I wanted to tell you a little bit more about me and my business Planet HIPAA and introduce you to our HIPAA Autopilot products. So I saw a need for a product to help people get into HIPAA compliance and not just help them, but make it a little less painful.
So I would like to just talk briefly about the HIPAA Autopilot product that Planet HIPAA has owned and invented. And what we like to say is HIPAA compliance just got easier. So what’s in the HIPAA autopilot product? So we provide customized annual risk analysis, guided HIPAA risk management processes, customized HIPAA policies and procedures, customized to your organization and your systems that you have. Unlimited online annual staff training that’s refreshed every year, customized business associate agreements, secure online documentation.
HIPAA Autopilot is an online software as a solution that makes HIPAA compliance easy for you to not only attain, but then continue to maintain HIPAA compliance. We do that through monthly tasks, small, teeny, tiny tasks that keep you in compliance that show that good faith judgment that you are working on your compliance on an ongoing basis. We provide monthly staff education that helps staff know what to expect or if there’s a hot topic going on to let them know about it.
And then we provide webinars for you that are managing HIPAA compliance so that you feel more comfortable not only with the product, but with the regulations. One of the things we also take pride in is when there is an emergency or trending issues, we make sure that our product is agile. So we’ve added some COVID-19 HIPAA updates. So we have a HIPAA telehealth policy that’s now available. We have specific HIPAA telehealth training available for your staff.
We’ve expanded the HIPAA use and disclosure policy and procedure. We built a remote work HIPAA policy. We have the remote work attestation form for your organization as well as the HIPAA work training. So a little bit about this product is it’s available software as a service. We don’t store any protected health information in it. It’s truly just your HIPAA compliance functionality and procedural aspects.
This is something that we are offering all to you right now, we know that times are tough, so we wanted to make sure that you took time. You listened to this video that we provide you with the opportunity to get a discounted lifetime rate to this. So we have two payment plans. The first payment plan is a monthly plan. It’s $99 a month, which is a savings of $50. And then we also have an annual plan, which is $1,499 a year.
But we’re offering it to you at $999 a year. Right now we do have a 30-day money back guarantee. So if you get into this and you say this isn’t working for us or this isn’t the right format, no questions asked within 30 days, we’ll give you your money back. So how do you buy it? Just go to this www.planethipaa.com/start and go ahead and select the option you want monthly or annual and use.
If you’re using the monthly one, use the code Jotform99. If you’re using the annual, it’s Jotform999. And those codes will give you that discount for your lifetime. Again, these codes do expire on May 1. So go ahead and take advantage. If you have any other questions regarding this product, I’d be happy to answer them. So now I am going to turn it over quickly to Annabel from Jotform to talk a little bit about their product.
Annabel: Thanks, Danica. Awesome presentation. And the HIPAA Autopilot tool looks really great. Everyone, I just wanted to give a brief overview about how your healthcare organization can use Jotform if you’re not already familiar. So Jotform is a super easy-to-use online form builder that provides HIPAA-compliant forms and business associate agreements for organizations to collect that very sensitive healthcare information. Some of the common use cases are collecting consent via telehealth, so it’s kind of like the one that Danica showed you before and you can use e-signature fields, usually get the signatures right away.
You can also schedule appointments, gather payments, and do a lot more with the forms as well. And I will send you a link to more features that we have with HIPAA compliance. We also have pre-made templates and the ability to integrate with third-party apps so that you can safely store any of the information that you get. Additionally, I mentioned this earlier, but we are also running a very special program focusing on COVID-19.
It’s called the Coronavirus Responder Program. And this is essentially a program to help eligible first responders such as healthcare workers and nonprofits that want to give back to their communities. And it’s as easy as just filling out a short application form, and then our team will review them and get back to you. We’ve approved thousands of applications so far, so it’s a really popular program among a lot of healthcare organizations. And these plans will be free through August of next year.
So I’ll throw that link in the room, and then we can jump into a Q&A session. So if you have any specific questions, please enter them into the questions tab, and we will do our best to answer them.
Questions and answers
Question: How can new patients get us a photo of their driver’s license and insurance card remotely?
Danika: There are a few options for this. One option is to receive it via email or text message. You can use a secure texting platform, such as iMessage. Another other option is to get a Box.com account. And you can also upload an image via Jotform.
Question: What do you mean by “non public facing?”
Danika: What that’s referring to is apps that you can’t go in public and get access to. An example of a “non-public facing option” is Facebook Messenger communication. You have to be connected to two people in order to start a Facebook Messenger video session, so that’s not public facing. Someone couldn’t just go and find it via the internet; someone couldn’t easily gain access. A “public facing option” is going to YouTube Live or Facebook Live. There’s nothing to prevent people from coming in and seeing that.
Dr. Danica: All right. Thank you, everybody, for joining us for this presentation. I had a great time with all of you. And I hope each and every one of you were able to take a few things out of this presentation that you can use in these challenging and unprecedented times that we find ourselves in. My contact information is on this page, so feel free to email me or reach out to me. Again, hit the Autopilot at a discounted rate. It expires on May 1. And if you’re not ready to jump into HIPAA Autopilot, I understand. We do have a free HIPAA check-up and we will put it in the comments below. The link is right there, and you can go ahead. It’s a very quick 11 questions. Takes less than five minutes, and they’ll kind of give you a perspective of where you are with HIPAA compliance. So thank you, and I hope you stay well.
With HIPAA forms, can the client still get a copy of the signed form by PDF via Email? if not what is the best way to share the signed consent form with them?
Wer is the product