It’s no secret that hospitals and health systems around the country quickly pivoted from in-person to virtual care in the early days of the COVID-19 pandemic. But while many organizations focused on video visits, Washington, D.C.-based Unity Health Care turned its attention to audio-only telehealth.
The federally qualified health center (FQHC) sees about 100,000 patients per year, primarily from underserved populations. The organization was founded in 1985 as Health Care for the Homeless Project.
“Access to audio telemedicine has been critical to providing services during the pandemic,” says Dr. Andrew Robie, Unity Health Care’s chief medical information officer and a practicing family physician. “Many of our patients may not have access to a device that supports video, aren’t familiar enough with their device to have a video visit, or lack the bandwidth or data plan for video.”
About two-thirds of Unity Health Care’s telehealth visits during the pandemic were audio-only, according to Robie. For other organizations, such as FQHCs and community health centers in California, audio-only telehealth made up more than 90% of all virtual visits.
Multiple bills introduced in Congress, such as the CONNECT for Health Act of 2021 and the Ensuring Parity in MA and PACE for Audio-Only Telehealth Act of 2021, aim to remove barriers to providing telehealth services and receiving insurance reimbursement at the federal level. In addition, several U.S. states are looking to make permanent the temporary allowances for audio-only telehealth that were enacted during the COVID-19 public health emergency.
A Window into Fraud and Identity Risk
Generally speaking, audio-only telehealth poses a low privacy and security risk to healthcare organizations.
Telephone calls between providers and patients are compliant with HIPAA as long as they meet two conditions: First, the provider cannot allow the phone carrier or internet service provider to access or store protected health information discussed during the call. Second, the provider cannot share PHI that already existed in an electronic form immediately prior to the call (in other words, information unrelated to the specific reason for the call).
What’s more, the Office for Civil Rights within the Department of Health and Human Services has indicated that it will not impose penalties for HIPAA noncompliance “in connection with the good faith provision of telehealth” during the COVID-19 public health emergency.
Common security best practices can be applied to audio-only visits. For example, secure Wi-Fi networks, virtual private networks and Transport Layer Security will keep encrypted call data secure in transit. Disabling features such as automatic voicemail transcription can ensure that electronic PHI is not shared with the wrong person. In addition, any device that stores patient contact information — especially a smartphone — should be secured to prevent the disclosure of electronic PHI in case it is lost or stolen.
While single visits could be subject to targeted social engineering attacks — for example, by someone trying to steal an individual patient’s identity — audio-only visits don’t represent a large-scale threat, according to Jeremy Grant of the Better Identity Coalition.
“In security, we often talk about scalable attacks and isolated attacks,” Grant says. “A password-based attack — when someone breaks into a database — that’s a scalable attack. There’s one vulnerability but lots of data. Audio-only telehealth is only a single discussion between a patient and a physician. The opportunity for scalable attacks just isn’t there.”
Beyond the visit itself, identity management poses the biggest potential risk. Hospitals and health systems must be careful if they use the same identity management product across several patient-facing products, such as appointment booking or electronic health record access through a patient portal. In this way, the audio-only telehealth visit could provide access to an individual patient’s underlying data layer, Grant says. Organizations need to be especially careful now that the 21st Century Cures Act allows patients to request that their data be shared with third parties.
“The concern is when an application requests access to your records. How do you know the app isn’t posing as someone else?” Grant asks. “Passwords aren’t going to be enough. You need to focus on the bigger picture. Organizations need to look at identity more holistically, instead of using point solutions for different applications.”
Grant’s other concern is the potential for fraud. Under the public health emergency, providers can bill for telephone evaluation and management services in increments of 5 to 10 minutes, 11 to 20 minutes or 21 to 30 minutes.
“Organizations need checks in place to ensure that a telehealth visit was truly delivered and a provider isn’t just billing for a visit that never occurred,” Grant says. In addition, claims cannot be submitted if other billing codes apply to the audio-only visit, such as discussing a patient’s care plan or providing chronic care management services. Systems that check against double-billing or coding for a service that bills at a higher rate are key, he says.
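The billing controls Grant describes (a visit that actually took place, the correct time increment, no double billing, no conflicting service on the same date) can be run as a reconciliation of claims against call-detail records. The example below is added here and is not code from the article or from any organization it quotes; the tier names, the conflicting-service codes, the record layouts and the sample data are all constructed placeholders.

```python
"""Reconcile audio-only telehealth claims against call-detail records.

Added example, not from the article. Tier names, conflicting-service codes and
all sample records are constructed placeholders, not real billing codes.
"""
from collections import Counter

# Telephone evaluation-and-management tiers, using the article's minute increments.
TIERS = {"TEL_5_10": (5, 10), "TEL_11_20": (11, 20), "TEL_21_30": (21, 30)}
TIER_ORDER = ["TEL_5_10", "TEL_11_20", "TEL_21_30"]
# Constructed placeholders for services that may not be billed alongside a phone visit
# (the article names care-plan discussion and chronic care management).
CONFLICTING_CODES = {"CCM_PLACEHOLDER", "CAREPLAN_PLACEHOLDER"}


def tier_for_minutes(minutes):
    """Highest tier a call of this length supports; None if below the lowest tier."""
    for tier, (lo, hi) in TIERS.items():
        if lo <= minutes <= hi:
            return tier
    return TIER_ORDER[-1] if minutes > 30 else None


def audit_claims(claims, calls):
    """Return {claim_id: [reasons]} for telephone claims that fail a control."""
    longest_call = {}  # (patient, date, provider) -> longest call in minutes
    for c in calls:
        key = (c["patient"], c["date"], c["provider"])
        longest_call[key] = max(longest_call.get(key, 0), c["minutes"])
    phone_claims = [c for c in claims if c["code"] in TIERS]
    per_patient_day = Counter((c["patient"], c["date"]) for c in phone_claims)
    conflict_days = {(c["patient"], c["date"]) for c in claims if c["code"] in CONFLICTING_CODES}

    findings = {}
    for c in phone_claims:
        reasons = []
        minutes = longest_call.get((c["patient"], c["date"], c["provider"]))
        if minutes is None:
            reasons.append("no_matching_call")  # billed, but no call record exists
        else:
            supported = tier_for_minutes(minutes)
            if supported is None:
                reasons.append("call_too_short")
            elif TIER_ORDER.index(c["code"]) > TIER_ORDER.index(supported):
                reasons.append("upcoded")  # billed at a higher tier than the call supports
        if per_patient_day[(c["patient"], c["date"])] > 1:
            reasons.append("duplicate_phone_visit")
        if (c["patient"], c["date"]) in conflict_days:
            reasons.append("conflicting_service_billed")
        if reasons:
            findings[c["claim_id"]] = reasons
    return findings
```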