Ready for Telehealth? A Readiness Assessment is a Great Check-Up and Planning Tool
This is part two of a two-part blog series about telehealth and privacy and security assessments. In part one, we looked at the current state of telehealth services, the impact of COVID-19 on telehealth, and what the future may look like. If you haven’t read it yet, check it out here. Here in part two, we’re taking a deeper dive into those assessments, including tips on how to conduct an assessment for your organization.
While in recent years, telehealth has slowly gained popularity among patients and providers, the COVID-19 pandemic has skyrocketed adoption to unprecedented rates.
According to the Center for Medicare and Medicaid Services (CMS), before the coronavirus pandemic, about 14,000 Medicaid/Medicare recipients received their care through a telehealth session each week. From the middle of March to early July 2020, that number increased to 10.1 million.
Telehealth’s increased adoption comes with a number of benefits for both patient and clinician—from better planning and outcomes to reduce costs. But telehealth services also introduce greater risks for organizations, including expanding attack surfaces and greater security risks.
While it’s uncertain if some of the regulatory changes from the Center for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR) that facilitated this innovation will continue post-pandemic, the reality is, as more of us adopt more technologies in our personal and professional lives, it’s likely telehealth will continue to be a valuable resource now and in the future.
So if your organization is considering a move into telehealth—whether that’s offering a supporting service, device, or other product—how do you know if you’re ready for the challenge? How do you know where service gaps exist and where you can make an impact?
In part one of this blog series, we shared the value of both a needs assessment and a readiness assessment. While they work together toward similar outcomes for your organization, they serve two different purposes.
As a recap, a needs assessment evaluates current needs in the marketplace to help you determine which of those needs you can address with your telehealth program. It defines the purpose and value proposition for your new service and outlines how that service addresses specific needs for your target population.
A readiness assessment determines your target market—the patient communities you want to serve. A readiness assessment helps you determine how prepared your organization is to implement the new service, where you may have gaps, and what you’ll need to do to successfully grow and scale those services over time.
Are You Ready for Telehealth?
Once you’ve conducted your needs assessment and outlined the service or product you’re ready to offer, you’ll need to tackle your readiness assessment.
A Telehealth Readiness Assessment (TRA) tool is a great place to start. A TRA will give you guidance as you develop your program and help identify the resources you need to improve readiness in specific areas.
As you begin, here are some core areas to consider:
- People, Tools, and Resources
Knowing which technical resources you’ll need for success is key. As you may be aware, there is a shortage of cybersecurity and other industry professionals, so finding and retaining educated, qualified staff is a challenge.
Before you get your telehealth project underway, you’ll want to ensure you have adequate (and qualified) staff, as well as all the resources you’ll need not to just implement your program, but scale it, too. Also, don’t forget about the staff, tools, and resources needed to ensure your program meets all of your privacy, security, and compliance requirements.
- Budget Accordingly
Innovation, as you know, comes with costs, and to be successful, you’ll need executive support to ensure you have the financial support needed to cover the people, tools, and resources we mentioned. Strong governance and executive support will help you budget accordingly, manage your costs over time, and determine your priorities for implementation and scaling and improving your program.
Whether it’s telehealth or in-person visits, electronic health records (EHRs) are a critical component of the healthcare industry today. That’s why it’s important to also take EHR integrations into consideration when developing your telehealth program. To promote adoption and usage, you’ll want to think about supporting EHR integrations for the most commonly used EHR systems in the industry.
To provide the best plan of care and improve outcomes, providers will need instant, current access to patient records, so these integrations are important. And, when you consider how rapidly providers are adopting and using telehealth services, they’ll likely want to use the EHR systems they already have in place, so you’ll want to ensure you provide the most seamless and simple virtual workflow for them. Think of it like this: when a provider uses your telehealth product or service, it should be as close to an in-person visit as possible.
In our personal and professional lives, smart devices are increasingly common. From smart phones to thermostats, many of us use internet of things (IoT) devices frequently. The same is true for the healthcare industry, where we’re seeing increased usage for IoT medical devices. As telehealth services gain momentum, it’s likely related IoT devices will follow suit.
IoT devices help facilitate patient care as they change settings—for example moving from a hospital to a care facility or home. These IoT devices can improve services and outcomes, and also help healthcare organizations decrease overall service expenses.
As the pandemic keeps more people at home, IoT devices can help providers manage and monitor patient health remotely, but it’s more than that. They can also help providers track and administer an increasing number of services, so it’s important to add IoT devices to your list of considerations as you prep for your readiness assessment.
Conducting a Privacy and Security Self-Assessment
While conducting a privacy and security readiness assessment will take time and resources, it doesn’t have to be an expensive undertaking. Luckily, there are a number of resources online and many of these can easily be adapted to meet your organization’s specific needs and objectives.
For example, researchers with the University of Pittsburgh published a study last year designed to develop and validate a privacy and security self-assessment questionnaire for telehealth providers.
This self-assessment outlines 10 domains with related questions to help you determine your current privacy and security state and identify gaps where you need focus. The 10 domains include:
- Policies: For example, do you have privacy policies, business associate agreements, or similar policies in place?
- Storage: For example, if you’re a telehealth services vendor, will protected health information (PHI) be created, stored, or transmitted within your product? How is that PHI managed and protected?
- Consent: For example, has the patient or patient representative given informed consent before using the telehealth service?
- Transmission accessibility: For example, if an organization with proper authorization needs access to the PHI, is it accessible?
- Encryption: For example, as your telehealth service scales, can you enforce encryption requirements for compliance with HIPAA and other regulations?
- Data backup: For example, if there is a disruption or downtime, do you have a data backup plan? Can you provide continuity of services?
- Training: For example, are you providing education and training about privacy and security for everyone who uses your telehealth services?
- Authentication and access control: For example, does your telehealth service require proper authentication (username, strong passwords, two-factor authentication, etc.) for login and access?
- Authorizations: For example, do you require prior written patient authorization before the PHI in your system is shared to other organizations/providers that request it?
- Secure networks: For example, does your telehealth service only connect through secure network? Do you require a VPN or other security controls?
Analyzing Your Self-Assessment to Improve Your Telehealth Program
Once you’ve completed your self-assessment, don’t just shelve the results. You can facilitate program success—both short and long-term—by communicating your findings with your executive team and key stakeholders. It’s important here to share with them the potential financial impact of any of the gaps your assessment uncovered and outline what you need—remember: people, resources, and tools—to bridge these gaps and improve your program.
Also, you’ll want to continue building executive support as you plan, design, implement, and scale your telehealth program.
If trends remain consistent, telehealth services are likely to be part of the healthcare industry now and in the future. Now is the time to find your place—and set your course—for your organization’s role in virtual medicine. Are you ready?
If you have questions about telehealth compliance or risk management issues, reach out to a Clearwater advisor, and we’ll be happy to discuss how to address those challenges and ensure the successful deployment of new solutions and services.
For further insights on where telehealth is going and what it means for your organization, join our webinar The Rise of Telehealth: Planning for the Future scheduled for October 15th.
- Ready for Telehealth? A Readiness Assessment is a Great Check-Up and Planning Tool - September 28, 2020
- Where Telehealth is Going and What It Means for Cybersecurity - September 14, 2020
- Using Clearwater’s IRM|Analysis® Software to Perform an OCR-Quality® Risk Analysis on Telehealth Systems - June 8, 2020