With HIPAA in Mind, Intermountain, Others Usher in Age of Virtual Hospitals

Nearly three years ago, Utah-based Intermountain Healthcare launched its first “virtual hospital,” which functions as an advanced form of telehealth for underserved communities. The virtual hospital faces all the same HIPAA privacy and security issues that conventional medical centers and offices face, plus the added challenges that come with managing additional—and constantly changing—processes and vendors for remote electronic connectivity.

In fact, “the development of virtual hospitals and the associated technology stretch HIPAA issues probably to their limit,” says attorney Patricia Shea, a partner with K&L Gates LLP in Harrisburg, Pennsylvania.

HIPAA’s security rule requires that covered entities (CEs) and their business associates, plus all downstream sub-BAs, perform risk assessments to identify threats and vulnerabilities, and to update those risk assessments and revise the management plan whenever there’s been a change to the system, Shea tells RPP.

“The biggest pitfall I see is maintaining a current risk assessment and management plan,” Shea says, emphasizing “current.”

Doing so “is a resource-intensive operation,” she says. “To make matters even more critical, OCR [Office for Civil Rights] has repeatedly explained that it views the risk assessment and risk management obligations as extremely important. I advise my clients that this will be, if not the very first thing, at least one of the first things OCR would request during an audit or in response to a ‘bad event.’”

As telehealth becomes more sophisticated and more virtual hospitals open, the risk assessment and management process becomes extremely complicated, Shea says, adding, “the numbers of connections and the people involved grow exponentially. I think this aspect of HIPAA compliance will be challenging for these virtual hospitals because changes happen every day. Changes could be in the form of new functionality, the addition of new sites and personnel, the need for new training. It’s like a spiderweb of connections.”

She adds that “encryption in transit and at rest is a must. This will not eliminate risk, but not doing so in this day and age is likely hard to excuse.”
