Telehealth Security and Workflow Optimization

As the final blog post in our telehealth series, we will highlight security and workflow considerations for providers to enhance their telehealth platform and integrate it better into existing workflows. If you missed the other blog posts in this series, you can find them in the links below. 

Hospitals and provider groups across the country were the first to feel the effects of COVID-19 as they scrambled to adopt or dramatically increase telehealth visits when stay-in-place measures took effect. Managing patients remotely through virtual settings at scale became critical. Two major questions bubbled up as providers switched over to this new medium.

1- Platform Security – how do you ensure that a telehealth platform is HIPAA compliant and secure given that most of the audio/video technologies are non-healthcare specific and have been experiencing data breaches and security issues?

2- Workflow Integration – how do you integrate this platform into existing workflows for a seamless experience for physicians and other members of the care team?

Securing your Telehealth Platform

While selecting a telehealth platform, it is vital to ensure that it has a strong security foundation in place. Protecting electronic protected health information (EPHI) involves implementing reasonable and appropriate safeguards that fall into two broad categories. Platform security involves having the right balance of administrative and technical safeguards in place.

Administrative Safeguards

Administrative Safeguards are used to secure electronic protected health information (EPHI), to manage the conduct of the entity’s workforce, and to comply with Federal, State, and local laws. Having reliable processes in place to handle sensitive information is critical for telehealth entities. Failure to follow any one of the policies or procedures could result in both criminal and civil penalties.

Notable policies include workforce clearance, training, incident handling and management, business continuity and disaster recovery, business associate contracting, and procedures to evaluate each policy.

A well-designed platform is both modular and flexible and will quickly adapt to any changes to laws, security threats, and governance principles.

Technical Safeguards

Organizations contracting with telehealth platforms must ensure that reasonable and appropriate Technical Safeguards are implemented. These are critical when it comes to transmitting, storing, and viewing video and audio content that may contain Protected Health Information (PHI).

Technical implementation must include access controls and identity management, authentication and authorization, encryption and decryption of data, and backup and recovery strategies.

A secure platform is expected to deploy tools including Security Information and Event Management (SIEM), Web Application Firewalls (WAF), File Integrity Monitoring (FIM), Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS), along with Data Loss Prevention (DLP).

Technology Standards

A good telehealth partner must be able to demonstrate compliance with HIPAA and other regulatory requirements, which usually entails certification.

HITRUST is the gold-standard compliance framework in the healthcare industry. HITRUST CSF requires telehealth platforms subject to HIPAA, along with their third-party business associates, to meet HIPAA requirements and offer proven data and security protection.

The ISO 27001 framework is an ISMS (information security management system) to ensure the confidentiality, integrity, and availability of all data. An ISMS also ensures that security arrangements are tuned to keep pace with changes to security threats, vulnerabilities, and business impacts.

Look for these seals of excellence on your partner’s portals.

In addition to the safeguards outlined in the sections above, telehealth applications and platforms should be built around 5 security best practices.   

Secure Foundation 

1 – Simplicity: the system is designed as simply as possible to minimize potential errors.

2 – Depth: by layering defense mechanisms, a system can reduce the chance of a successful attack.

3 – Separation: all approved resource access attempts should be granted based on more than one condition.

4 – Psychological Acceptability: security mechanisms should not make resources more difficult to access than if there were no security mechanisms present.

5 – Fail-Safe Defaults: by default, users do not have access to any resources until explicit access has been granted.
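
As an added illustration (not part of the original post or any vendor's code), the sketch below shows how principles 3 and 5 can look in an access check for a telehealth visit. The roles, actions, and class names are hypothetical, and the sample users in the comments are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:                      # hypothetical user record
    user_id: str
    role: str
    mfa_verified: bool

@dataclass
class Visit:                     # hypothetical telehealth visit
    visit_id: str
    care_team: set = field(default_factory=set)

# Fail-safe defaults: only (role, action) pairs listed here are ever allowed.
# Anything not explicitly granted, including unknown roles or actions, is denied.
ROLE_GRANTS = {
    ("physician", "join_visit"),
    ("physician", "view_recording"),
    ("nurse", "join_visit"),
}

def authorize(user, visit, action):
    """Return (allowed, reason). Access requires every condition to hold."""
    try:
        # Separation: three independent conditions, none sufficient alone.
        checks = [
            ((user.role, action) in ROLE_GRANTS, "role has no explicit grant"),
            (user.user_id in visit.care_team, "user not on this visit's care team"),
            (user.mfa_verified is True, "MFA not verified"),
        ]
    except Exception:
        # A malformed or missing input is treated as a denial, never as a pass.
        return False, "error evaluating policy"
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "all conditions met"

if __name__ == "__main__":
    visit = Visit("v1", {"dr_a", "rn_b"})            # constructed sample data
    for u, act in [
        (User("dr_a", "physician", True), "view_recording"),
        (User("rn_b", "nurse", True), "view_recording"),
        (User("dr_c", "physician", True), "join_visit"),
        (User("dr_a", "physician", False), "join_visit"),
        (None, "join_visit"),
    ]:
        print(getattr(u, "user_id", None), act, authorize(u, visit, act))
```

The denial reason is useful for audit logging on the server side; what is shown to the end user can be a generic message.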

Provider Workflow Integration

The millions of new patients participating in telehealth put pressure on providers to pivot to accommodate the demand. Telecommunication and video conferencing mastery is necessary so providers can stay relevant and reap the cost and efficiency benefits of telehealth. See Telemedicine – Healthcare’s New Differentiator.

Integrating telehealth and associated processes into existing workflows will be essential to get physician adoption and buy-in. 

Below are some areas to consider when implementing or scaling telehealth. 

Scheduling and Triaging

Define guidelines and a workflow for telehealth visits versus face-to-face (F2F) visits. Establish a tipping point for an in-person visit versus scheduling a telehealth visit. When the tele-hospitalist asks for a nurse to facilitate an abdominal exam, are they prepared to do so virtually? If an acute stroke is suspected, an established on-call tele-neurologist process to complement your existing care pathways can help. It is very important to have these processes and decision points integrated into your existing workflows and to ensure scheduling staff are trained on and understand these new processes and guidelines.

Point of Care Integration

It is vital to have the telehealth solution integrated tightly with your EMR and other solutions used by your physicians and care teams. A sound process will help achieve higher levels of physician adoption. Solutions that support single sign-on (SSO) and patient context sharing are very beneficial in reducing the number of clicks and steps physicians need to reference data in their EHR while using the telehealth solution. Also, when your physician starts their telehealth visit, the more relevant information you can seamlessly provide, the more effectively she or he will be able to diagnose and treat the patient.

Telehealth visits, much like F2F visits, are time-constrained, and Natural Language Processing (NLP) technologies can act as a ‘virtual assistant’ to the medical provider. NLP can analyze all of the patient’s historical data, structured and unstructured, identify relevant clinical indicators, medications, allergies, and prior conditions/procedures, and deliver considerable time savings and an efficiency boost to physicians. Physicians are able to glean insights into the patient’s medical history that they may have otherwise missed, engage with the patient in the telehealth visit to understand their symptoms and concerns, and create an optimized care plan that rewards everyone.

Clinical Documentation and Path to Payment

Telehealth visits often have different documentation requirements when compared to in-person visits. This has direct implications on provider reimbursement. For instance, when managing Medicare Advantage patients, physicians need to assess and document the patient’s Hierarchical Category Codes (HCCs) in addition to their chief complaint. Not all HCC codes can be assessed and captured in a telehealth visit as in an F2F visit, and so it is critically important for physicians to understand this discrepancy. The use of tightly integrated Risk Adjustment solution workflows can significantly help physicians’ efficiency and reduce an organization’s compliance and audit risk. For more information around Risk Adjustment coding guidelines associated with a telehealth visit, see Telehealth HCC Coding Guidelines – What’s In, What’s Not?

Telehealth Security and Workflow Summary – Iterate, Iterate, Iterate

Telehealth will play a significant role in care delivery going forward. While this isn’t a new concept to most providers, this medium has moved from a nice-to-have to a must-have patient visit solution. The associated workflow and security challenges described in this blog can be overcome, turning what may have been viewed as a communication burden into a strategic advantage. Providers can protect PHI data from outside threats through the adoption of certified standards. The telehealth platform can be seamlessly integrated into the provider’s workflow through process and technology refinements, updated policy guidelines, and staff training. Everyone is a winner.

Telehealth Blog Series Summary

In this blog series on telehealth, we have identified critical considerations and solutions for healthcare organizations ramping up their telemedicine journey. It is by no means an exhaustive list, and requirements and regulations surrounding telehealth will evolve. Iteration is the key to telehealth adoption and growth. Workflow, security, documentation, guidelines, and technology leverage are some of the categories that will be continually improved upon well beyond the current pandemic. Telemedicine has arrived as a valuable value-based care asset in the provider’s arsenal for serving patients.

Subscribe to the SHIFT blog to read other Risk Adjustment related articles. Read other topics in the telehealth series that include scheduling, documentation, common pitfalls, and telehealth as a differentiator. See the prior telehealth blog post titled Telehealth HCC Coding Guidelines – What’s In, What’s Not?

To learn more about Talix’s Risk Adjustment, NLP, and AI solutions visit
