Telemedicine visits are fairly new for many providers and, in a way, they’re like the Wild West. No one is 100% sure which processes to use, which regulations are in effect or which technologies to use. Unfortunately, these uncertainties can lead to unintentional fraud.
For example, some providers may not have a clear procedure for authenticating patient identity before a telehealth visit. As a recent Healthcare Financial Management Association article noted, this could lead to identity theft and medical fraud. Best practices are to require patients to show a photo ID when scheduling a telemedicine appointment or to request that patients show an ID during their visit. Both of these measures should be documented in the patient’s record.
Another risk area for physicians is using consumer-grade video-conferencing software like Zoom, Skype or FaceTime for telehealth consultations. Although these software solutions were permitted by CMS during the COVID-19 public health emergency (PHE), they proved to be very attractive to cybercriminals. Hackers have exploited security holes in consumer-grade software to capture email addresses for phishing and ransomware attacks. To combat this problem, patients need to be educated about safe computer practices. However, that alone is not enough.
Once CMS eliminates the PHE waivers, providers must invest in HIPAA-compliant video-conferencing solutions if they want to continue to offer telemedicine services. Other short-term recommendations to reduce the risk of cyberattacks include enabling encryption and privacy settings on consumer-grade software.