HIPAA-Compliant Telehealth

This shift is attributed to a trifecta of favorable conditions including consumer adoption, regulatory changes, and providers’ willingness to adopt telehealth. While providers may be willing to adopt new HIPAA-compliant telehealth platforms, choosing the best platform for your private practice requires an understanding of HIPAA, security, privacy, and technology and knowledge of best telehealth session practices. Sound intimidating? Don’t worry. We have you covered.

HIPAA-Compliant Telehealth: Privacy vs Security

First up. HIPAA. In 1996, Congress passed a law, known as the Health Insurance Portability and Accountability Act (HIPAA) to protect an individual’s medical information from being disclosed without knowledge or consent. In other words, health business entities must keep client or patient information private. But what does privacy mean?

Privacy refers to an individual’s right to control his or her personal information and how personal information is used. Think about privacy as using data responsibly. Clients should be informed of what data will be collected, why it’s being collected and with whom. Individuals must consent to this process.

The American Medical Association (AMA) categorizes types of patient privacy into physical privacy, informational privacy, decisional privacy, and associational privacy. Protected Health Information (PHI) breaks down these categories into concrete individual identifying information such as names, locations, or email addresses and also includes past, present, or future data related to conditions, care, or payment.

Additionally, PHI includes oral or recorded information, in any medium that is created or received by a healthcare provider, health plan or healthcare clearinghouse, and business associates. In addition to providers, covered entities and business associates, such as health plans and clearing houses are also required to adhere to HIPAA regulations.

Security

If privacy refers to how personal information is controlled and used, security refers to how personal information is protected, especially against malicious threats and unauthorized access. HIPAA’S Security Rule establishes administrative, physical, and technical safeguards to be adopted to protect electronically identifiable health information. For example, encryption of data at rest and in transit is found in HIPAA-compliant platforms.

Failing to protect clients’ personal health information can be troublesome for providers resulting in potential civil, criminal, and financial penalties ranging from $50 up to a max of $1.5 million annually and 10 years in prison for extreme cases, which makes choosing the best HIPAA-compliant platform critical.

When considering different HIPAA-compliant telehealth platforms, providers need to be aware of a few key factors including a company or vendor’s technology and location, the terms of their contracts, the security of additional features, and administrative factors. A list of questions providers need to weigh when choosing a HIPAA-compliant telehealth platform are:

Technology

• What are the technical requirements? (e.g., minimum Internet Speed)
• Do clinicians and clients need to download software on the computer vs the cloud (web-based)?
• Is the platform HIPAA compliant?
• What security measures are taken? (e.g., firewall, encryption, back-ups, etc.)
• What level of encryption does it have? (e.g., bank-level security)

Location

• Where is the company based?
• Where are the servers and database located?
• Are they in the U.S. or another country?
• If you have clients outside the United States, can you connect with clients outside the U.S.A. on the platform?

Costs and contracts

• What is the cost and what protections does it include for HIPAA-compliant telehealth?
• Is a contract required?
• If so, what are the terms?

Features

• Are other features such as chat, the client portal, EMR, billing, and document management also secure?

Administration/Business

• Does the company provide a Business Associate Agreement (BAA)?
• Is there an additional BAA fee?

This last question is important with regards to HIPAA-compliant platforms as the purpose of a BAA is to ensure that any party providing services/activities on behalf of the covered entity (in this case the provider) will adhere to high standards of PHI protection. If the business you’re using does not require signing a BAA, your practice could be at risk.

Once a HIPAA-compliant platform option is selected for telehealth, providers can take numerous steps at the individual level to ensure that client information is kept confidential. Understanding HIPAA privacy and security violations as related to telehealth is one such example.

HIPAA telehealth violations include:

• Discussing a patient’s care with family and/or friends
• Leaving hard copies of patient records where unauthorized individuals may access them
• Looking at your colleague’s patient’s records out of curiosity
• Allowing family members or friends in the same room during a telehealth session with a client without the client’s consent
• Conducting telehealth sessions with a group of other patients without a client’s consent
• Posting client’s care or PHI
• Working with vendors or individuals who perform functions related to PHI for covered entities who have not provided a signed BAA
• Sharing passwords
• Hacking into software that holds/transmits PHI (i.e., phishing incident, network server hack, video platform, EMR hack)
• Giving an unauthorized person access to PHI
• Stolen or lost an unencrypted device (i.e., laptop, desktop, tablet, or another portable electronic device)

To avoid these situations, privacy and security best practices can be implemented.