Telehealth is the delivery of healthcare, patient education, health information, and self-care via telecommunications and digital communication technologies. Telehealth platforms include (among other things) live video conferencing, mobile health apps, and remote patient monitoring (RPM). The term “telehealth” is broader than the related term “telemedicine.” Telemedicine is defined as the remote diagnosis and treatment of patients using telecommunications technology. Telemedicine is limited to the practice of medicine, while telehealth covers the entire spectrum of healthcare activities and components.

Is Telehealth Subject to HIPAA?

Providing or using telehealth does not alter, modify, or change a covered entity’s obligations under the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, or the HIPAA Omnibus Rule. HIPAA does not contain a specific provision devoted to telehealth. However, if a covered entity uses a telehealth platform that involves protected health information, the entity must meet the same HIPAA requirements (i.e., the HIPAA Privacy Rule and the HIPAA Security Rule) that it would if the service were provided in person. Specific requirements for HIPAA compliant telehealth platforms are discussed below.

  • Business Associate Agreements

Telehealth practitioners frequently consult with, or otherwise work alongside, IT personnel who are completely independent of the medical team. If these IT personnel are exposed to patient data, the telehealth provider may need to enter into business associate agreements with the organizations that employ them. A business associate agreement requires the IT organization to maintain the same confidentiality that HIPAA requires of the provider.

  • Security Risk Analysis

Covered entities that provide telehealth must conduct a HIPAA Security Rule risk analysis. A risk analysis is a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of a security risk analysis encompasses potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that a telehealth provider:

  • Creates;
  • Receives;
  • Maintains; and
  • Transmits.

This includes ePHI in all forms of electronic media. Types of electronic media include (but are not limited to):

  • Hard drives;
  • CDs and DVDs;
  • Smart cards;
  • Personal digital assistants; and
  • Portable electronic storage devices.

The term “electronic media” is defined broadly: it includes something as small as a single computer workstation and something as large as a complex network connecting multiple locations. A telehealth practitioner’s security risk analysis must take into account all ePHI, regardless of the medium in which it was created, received, maintained, or transmitted, and regardless of its source or location.
