HIPAA Compliant Telehealth:

HIPAA Telehealth FAQs

HIPAA compliant telehealth, HIPAA telehealth rules, and HIPAA compliant telehealth technology have evolved over the past year. To give healthcare organizations guidance on how to offer telehealth services while complying with HIPAA standards, this page answers common HIPAA telehealth FAQs.

HIPAA Compliant Telehealth

HIPAA compliant telehealth (sometimes written "HIPAA and telehealth") is the practice of ensuring that the tools you use to meet with patients virtually meet HIPAA requirements.

HIPAA requires healthcare providers to adapt policies and procedures to account for the nuances of operating a remote healthcare practice. This includes training workforce members on how to properly use and disclose protected health information (PHI) in a remote setting, and how to use telehealth platforms and apps while upholding HIPAA standards. These HIPAA guidelines for telehealth ensure that your organization, and workforce members, are aware of their responsibilities toward patient privacy, and keeping PHI secure.

In general, HIPAA telehealth rules require healthcare providers to use HIPAA compliant telehealth platforms to meet with patients virtually. However, during the coronavirus public health emergency, the Department of Health and Human Services (HHS) temporarily allowed providers to use non-compliant video conferencing platforms to offer telemedicine in "good faith," provided that the tools were non-public facing. This means that during the public health emergency, HHS would not seek enforcement surrounding the use of non-compliant video conferencing tools as long as the provider took reasonable precautions to ensure the privacy and security of information transmitted through the platform.

The public health emergency expires May 11, 2023. OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period will be in effect beginning on May 12, 2023 and will expire at 11:59 p.m. on August 9, 2023. OCR will continue to exercise its enforcement discretion and will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules that occurs in connection with the good faith provision of telehealth during the 90-calendar day transition period.

Alaska. Alaska’s HB 29, effective as of March of 2020, requires insurance carriers providing coverage for in-person mental health benefits to cover the same benefits through telehealth. This law is an example of a mental health parity law.

Colorado. SB 20-212, signed by the Governor in the summer of 2020, prohibits insurance carriers from requiring an existing patient-provider relationship as a prerequisite for telehealth treatment. The bill also requires state Medicaid programs to reimburse federally qualified health centers for telehealth services given to Medicaid recipients, at the same rate as in-person services.

Idaho. Executive Order No. 2020-13, signed by Governor Brad Little in June of 2020, makes temporarily waived restrictions affecting telehealth permanent.

Iowa. SF 226, signed by the Governor at the end of June of 2020, requires mental health professionals treating students in a school setting to establish a patient-provider relationship with those students.

Louisiana. Louisiana HB 449 updates the Louisiana Behavioral Health Services Provider Licensing Law and the Louisiana Telehealth Access Act, to provide for the delivery of behavioral health services via telehealth.

Maine. Maine SP 676, an emergency measure signed by the Governor in March of 2020, requires that at least some behavioral case management services covered by the MaineCare program be delivered through telehealth, without requiring qualifying criteria regarding a patient’s risk of hospitalization or admission to an emergency room. MaineCare provides health care coverage for Maine’s children and adults who are elderly, disabled, or with low incomes.

Maryland. SB 402 and HB 448 hold healthcare providers offering telehealth services to the same standard of clinical care that applies in in-person settings. The new legislation also requires telehealth practitioners to provide, or refer the patient for, in-person care or another type of telehealth service, if clinically appropriate.

Michigan. Michigan HB 5412 prohibits health insurers issuing policies to Michigan residents from requiring face-to-face contact between a provider and a patient for services the insurer has determined are appropriately provided by telehealth. Related legislation, HB 5413, imposes the same restriction on group or nongroup healthcare corporation certificates. The certificate is evidence of an enrollee’s coverage.

Missouri. Missouri HB 1682 permits physicians to establish a physician-patient relationship via a telehealth encounter, provided the relevant clinical standard of care does not require an in-person visit. 

New York. SB 8416, signed by Governor Andrew Cuomo in June of 2020, expands New York’s definition of telehealth and telemedicine to include audio-only forms of telehealth (i.e., telephone).

North Carolina. SB 361 is one of the more innovative telehealth reforms on the state level. This law enacts the “Psychology Interjurisdictional Licensure Compact,” the purpose of which is to increase public access to professional psychological services by allowing telepsychological practice across state lines, as well as temporary in-person, face-to-face services in a state in which the psychologist is not licensed to practice psychology.

Utah. Utah HB 313 broadens the scope of what “telemedicine” is. The law also requires certain health benefit plans to provide telehealth coverage parity and commercially reasonable reimbursement for telehealth services.

Virginia. HB 1332 directs the state Board of Health to develop and implement a Statewide Telehealth Plan to promote an integrated approach to the introduction and use of telehealth services and telemedicine services. The bill requires the Plan to include, among other provisions, provisions for (i) the use of remote patient monitoring services and store-and-forward technologies, including in cases involving patients with chronic illness; (ii) the promotion of the inclusion of telehealth services in hospitals, schools, and state agencies; and (iii) a strategy for the collection of data regarding the use of telehealth services. HB 1701 directs the Department of Health to determine the feasibility of establishing a Medical Excellence Zone Program, to allow Virginia residents living in rural underserved areas to receive medical treatment via telemedicine from providers in states that border Virginia. 

Washington. SB 5385 requires telemedicine parity; the law requires health insurers to reimburse providers for telemedicine services at the same rate as health care service provided in-person.  

West Virginia. HB 4003 requires insurance coverage of certain telehealth services after July 1, 2020.

At the beginning of the coronavirus public health emergency, CMS temporarily expanded telehealth reimbursement. These temporary measures were set to expire once the public health emergency was lifted, however, there were pleas to make the reimbursement permanent to improve access to care for rural communities. In December 2020, Congress agreed to expand permanent telehealth access for rural communities for certain medical specialties. 

HIPAA video conferencing uses non-public-facing, HIPAA compliant video tools for telehealth and telemedicine. To be considered HIPAA compliant, a video conferencing vendor must be willing to sign a business associate agreement (BAA) before the platform is used with PHI. The platform must also offer security measures that ensure the confidentiality, integrity, and availability of PHI.

Security measures to look for include:

  • Access controls. Provides each user with unique login credentials so that PHI is accessible only to authorized users, and only to the extent their role requires.
  • User authentication. Ensures that users are who they claim to be. This may be accomplished through multi-factor authentication (MFA), which requires users to present more than one factor to gain access to sensitive information (e.g., a password plus a biometric or a one-time code; security questions alone are a weak second factor).
  • Audit controls. Records and monitors access to PHI, so that access can be reviewed against the minimum necessary standard and unauthorized access can be detected after the fact.
  • Automatic logoff. User sessions are terminated automatically after a set period of inactivity (e.g., 5 minutes, 10 minutes).
  • Encryption. Prevents unauthorized access to PHI by converting data, both in transit and at rest, into a format that can only be read with the decryption key.
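As an added example (not code from the original page or from any particular telehealth vendor), the following Python model shows how three of the safeguards above fit together in a telehealth session service: the access check is tied to a role-based minimum-necessary policy, every allowed and denied access is written to an audit log, and an idle session is logged off automatically. The role names, the 10-minute idle limit, the patient identifiers and the sequence of requests are all assumptions constructed for illustration; a real deployment would take the policy from configuration and write the audit entries to tamper-evident storage.

```python
"""Illustrative model of access controls, audit controls and automatic logoff
for a telehealth service. Added example; all names and values are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Minimum-necessary policy: the resources each role may access (assumed roles).
ROLE_PERMISSIONS = {
    "clinician": {"notes", "medications", "video_session"},
    "scheduler": {"appointments"},
    "billing": {"appointments", "insurance"},
}

IDLE_TIMEOUT = timedelta(minutes=10)  # automatic logoff threshold (assumed)


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime
    active: bool = True


@dataclass
class AuditLog:
    """Append-only list of access decisions; every attempt is recorded."""
    entries: list = field(default_factory=list)

    def record(self, when, user, patient_id, resource, outcome):
        self.entries.append({"time": when.isoformat(), "user": user,
                             "patient": patient_id, "resource": resource,
                             "outcome": outcome})


class TelehealthService:
    def __init__(self, audit):
        self.audit = audit
        self.sessions = {}

    def login(self, user, role, mfa_verified, now):
        # User authentication: no session unless the MFA step completed.
        if not mfa_verified:
            self.audit.record(now, user, None, "login", "denied-no-mfa")
            return None
        if role not in ROLE_PERMISSIONS:
            self.audit.record(now, user, None, "login", "denied-unknown-role")
            return None
        session = Session(user, role, now)
        self.sessions[user] = session
        self.audit.record(now, user, None, "login", "ok")
        return session

    def access(self, user, patient_id, resource, now):
        session = self.sessions.get(user)
        if session is None or not session.active:
            self.audit.record(now, user, patient_id, resource, "denied-no-session")
            return False
        # Automatic logoff: idle longer than the threshold ends the session.
        if now - session.last_activity > IDLE_TIMEOUT:
            session.active = False
            self.audit.record(now, user, patient_id, resource, "denied-idle-logoff")
            return False
        session.last_activity = now
        # Access control: the role must be permitted this resource.
        if resource not in ROLE_PERMISSIONS[session.role]:
            self.audit.record(now, user, patient_id, resource, "denied-role")
            return False
        self.audit.record(now, user, patient_id, resource, "ok")
        return True


def denied_attempts(audit):
    """Audit review: every entry where access was refused."""
    return [e for e in audit.entries if e["outcome"] != "ok"]


def run_demo():
    """Constructed sequence of requests; returns the decisions and the log."""
    audit = AuditLog()
    svc = TelehealthService(audit)
    t0 = datetime(2023, 6, 1, 9, 0)
    svc.login("dr_lee", "clinician", True, t0)
    svc.login("pat_b", "billing", False, t0)  # MFA step not completed
    results = [
        svc.access("dr_lee", "P-1001", "notes", t0 + timedelta(minutes=2)),      # allowed
        svc.access("dr_lee", "P-1001", "insurance", t0 + timedelta(minutes=3)),  # wrong role
        svc.access("pat_b", "P-1001", "insurance", t0 + timedelta(minutes=3)),   # no session
        svc.access("dr_lee", "P-1001", "notes", t0 + timedelta(minutes=20)),     # idle logoff
        svc.access("dr_lee", "P-1001", "notes", t0 + timedelta(minutes=21)),     # session ended
    ]
    return results, audit


if __name__ == "__main__":
    decisions, log = run_demo()
    print(decisions)
    for entry in denied_attempts(log):
        print(entry)
```

Encryption is deliberately absent from the model: in practice it is supplied by the platform's TLS and storage encryption rather than by application logic, and the audit log itself is PHI-adjacent and must be protected accordingly.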

There are several HIPAA compliant telehealth platforms to choose from. Some HIPAA compliant telehealth apps include:

In addition to teleconferencing tools, there is other technology that is frequently used for telemedicine. This technology may include online appointment scheduling apps, email platforms, and EHRs, among others. HIPAA telehealth rules require providers to use HIPAA compliant telehealth technology for all of these purposes.

A virtual private network (VPN) extends a private network across a public one. Traffic between the user’s device and the VPN gateway travels through an encrypted tunnel, so anyone observing the network in between (for example, on a shared WiFi network) sees only ciphertext. A VPN does not, however, protect data on the device itself, at the VPN gateway, or beyond it, and it complements rather than replaces the telehealth platform’s own encryption and access controls.

VPNs for HIPAA are commonly provided by a firewall vendor as part of a network security package, allowing remote users to connect back to the corporate network through the firewall from remote locations. A user can join whatever WiFi connection is available and then bring up the VPN before handling PHI.

By connecting to the VPN before opening a telehealth platform, the platform’s traffic is inside the encrypted tunnel from the moment it is launched. A VPN can quickly and easily add a layer of telehealth security whether sessions are conducted from a home office or another remote location, provided the VPN client is kept patched and its logins are protected with MFA like any other remote access.
