In all the chaos caused by the COVID-19 pandemic, one bright spot is the increased availability of HIPAA approved telehealth platforms. Behavioral health providers were quick to adopt these new methods of providing care, and many patients have been helped in a more convenient way.

The Department of Health and Human Services (HHS) scaled down HIPAA enforcement related to telehealth as long as there is a declared public health emergency, but at some point, things will return to normal. What should you do now to ensure that your behavioral telehealth platform is HIPAA compliant?

HIPAA Compliant Telehealth Platforms For Behavioral Health: HHS Giveth, but When Will They Take Away?

On March 15, 2020, U.S. states began shutting down in response to COVID-19. The Centers for Disease Control (CDC) reported a 154% increase in telehealth services during the last week of March 2020 over March 2019. As providers worked to provide quality telehealth care for patients during the shutdown, new options had to be considered, some of which had a steep learning curve.

In recognition of the need, HHS issued guidance stating, “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” 

When the public health emergency is rescinded, regular enforcement of HIPAA rules and regulations will return. Earlier this year, the American Medical Association sent a letter to the Director of HHS’s Office for Civil Rights (OCR), asking for a “one-year glide path to compliance, during which physicians and other affected parties shall not be subject to HIPAA audits and other HIPAA enforcement activity related to telemedicine.”

HHS Secretary Xavier Becerra told reporters in October that he would give 60 days’ notice to states, healthcare providers, and other stakeholders before lifting the public health emergency. 


HIPAA Compliant Telehealth Platforms For Behavioral Health: The Must-Haves

There are steps that behavioral health providers and business associates should take now to eliminate potential violations. The overarching principle is to evaluate any telehealth service platform or app against the same criteria you would apply to any other vendor with whom you work.

Here are five must-haves for HIPAA compliant telehealth platforms:

  1. The telehealth service, platform, or app should be HIPAA compliant. That means they have gone through the same type of process to achieve HIPAA compliance that you have, including Security Risk Assessments, effective policies, procedures, and training for their employees, and all of the other requirements of the law.

    Most companies who are HIPAA compliant will proudly state that somewhere on their website or in their marketing materials because it differentiates them from their competitors and tells potential partners that they are committed to safeguarding the protected health information (PHI) entrusted to them.
  2. They are willing to sign a Business Associate Agreement (BAA). Here’s a quick HIPAA 101 refresher. Under HIPAA, behavioral healthcare providers and insurance companies are considered covered entities. They are responsible for creating and using patient PHI for treatment, billing, and diagnosis. If electronic protected health information (ePHI) is transferred to another company for purposes such as storage, scheduling, or telehealth, those companies are considered business associates.

    If a business associate is HIPAA compliant, they understand that a Business Associate Agreement (BAA) must be signed before any ePHI is transmitted. Failure to do so is a violation of HIPAA. A BAA should specifically address how ePHI is to be protected and the responsibilities of both parties.
  3. They have a secure and compliant cloud service with data encryption. Behavioral health providers understand that patient privacy and security concerns in telehealth are just as important as they are when delivering in-person treatment. Your telehealth partner must be able to securely store and protect your patients’ ePHI. Their network and services must meet all of the requirements of the HIPAA Security Rule.

    Encryption is a minimum requirement, but knowing how the service protects your data while in transit, at rest, being stored, and at deletion is also essential. Encryption during sessions is vital to secure video telehealth delivery by preventing data from being accessed by an unauthorized “man-in-the-middle.”
  4. They have robust access controls or can effectively implement access control measures. Access controls help fulfill the requirements of the HIPAA Privacy Rule and the Security Rule by limiting access to information to only authorized individuals.

    Multi-factor authentication for provider login is an essential requirement under the HIPAA Security Rule. The platform should also include features such as automatic log-out systems on devices and the ability to provide unique user login credentials and passwords to patients and authorized users.

    Highly secure cloud access controls separate HIPAA compliant telehealth platforms from those that are not. For example, only specific versions of Zoom are considered to be HIPAA compliant apps. If a provider uses the non-compliant version of Zoom, anyone who has (or guesses) the meeting code could drop into a private medical telehealth call.

    Many cases of this activity, called “Zoom-bombing,” occurred as companies, schools, and even medical providers had meetings or consultations interrupted by internet trolls who disrupted online meetings.
  5. They conduct periodic risk assessments and self-audits as appropriate. A HIPAA compliant telehealth platform or application will be able to track and audit the processing, transmission, storage, and proper disposal of ePHI that they possess.

    At a minimum, assessments and self-audits should be conducted annually. A good rule of thumb is that the more data the telehealth app or platform stores, the more often self-audits should be conducted. Self-audits should also include scanning for unusual activity on the network. This can assist with preparing an effective response to a cyberattack or breach incident.


HIPAA Compliant Telehealth Platforms For Behavioral Health: Nailing it vs. Failing it

Another option that can simplify your business life is utilizing the services of a HIPAA compliant Managed Service Provider (MSP) to help with selecting the right mix of applications, services, equipment, and vendors to meet the needs of your organization. Compliancy Group maintains a list of Endorsed MSPs to assist you, leaving you free to focus on your practice and your patients.
