HIPAA Compliant Telehealth Platforms: The Non-Negotiables
While we wait for OCR’s response to the request, there are things that providers and business associates should do now to eliminate potential violations. The overarching principle should be to base any decisions regarding telehealth service platforms or apps on the same criteria you would any other vendor with whom you work.
Here are five must-haves for HIPAA compliant telehealth platforms:
1. The telehealth service, platform, or app should be HIPAA compliant. That means they have gone through the same type of process to achieve HIPAA compliance that you have, including Security Risk Assessments, effective policies, procedures, and training for their employees, and all of the other requirements of the law.
Most companies that are HIPAA compliant will state this prominently somewhere on their website or in their marketing materials, because it differentiates them from their competitors and tells potential partners that they are committed to safeguarding the protected health information (PHI) entrusted to them.
2. They are willing to sign a Business Associate Agreement (BAA). Here’s a quick HIPAA 101 refresher. Under HIPAA, healthcare providers and insurance companies are considered covered entities. They are responsible for creating and using patient PHI for treatment, billing, and diagnosis. If electronic protected health information (ePHI) is transferred to another company for purposes such as storage, scheduling, or telehealth, those companies are considered business associates.
If a business associate is HIPAA compliant, they understand that a Business Associate Agreement (BAA) must be signed before any ePHI is transmitted. Failure to do so is a violation of HIPAA. A BAA should specifically address how ePHI is to be protected and the re