HIPAA Compliant Telehealth Platforms

In the midst of all the chaos caused by the COVID-19 pandemic, one bright spot is the increased availability of HIPAA compliant telehealth options. Quarantines and travel restrictions created a need for patients to be able to access health care remotely. The Department of Health and Human Services (HHS) has scaled down HIPAA enforcement as it relates to telehealth, but that won’t always be the case. 

What should you do now to ensure that you are offering HIPAA compliant telehealth services?

HIPAA Compliant Telehealth: HHS Giveth, but When Will They Take Away?

On March 15, 2020, U.S. states began shutting down in response to COVID-19. The Centers for Disease Control (CDC) reported a 154% increase in telehealth services during the last week of March 2020 over March 2019. As providers worked to provide quality telehealth care for patients during the shutdown, new options had to be considered, some of which had a steep learning curve.

In recognition of the need, HHS issued guidance stating, “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” 

When the public health emergency is rescinded, normal enforcement of HIPAA rules and regulations is expected to return. Earlier this year, the American Medical Association sent a letter to the Director of HHS’s Office for Civil Rights (OCR), asking for a “one-year glide path to compliance, during which physicians and other affected parties shall not be subject to HIPAA audits and other HIPAA enforcement activity related to telemedicine.”


HIPAA Compliant Telehealth Platforms: The Non-Negotiables

While we wait for OCR’s response to the request, there are things that providers and business associates should do now to eliminate potential violations. The overarching principle should be to base any decisions regarding telehealth service platforms or apps on the same criteria you would any other vendor with whom you work.

Here are five must-haves for HIPAA compliant telehealth platforms:

1. The telehealth service, platform, or app should be HIPAA compliant. That means they have gone through the same type of process to achieve HIPAA compliance that you have, including Security Risk Assessments, effective policies, procedures, and training for their employees, and all of the other requirements of the law.

Most companies who are HIPAA compliant will proudly state that somewhere on their website or in their marketing materials because it differentiates them from their competitors and tells potential partners that they are committed to safeguarding the protected health information (PHI) entrusted to them.

2. They are willing to sign a Business Associate Agreement (BAA). Here’s a quick HIPAA 101 refresher. Under HIPAA, healthcare providers and insurance companies are considered covered entities. They are responsible for creating and using patient PHI for treatment, billing, and diagnosis. If electronic protected health information (ePHI) is transferred to another company for purposes such as storage, scheduling, or telehealth, those companies are considered business associates.

If a business associate is HIPAA compliant, they understand that a Business Associate Agreement (BAA) must be signed before any ePHI is transmitted. Failure to do so is a violation of HIPAA. A BAA should specifically address how ePHI is to be protected and the re