HIPAA Compliant Telehealth: How-Tos and Don’t Dos

What should you do now to ensure that you are offering HIPAA compliant telehealth services?

HIPAA Compliant Telehealth: HHS Giveth, but When Will They Take Away?

On March 15, 2020, U.S. states began shutting down in response to COVID-19. The Centers for Disease Control (CDC) reported a 154% increase in telehealth services during the last week of March 2020 over March 2019. As providers worked to provide quality telehealth care for patients during the shutdown, new options had to be considered, some of which had a steep learning curve.

In recognition of the need, HHS issued guidance stating, “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” 

When the public health emergency is rescinded, normal enforcement of HIPAA rules and regulations is expected to return. Earlier this year, the American Medical Association sent a letter to the Director of HHS’s Office for Civil Rights (OCR), asking for a “one-year glide path to compliance, during which physicians and other affected parties shall not be subject to HIPAA audits and other HIPAA enforcement activity related to telemedicine.”

HIPAA Compliant Telehealth Platforms: The Non-Negotiables

While we wait for OCR’s response to the request, there are things that providers and business associates should do now to eliminate potential violations. The overarching principle should be to base any decisions regarding telehealth service platforms or apps on the same criteria you would any other vendor with whom you work.

Here are five must-haves for HIPAA compliant telehealth platforms:

1. The telehealth service, platform, or app should be HIPAA compliant. That means they have gone through the same type of process to achieve HIPAA compliance that you have, including Security Risk Assessments, effective policies, procedures, and training for their employees, and all of the other requirements of the law.

Most companies who are HIPAA compliant will proudly state that somewhere on their website or in their marketing materials because it differentiates them from their competitors and tells potential partners that they are committed to safeguarding the protected health information (PHI) entrusted to them.

2. They are willing to sign a Business Associate Agreement (BAA). Here’s a quick HIPAA 101 refresher. Under HIPAA, healthcare providers and insurance companies are considered covered entities. They are responsible for creating and using patient PHI for treatment, billing, and diagnosis. If electronic protected health information (ePHI)  is transferred to another company for purposes such as storage, scheduling, or telehealth, those companies are considered business associates.

If a business associate is HIPAA Compliant, they understand that a Business Associate Agreement (BAA) must be signed before any ePHI is transmitted. Failure to do so is a violation of HIPAA. A BAA should specifically address how ePHI is to be protected and the responsibilities of both parties.

3. They have a secure and compliant cloud service with data encryption. Your telehealth partner must be able to securely store and protect your ePHI. Their network and services must meet all of the requirements of the HIPAA Security Rule.

Encryption is a minimum requirement, but knowing how the services protect your data while in transit, at rest, being stored, and at deletion are important as well. Specifically, in the case of telehealth providers, encryption during sessions is vital to prevent data from being accessed by an unauthorized “man-in-the-middle.”

4. They have strong access controls or can effectively implement access control measures. Access controls help fulfill the requirements of the HIPAA Privacy Rule and the Security Rule by limiting access of information to only authorized individuals.

Multi-factor authentication for provider login is a basic requirement under the HIPAA Security Rule. The platform should also include features such as automatic log-out systems on devices and the ability to provide unique user login credentials and passwords to patients and authorized users.

Highly secure cloud access controls separate HIPAA compliant telehealth platforms from those that are not. For example, if a provider uses the non-compliant version of Zoom, anyone who has (or guesses) the meeting code could drop in to a private medical telehealth call.

Many cases of this activity called “Zoom-bombing” occurred as companies, schools and even medical providers had meetings or consultations interrupted by internet trolls who disrupted online meetings.

5. They conduct periodic risk assessments and self-audits as appropriate. A HIPAA compliant telehealth platform or application will be able to track and audit the processing, transmission, storage, and proper disposal of ePHI that they possess.

At a minimum, assessments and self-audits should be conducted annually. A good rule of thumb is that the more data that is being stored by the telehealth app or platform, the more often self-audits should be conducted. Self-audits should also include scanning for unusual activity on the network. This can assist with preparing an effective response to a cyberattack or breach incident.

For examples of HIPAA compliant telehealth platforms, please click here.

HIPAA Compliant Telehealth: Nailing it vs. Failing it

Another option that can simplify your business life is utilizing the services of a HIPAA compliant Managed Service Provider (MSP) to assist with selecting the right mix of services, equipment, and vendors to meet the needs of your organization. Compliancy Group maintains a list of Endorsed MSPs who can do this heavy lifting for you, leaving you free to focus on your practice and your patients.