HIPAA for Telemedicine

Telemedicine is defined as the remote diagnosis and treatment of patients using telecommunications technology. Telemedicine is limited to the practice of medicine (the broader term, “telehealth,” encompasses additional healthcare activities and functions, including education, intervention, monitoring, and remote admissions). Telemedicine allows patients who reside in remote locations to have access to medical services quickly and efficiently, without the need to travel. Telemedicine can consist of patients and doctors using video-conferencing and smartphones to communicate in real time. A type of telemedicine called asynchronous (or “store-and-forward”) telemedicine allows providers to share patient PHI, including lab results and diagnoses, with a physician at another location. 

What is HIPAA for Telemedicine?

HIPAA for telemedicine is not a specific legal concept with its own set of rules. Covered entities that provide telemedicine must comply with the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule – just as other covered entities must. Some specific telemedicine applications of the HIPAA Security Rule are discussed below.

HIPAA for Telemedicine: Security Rule

Telemedicine uses a variety of telecom channels to transmit ePHI, and much of that ePHI travels over networks the provider does not control. In some instances, the ePHI “crosses state lines,” such as when a patient residing in one state receives telemedical treatment from a provider in a different state. Telemedicine providers should be mindful of these facts when they develop Security Rule compliance measures.

These measures should include (among others):

  • Restricting access to ePHI to authorized users;
  • Developing a system of secure communication to protect the confidentiality and integrity of ePHI in transit (the Security Rule's transmission security standard);
  • Developing a system of monitoring communications that contain ePHI, so that unauthorized access to or disclosure of ePHI (a potential data breach) is detected;
  • Entering into a business associate agreement with each business associate (an entity that performs certain functions or activities that involve the use or disclosure of protected health information for a covered entity). The business associate agreement must require the business associate to use appropriate safeguards to protect ePHI, and should specify what those safeguards are and contain provisions for data security auditing.

HIPAA for Telemedicine: A Word of Caution

Electronic mail messages play an important role in the world of telemedicine, by allowing doctors and patients to exchange information across state lines, and without the need for an in-person consult.

However, a number of email providers will not enter into business associate agreements with covered entities. Yahoo and Hotmail are just two examples of email providers that do not enter into business associate agreements. A covered entity that uses these providers for ePHI therefore does so at its own risk, and with no written assurance of data protection.

Telemedicine practices, if they are transmitting, creating, maintaining or accessing ePHI through email, should use an email provider that enters into a business associate agreement. A business associate agreement is necessary but not sufficient: the covered entity remains responsible for its own safeguards, such as encrypting messages that contain ePHI and restricting who can access the mailboxes that receive them.