HIPAA for Telehealth
What is Telehealth?
Telehealth is the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Telehealth & telemedicine providers are HIPAA-covered entities to which the HIPAA law generally applies. HIPAA for telehealth consists of telehealth providers’ observing the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, and the HIPAA Omnibus Rule. HIPAA for telehealth is discussed in greater detail below.
What Technologies Are Used in Telehealth?
Technologies used in telehealth include the Internet and wireless communications. Technologies used in telehealth also include live videoconferencing, store-and-forward transmission, mobile health apps, and remote patient monitoring. These are defined as follows:
- Live (synchronous) videoconferencing: Live video conferencing features a two-way audiovisual link between a patient and a care provider
- Store-and-forward transmission: Store-and-forward transmission consists of transmission of a recorded health history to a health practitioner, usually a specialist.
- Mobile health apps: Mobile health apps provide health care and public health information through mobile devices. The information may include general educational information, targeted texts, and notifications about disease outbreaks.
- Remote patient monitoring (RPM): Remote patient monitoring is the use of connected electronic tools to record personal health and medical data in one location for review by a provider in another location, usually at a different time.
The term telehealth is broader than the related term of “telemedicine.” Telemedicine is defined as the remote diagnosis and treatment of patients using telecommunications technology. Telemedicine is limited to the practice of medicine, while telehealth covers the entire spectrum of healthcare activities and components.
What is HIPAA for Telehealth?
HIPAA for telehealth and telemedicine is not a unique legal concept. In fact, both HIPAA and telehealth are intertwined. Telehealth provision or use does not alter, modify, or change a covered entity’s obligations under the HIPAA Security Rule, the HIPAA Privacy Rule, the HIPAA Breach Notification Rule, or the HIPAA Omnibus Rule. HIPAA does not contain a specific provision devoted to telehealth. However, if a covered entity is utilizing telehealth that involves protected health information, the entity must meet the same HIPAA requirements (i.e., HIPAA Privacy Rule, HIPAA Security Rule) that it would if the service was provided in person. Specific “HIPAA for Telehealth” requirements are discussed below.
HIPAA for Telehealth: The HIPAA Privacy Rule
In general, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information (PHI).
Telehealth practices, which are covered entities, frequently require that a telehealth practitioner use the services of a business associate. Information technology (IT) companies frequently perform functions for or provide services to covered entities. If such services involve access by the business associate to protected health information, the HIPAA Privacy Rule comes into play.
Under the HIPAA Privacy Rule, a covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, but only if the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information
HIPAA for Telehealth: Business Associate Agreements
The satisfactory assurances mentioned above, must be in writing, whether in the form of a contract or other agreement between the covered entity and the business associate. The written document embodying the contract is called a business associate agreement or business associate contract.
The contract must describe the permitted and required PHI uses for the business associate. The contract must also state that the business associate will not use or further disclose the protected health information, other than as permitted or required by the contract, or as required by law.
A covered telehealth entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the HIPAA Privacy Rule.
In addition, when a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation. If these steps are not successful, the covered telehealth entity must terminate the business associate agreement. If termination of the contract or agreement is not feasible, a covered entity must report the problem to the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR).
HIPAA for Telehealth: Security Risk Analysis
Telehealth covered entities must conduct a HIPAA Security Rule risk analysis. A security risk analysis consists of conducting a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
What is the Scope of a Security Risk Analysis?
According to guidance issued by the Department of Health and Human Services (HHS), the scope of a security risk analysis encompasses potential risks and vulnerabilities to the confidentiality, availability, and integrity of electronic protected health information (ePHI) that a telehealth provider:
- Creates;
- Receives;
- Maintains; and
- Transmits
Types of electronic media that contain ePHI include (but are not limited to):
- Hard drives;
- CDs and DVDs;
- Smart cards;
- Personal digital assistants; and
- Portable electronic storage devices.
A telehealth provider security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Element 1: Collecting Data
To begin the security risk analysis, the telehealth organization must identify where its ePHI is stored, received, maintained, or transmitted. It can do this in several ways, by:
- Reviewing past or existing projects
- Performing interviews
- Reviewing documentation.
Element 2: Identifying and Documenting Potential Threats and Vulnerabilities
The telehealth provider must then identify and document threats to ePHI that are reasonably anticipated. Organizations must also identify and document vulnerabilities, which, if triggered or exploited by a threat, would create a risk of improper access to or disclosure of ePHI.
Element 3: Assessing Current Security Measures
For this element, the telehealth provider should organizations should address its “state of security.” It should do so by:
- Assessing and documenting the security measures used to safeguard ePHI.
- Assessing and documenting whether security measures required by the Security Rule are already in place.
- Assessing and documenting whether current security measures are configured and used properly.
Element 4: Determining the Likelihood of Threat Occurrence
Organizations must then assess the likelihood of potential risks to ePHI. The results of this assessment, combined with the list of threats identified in element 2, will reveal what threats should be regarded as “reasonably anticipated.”
Element 5: Determining the Potential Impact of Threat Occurrence
After a telehealth organization determines the likelihood of threat occurrence, it must assess the impact of potential threats to confidentiality, integrity, and availability of ePHI. This can be done by assessing the severity of the impact resulting from a threat that triggers or exploits a vulnerability. The assessment should be documented.
A useful way to document Impact severity, is by describing the severity numerically (i.e., assigning a number to how severe an impact is, on a scale of 1 to 10, with 10 being “most severe”).
Element 6: Determining the Level of Risk
In element six, the telehealth provider determines the level of risk. The level of risk is determined by evaluating ALL threat likelihood and threat impact combinations identified in the risk analysis so far.
The level of risk is highest when a threat 1) is likely to occur; AND 2) will have a significant or severe impact on an organization. For example, if a network is completely unsecured, and that network stores all of the telehealth organization’s ePHI, two things are likely to happen: A threat will occur, and its occurrence may have a severe impact on the organization. When threat likelihood and severity are both high, the level of risk should be classified as “high.”
On the other hand, if there is a low risk of a threat occurring, AND the threat’s occurrence will have little to no impact on the organization, the level of risk is relatively low.
Once the telehealth organization has assigned risk levels, it should document those levels, and document what corrective actions are needed.
Finally, once all six elements have been addressed, all documentation should be finalized. In addition, the security risk analysis should be periodically reviewed, and updated, as needed.