A May (Not Mayday) Newsletter Update on HIPAA Telehealth Compliance
Compliancy Group noted in its April 2023 newsletter that the OCR Notice of Telehealth Enforcement Discretion Under HIPAA expires on May 11. OCR is providing a grace period for telehealth enforcement: through August 9, OCR will not impose penalties on providers for non-compliance with the HIPAA rules that occurs in connection with the good-faith provision of telehealth. Telehealth providers can bring themselves into compliance by ensuring that their telehealth app meets HIPAA requirements.
What is a HIPAA-Compliant Telehealth App?
Providers looking into purchasing a HIPAA-compliant telehealth app are not adrift at sea. A variety of telehealth apps claim to offer HIPAA-compliant telehealth audio, video, or both:
- Skype for Business (Enterprise E3 or E5)
- Microsoft Teams
- Zoom for Healthcare
- G Suite for Enterprise
Before using any of these apps, providers must enter into a business associate agreement with the app vendor. If the vendor does not offer a business associate agreement, or refuses to enter into one, the app is not HIPAA-compliant.
The app must offer a secure and compliant storage service. End-to-end encryption, robust access and audit controls, automatic log-out, multi-factor authentication, and the ability to issue unique user login credentials and passwords to patients and authorized users are critical for Security Rule compliance.
App settings must be properly configured to render the app HIPAA-compliant, and providers are responsible for implementing those settings correctly. To ensure the settings are configured properly, providers may consult their own IT department or a third-party managed IT service (often called an MSP, or managed service provider) that offers technical support to healthcare organizations.
Click here to view information on MSP services and selection guidance. For more information on HIPAA-compliant telehealth, please click here.