In the wake of the COVID-19 pandemic, many patients have turned to telehealth services in lieu of traditional doctor's visits. To increase access to telehealth services, the Department of Health and Human Services (HHS) temporarily eased restrictions, specifically on the use of certain telecommunication tools. However, telehealth is likely here to stay; providers wishing to continue offering telehealth services once the pandemic has passed must ensure that they are using HIPAA compliant tools.


Telehealth Services: HIPAA Privacy and Security

Healthcare providers offering telehealth services have the same obligations under HIPAA as traditional providers. HIPAA requires that the confidentiality, integrity, and availability of protected health information (PHI) be maintained. This is accomplished through administrative, technical, and physical safeguards.

This is particularly important for preventing healthcare breaches: since the start of the COVID-19 pandemic, attacks on cloud service providers (the services used to access information from remote locations) have increased by 630%.

When choosing telehealth tools, consider the following:

Security risk assessment: sending a security risk assessment (SRA) to multiple vendors is a good way to determine which tool is best for your practice. A security risk assessment measures the vendor's safeguards against HIPAA standards, and upon its completion the gaps in the vendor's safeguards are identified. As part of your due diligence, the vendor must agree to address those gaps through remediation efforts before you begin working with them. Vendors that are unwilling or unable to address gaps shouldn't be used for telehealth services.

Security controls: to be HIPAA compliant, telehealth tools must have security controls. These can come in many forms; however, there are certain security controls that should be looked for in any software. These are as follows:

Encryption: converts PHI into a format that can only be read with a decryption key. This protects PHI from unauthorized access, supporting the confidentiality, integrity, and availability of PHI.

User authentication: unique login credentials ensure that users are who they claim to be. Multi-factor authentication (MFA) is recommended to strengthen security further. MFA requires multiple distinct credentials for user authentication: a username and password in combination with security questions, a one-time PIN, biometrics, etc.

Access controls: access controls are enabled through the use of unique login credentials, limiting access to PHI based on each employee's job role. According to the HIPAA minimum necessary standard, employees should only have access to the PHI that they need to perform their job function.

Audit controls: also enabled through the use of unique login credentials, audit controls monitor access to PHI. Audit controls establish normal access patterns for each employee, which makes it possible to verify adherence to the minimum necessary standard and mitigates the risk of insider breaches.

Business associate agreement: dictates the safeguards that vendors (business associates) must have in place to protect the PHI that they create, receive, transmit, store, or maintain on your behalf. A business associate agreement (BAA) is a legal agreement that limits the liability of each signing party, as each is responsible for its own HIPAA compliance.
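The access-control and audit-control points above can be checked mechanically against a PHI access log. The following is an added example, not code from the original article: it assumes a constructed log line format ("timestamp user role action record_type patient_id") and a constructed role-to-record-type map, flags reads outside a role's minimum-necessary set, and flags users who touched far more distinct patients than their role peers.

```python
import re
from collections import defaultdict
from statistics import median

# Minimum-necessary map (constructed): which PHI record types each job role needs.
ROLE_PERMISSIONS = {"physician": {"chart", "labs", "notes"},
                    "billing": {"demographics", "insurance"},
                    "scheduler": {"demographics", "appointments"}}

# Constructed audit-log lines; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01T09:02:11Z jsmith physician read chart P1001
2024-03-01T09:30:02Z bwong billing read insurance P1001
2024-03-01T09:31:15Z bwong billing read chart P1001
2024-03-01T10:00:00Z sclark scheduler read appointments P2002
2024-03-01T10:02:00Z tlee scheduler read demographics P3001
2024-03-01T10:02:10Z tlee scheduler read demographics P3002
2024-03-01T10:02:20Z tlee scheduler read demographics P3003
2024-03-01T10:02:30Z tlee scheduler read demographics P3004
malformed line
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)\s*$")

def parse_log(text):
    """Parse audit lines into dicts, silently skipping malformed lines."""
    keys = ("ts", "user", "role", "action", "record", "patient")
    return [dict(zip(keys, m.groups())) for m in map(LOG_RE.match, text.splitlines()) if m]

def minimum_necessary_violations(events):
    """Accesses to record types that the user's role does not need."""
    return [e for e in events
            if e["record"] not in ROLE_PERMISSIONS.get(e["role"], set())]

def volume_anomalies(events, factor=3):
    """Users who touched more than `factor` x the median distinct-patient count of their role peers."""
    patients = defaultdict(set)  # (user, role) -> distinct patient ids touched
    for e in events:
        patients[(e["user"], e["role"])].add(e["patient"])
    by_role = defaultdict(dict)  # role -> {user: distinct patient count}
    for (user, role), ps in patients.items():
        by_role[role][user] = len(ps)
    flagged = []
    for users in by_role.values():
        for user, n in users.items():
            peers = [m for u, m in users.items() if u != user]  # leave-one-out baseline
            if peers and n > factor * median(peers):
                flagged.append(user)
    return sorted(flagged)
```

A user with no role peers cannot be scored by the volume check, so in practice a per-user historical baseline should be kept alongside the peer comparison.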

Another aspect to consider is whether the telehealth tools integrate with your electronic health record (EHR) system. Integration with EHR systems is essential to comply with the "availability of PHI" requirement of HIPAA.

Telehealth Services: How to Ensure Compliance

To reinforce HIPAA compliance while using telehealth services, your practice should develop policies and procedures surrounding the proper use and disclosure of PHI. Employees must be trained on your organization's policies and procedures as well as on HIPAA standards. To ensure that employees will comply with your policies and procedures, and with HIPAA, employees must legally attest that they have read and understood the training material and that they agree to adhere to it.