We partnered with HITRUST, One Health, and Xtelligent today for a webcast entitled, "Panel Discussion: Security and Compliance in the Era of Telehealth and Virtual Care."
During the panel, a question came up that I thought others would want to know about.
The question was:
"Can you summarize some of the HIPAA privacy and security guidelines that are particularly relevant to telehealth?"
This post explains how I answered the question.
HIPAA Privacy Rule
As you may recall, the Health Insurance Portability and Accountability Act, or HIPAA, became law in 1996.
As the internet became more popular, Congress added HIPAA provisions that mandated the adoption of privacy and security protections.
The first one was the HIPAA Privacy Rule, which went into effect in 2003. In a nutshell, it created a set of national standards for the safeguarding of certain health information, or protected health information (PHI).
The Privacy Rule also introduced a new term, covered entities: health plans, health care clearinghouses, and certain health care providers that conduct health care transactions electronically.
HIPAA Security Rule
The HIPAA Security Rule set national standards for the confidentiality, integrity, and availability of electronic protected health information, or ePHI. It went into effect in 2005.
The Security Rule puts the Privacy Rule into practice by addressing how PHI is used and disclosed, through administrative, physical, and technical safeguards.
Now that we've summarized the HIPAA Privacy and Security Rules, let's move on to telehealth.
An apt definition of telehealth can be found via the telehealth.hhs.gov site:
"Telehealth — sometimes called telemedicine — lets your health care provider provide care for you without an in-person office visit. Telehealth is done primarily online with internet access on your computer, tablet, or smartphone."
There are three generally accepted methods to provide telehealth:
- Talking. Speaking with a health care provider live over the phone or via video.
- Messaging. Sending and receiving messages with a health care provider via secure email, messaging, or file exchange.
- Remote monitoring. Remote monitoring lets a health care provider check on a patient at home. For example, a patient may be given a device to gather vital signs, helping the health care provider stay informed on their progress.
HIPAA privacy and security guidelines as they relate to Telehealth
When the pandemic first hit in March 2020, HHS quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available audio or video communication apps without the risk of incurring HIPAA fines.
This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”
Examples of non-public facing applications include:
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video
Prior to COVID-19, we wrote about Apple FaceTime, Facebook Messenger, WhatsApp, and Skype and whether they were HIPAA compliant. At the time, we deemed them not to be compliant, as none of them provided a business associate agreement (BAA).
Under the Notification of Enforcement Discretion, however, they are now allowed under HIPAA, as long as they are used in a good faith effort to provide audio or video telehealth services during the pandemic.
A couple of things to note here:
- The health care provider must use these apps in good faith during the COVID-19 public health emergency
- Health insurance companies are not covered by the provision
- Public facing apps like Facebook Live, Twitch, and TikTok are not allowed
- The Notification of Enforcement Discretion is still active and currently does not have an expiration date.
In conclusion, the Notification of Enforcement Discretion provision allows healthcare providers to use popular audio or video communication apps like WhatsApp, Skype, and FaceTime to provide telehealth services without fear of incurring HIPAA fines. In the past, these apps would not have been deemed compliant, as their parent companies do not provide a BAA.
Public facing communication apps like Twitch, TikTok, and Facebook Live are not allowed under this provision.
Lastly, the Notification of Enforcement Discretion currently does not have an expiration date.
About HITRUST
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.
About One Health
One Health is a federally qualified health center (FQHC) serving Montana and Wyoming.
As its IT Director, Ryan Schoppe has developed and now oversees both a traditional IT department and also the One Health telehealth network.
Over the seven years that Ryan has served as IT Director, One Health has grown from one clinic and fewer than 30 employees to over 10 clinics and 250 employees.