How does HIPAA apply to telehealth?

The healthcare industry has experienced a significant shift towards telehealth in recent years, with technology advancements playing a vital role in this change. Telehealth has made healthcare more accessible, especially for people living in remote areas or those with mobility issues. However, as healthcare providers embrace telemedicine, it is essential to understand how the Health Insurance Portability and Accountability Act (HIPAA) applies to this digital landscape.

Does HIPAA apply to telehealth?

During the COVID-19 pandemic, the Department of Health and Human Services (HHS) relaxed some HIPAA enforcement, granting temporary exemptions to telehealth providers. However, as announced by HHS, these exemptions will expire on May 11, 2023. Telehealth providers must now ensure they comply with HIPAA requirements, which can be complex and daunting.

What is telehealth?

Telehealth, or telemedicine, refers to the remote delivery of healthcare services through technology, allowing healthcare providers to interact with patients and exchange information without being physically present. It includes video conferencing, remote patient monitoring, and online consultations, among other digital tools.

Telemedicine has become an essential part of modern healthcare, offering increased accessibility, cost-effectiveness, and convenience for both patients and providers. As technology has advanced and the need for remote healthcare has grown, telemedicine has become an increasingly essential aspect of healthcare delivery.

In the know:

• Stay informed about the latest trends and technologies to provide the best care to your patients.
• Familiarize yourself with the HIPAA requirements for telemedicine.
• Explore new telehealth tools and platforms that can help streamline the patient experience and enhance the efficiency of your practice.

Are Telehealth providers covered entities or business associates under HIPAA?

Under HIPAA, both covered entities and business associates are required to protect the privacy and security of patients' health information. To understand HIPAA compliance in telemedicine, determine whether telehealth providers fall into one of these categories.

Covered entities include healthcare providers, health plans, and healthcare clearinghouses that transmit health information electronically. Telehealth providers offering healthcare services and managing patients' health information electronically are covered entities under HIPAA.

Business associates are third-party organizations that perform certain functions or services on behalf of covered entities that involve the use or disclosure of protected health information (PHI). Telemedicine platform providers, electronic health record (EHR) vendors, and other service providers that handle PHI on behalf of telehealth providers are considered business associates.

Next steps:

• Identify whether your telehealth organization is a covered entity or a business associate under HIPAA.
• If you are a covered entity, ensure you have proper agreements in place with your business associates, such as business associate agreements (BAAs), outlining their responsibilities in maintaining HIPAA compliance.
• Regularly review and update your BAAs to ensure they reflect current regulations and any changes in your telehealth services.
• Perform due diligence when selecting telemedicine platform providers and other business associates, ensuring they have a solid track record of maintaining HIPAA compliance.

How does the HIPAA Privacy Rule apply to telemedicine?

The HIPAA Privacy Rule establishes standards for protecting patients' PHI, including ePHI, which is often handled during telemedicine encounters. Telehealth providers must adhere to the Privacy Rule by safeguarding the confidentiality and integrity of patients' health information.

Essential aspects of the Privacy Rule for telemedicine include:

• Use and disclosure of ePHI: Telehealth providers should use and disclose ePHI only for authorized purposes, such as treatment, payment, or healthcare operations. Any other uses or disclosures generally require patient authorization.
• Patient consent: Telehealth providers must obtain appropriate consent from patients before sharing their ePHI with other healthcare providers unless it is for treatment purposes.
• Notice of Privacy Practices (NPP): Covered entities must provide patients with a clear and concise NPP, informing them of their privacy rights and how their information may be used or disclosed.

Putting it into practice:

• Develop and implement privacy policies and procedures that address the use and disclosure of ePHI in telemedicine.
• Train your telehealth staff on HIPAA Privacy Rule requirements and protecting patient privacy.
• Obtain patient consent before sharing their ePHI for purposes other than treatment, payment, or healthcare operations.
• Provide patients with a Notice of Privacy Practices, making sure it is easily accessible and understandable.
• Regularly review and update your privacy policies to ensure they align with the latest HIPAA requirements and industry best practices.

How does the HIPAA Security Rule affect telemedicine?

The HIPAA Security Rule is particularly relevant for telemedicine providers who transmit, store, and process health information electronically. Telehealth providers must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

Essential aspects of the Security Rule for telemedicine include:

• Administrative safeguards: Telehealth providers should develop and implement policies and procedures to manage the selection, development, implementation, and maintenance of security measures that protect ePHI.
• Physical safeguards: These measures involve securing the physical environment where ePHI is stored or accessed, such as server rooms or workstations used by telehealth staff.
• Technical safeguards: Telemedicine providers must implement security technologies, such as encryption, HIPAA compliant email, and other secure communication channels, to protect ePHI from unauthorized access or disclosure.

Practical tips for compliance:

• Conduct a thorough risk assessment to identify potential security vulnerabilities and develop a risk management plan to address them.
• Implement administrative, physical, and technical safeguards based on your risk assessment results, considering your telemedicine practice's unique needs.
• Use secure communication channels for telemedicine consultations, including encryption and HIPAA compliant video conferencing platforms.
• Establish strong authentication and access control measures, such as multi-factor authentication, to verify the identities of both patients and healthcare providers.

What should telehealth providers do in case of a data breach?

Data breaches can have severe consequences for both patients and healthcare providers, including potential HIPAA violations and financial penalties. Telehealth providers must be prepared to handle potential data breaches and understand their responsibilities under HIPAA's Breach Notification Rule.

The Breach Notification Rule for telemedicine includes:

• Identifying a breach: Telehealth providers should have a process in place to detect and investigate potential breaches involving ePHI.
• Notifying affected individuals: If a breach is confirmed, telehealth providers must notify affected individuals "without unreasonable delay" and no later than 60 days after discovering the breach.
• Reporting to HHS: In addition to notifying affected individuals, telehealth providers must report the breach to the HHS Office for Civil Rights (OCR). For breaches affecting fewer than 500 individuals, providers can report within 60 days of the end of the calendar year in which the breach was discovered.
• Media notification: For breaches affecting 500 or more individuals, telehealth providers must also notify prominent media outlets serving the affected area.

How to handle data breaches:

• Develop and implement a breach response plan that outlines the steps your organization will take in the event of a data breach.
• Train your staff on how to identify potential data breaches and the procedures for reporting and investigating them.
• Establish a system for documenting and tracking data breaches, including the actions taken in response to each breach.

How can telemedicine providers stay HIPAA compliant?

Maintaining HIPAA compliance is an ongoing process that requires continuous effort and adaptation to evolving regulations and industry standards. Telehealth providers must prioritize training and awareness to ensure that their staff, technology, and processes comply with HIPAA requirements.

Ongoing HIPAA compliance for telemedicine requires:

• Regular training: Telehealth providers should ensure that all employees who handle ePHI receive regular training on HIPAA requirements and the organization's privacy and security policies.
• Awareness campaigns: Conduct awareness campaigns to inform employees about the importance of HIPAA compliance and their responsibilities in protecting patient privacy and data security.
• Periodic risk assessments: Perform risk assessments regularly to identify potential vulnerabilities and address them proactively.
• Monitoring and audits: Regularly monitor and audit your telehealth platform and processes to ensure that privacy and security measures function effectively.
• Continuous improvement: Update your privacy and security policies, procedures, and technologies as needed to maintain compliance with evolving regulations and industry best practices.

Pro-tip: These above steps could help with insurance claims in case of a breach leading to monetary penalties. According to Embroker Insurance, having policies in place and following preventative best practices is something insurers look at when evaluating claims. 

How to select HIPAA compliant telehealth platforms and Vendors

Telehealth providers should carefully evaluate potential platforms and vendors to ensure they meet the necessary security and privacy standards.

Key considerations are:

• HIPAA compliance: Verify that the platform or vendor has a history of maintaining HIPAA compliance and has the safeguards to protect ePHI.
• Business associate agreement (BAA): Ensure the vendor is willing to sign a BAA. Without a BAA, the platform can not be considered HIPAA compliant.
• Security features: Evaluate the platform's security features, such as encryption, access controls, and secure communication channels, to ensure they meet HIPAA requirements.
• User experience: Consider the platform's ease of use for both patients and healthcare providers. A user-friendly platform can help minimize errors and enhance the overall telemedicine experience.
• Integration capabilities: Assess whether the platform can easily integrate with your existing systems, such as electronic health records (EHRs) or practice management software.

How can Telehealth providers prepare for post-COVID-19 HIPAA compliance?

As the COVID-19 pandemic subsides and temporary HIPAA exemptions expire, telehealth providers must transition from the relaxed compliance measures implemented during the pandemic to long-term, sustainable HIPAA compliant practices. This process requires careful planning and a proactive approach to ensure a smooth transition.

How to bring telehealth practices into compliance:

1. Review and update policies and procedures: Assess your current privacy and security policies, procedures, and practices to identify any areas requiring updates or improvements to meet HIPAA requirements.
2. Assess telemedicine platforms and vendors: Reevaluate your telemedicine platform and any third-party vendors to ensure they are fully HIPAA compliant and have the necessary safeguards in place to protect ePHI.
3. Train staff on updated policies and procedures: Provide comprehensive training to all telehealth staff on the updated privacy and security policies, procedures, and practices, emphasizing the importance of HIPAA compliance in a post-COVID-19 world.
4. Establish a clear communication plan: Develop a plan to communicate any changes in telehealth practices to your patients, ensuring they are aware of their privacy rights and the measures taken to protect their ePHI.

Go deeper: 

• HIPAA enforcement discretion for COVID-19 to expire midnight, May 11, 2023 
• Telehealth HIPAA compliance after the COVID-19 exemption ends

What is the future outlook for telehealth and HIPAA compliance?

The widespread adoption of telemedicine during the COVID-19 pandemic has demonstrated the value and potential of remote healthcare services. As telemedicine continues to evolve, HIPAA compliance will remain a critical consideration for ensuring the privacy and security of patients' health information.

Trends and factors influencing the future of telemedicine and HIPAA compliance:

1. Ongoing regulatory updates: Expect ongoing updates to HIPAA and other healthcare regulations to address remote healthcare services' unique challenges and opportunities. A recent example is Washington's My Health My Data Act. 
2. Integration of emerging technologies: Integrating innovative technologies, such as artificial intelligence and machine learning, into telemedicine platforms will require close attention to HIPAA compliance and the protection of ePHI.
3. Increased emphasis on cybersecurity: With the growing reliance on digital platforms for healthcare services, there will be an increased focus on cybersecurity to protect sensitive patient information from data breaches and other security threats.
4. Patient privacy awareness: As patients become more aware of their privacy rights and the importance of protecting their health information, they will likely demand greater transparency and accountability from telehealth providers regarding HIPAA compliance.