HIPAA privacy and security guidelines as they relate to telehealth


We partnered with HITRUST, One Health, and Xtelligent today for a webcast entitled, “Panel Discussion: Security and Compliance in the Era of Telehealth and Virtual Care.”

During the panel, a question came up that I thought others would want to know about.

The question was:

“Can you summarize some of the HIPAA privacy and security guidelines that are particularly relevant to telehealth?”

This post explains how I answered the question.

HIPAA Privacy Rule

As you may recall, the Health Insurance Portability and Accountability Act, or HIPAA, became law in 1996.

As the internet became more popular, Congress added HIPAA provisions that mandated the adoption of privacy and security protections.

The first one was the HIPAA Privacy Rule, which went into effect in 2003. In a nutshell, it created a set of national standards for the safeguarding of certain health information, or protected health information (PHI).

The Privacy Rule also gave birth to a new definition, covered entities. These are health plans, health care clearinghouses, and certain health care providers that conduct health care transactions electronically.

HIPAA Security Rule

The HIPAA Security Rule set national standards for the confidentiality, integrity, and availability of electronic protected health information, or ePHI. It went into effect in 2005.

The Security Rule puts the Privacy Rule into practice by addressing how PHI is used and disclosed, through administrative, physical, and technical safeguards.

Now that we’ve summarized the HIPAA Privacy and Security Rules, let’s move on to telehealth.

Telehealth (Telemedicine)

An apt definition of telehealth can be found via the telehealth.hhs.gov site:

“Telehealth — sometimes called telemedicine — lets your health care provider provide care for you without an in-person office visit. Telehealth is done primarily online with internet access on your computer, tablet, or smartphone.”

There are three generally accepted methods to provide telehealth:

  • Talking. Speaking with a health care provider live over the phone or via video.
  • Messaging. Sending and receiving messages from a health care provider via secure email, messaging, or file exchange.
  • Remote monitoring. Remote monitoring allows a health care provider to check on a patient at home. For example, a patient may be given a device to gather vital signs to help a health care provider stay informed on their progress.

HIPAA privacy and security guidelines as they relate to Telehealth

When the pandemic first hit in March 2020, HHS quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available communication apps without the risk of incurring HIPAA fines.

This notice allows health care providers to use popular applications to provide telehealth services, so long as they are “non-public facing.”

Examples of non-public facing applications include:

  • Apple FaceTime
  • Facebook Messenger video chat
  • Google Hangouts video
  • Zoom
  • Skype
  • Signal
  • Jabber
  • Facebook Messenger
  • Google Hangouts
  • WhatsApp
  • iMessage

Prior to COVID-19, we wrote about Apple FaceTime, Facebook Messenger, WhatsApp, and Skype and whether they were HIPAA compliant. At the time, we deemed them not to be compliant, as none of them provided a business associate agreement (BAA).

Under the Notification of Enforcement Discretion, however, they are now allowed under HIPAA, as long as they are used in a good faith effort to provide telehealth services during the pandemic.

A couple of things to note here:

  • The health care provider must use these apps in good faith during the COVID-19 public health emergency
  • Health insurance companies are not covered by the provision
  • Public facing apps like Facebook Live and Twitch are not allowed
  • The Notification of Enforcement Discretion is still active and currently does not have an expiration date.

Conclusion

In conclusion, the Notification of Enforcement Discretion provision allows healthcare providers to use popular communication apps like WhatsApp, Skype, and FaceTime to provide telehealth services without fear of incurring HIPAA fines. In the past, these apps would not have been deemed compliant, as their parent companies do not provide a BAA.

Public facing communication apps like Twitch and Facebook Live are not allowed under this provision.

Lastly, the Notification of Enforcement Discretion currently does not have an expiration date.

About HITRUST

Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.

In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.

About One Health

One Health is a federally qualified health center (FQHC) serving Montana and Wyoming.

As its IT Director, Ryan Schoppe has developed and now oversees both a traditional IT department and the One Health telehealth network.

Over the last seven years that Ryan has served as IT Director, One Health has grown from one clinic and fewer than 30 employees to over 10 clinics and 250 employees.

About the author

Hoala Greevy

Founder of Paubox. Kayak fishing when I can. Native Hawaiian CEO.
