Background Image

Blog Post

Dec 09

Telehealth and HIPAA

Progressing through 2020 we saw more services provided to patients and more clinical tasks occurring remotely.  The use of HIPAA-compliant teleconferencing and telecommuting tools is essential for practices to remain compliant.

We recommend practices that provide Telehealth (audio and video) services to patients do so only using HIPAA-compliant services and follow all the rules and guidelines from CMS and other payers.  This helps ensure you are set up for success.  When the temporary waivers end you will continue normal operations while others will need to learn new workflows or applications.

The U.S. Department of Health and Human Services (HHS) states, “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.” 

There are several things to consider when deciding on your primary Telehealth platform (ease of use, EMR integration, bandwidth requirements, patient-side ease of use).  As a covered entity, you must also consider whether the platform is HIPAA-compliant.

When selecting digital partners to support care delivery and all other aspects of your practice that handles PHI, ensuring workflows and systems are compliant is a must.  We recommend working with an independent expert to ensure all audits are conducted and documented properly (since that’s where the fines and penalties get assessed).  To select the right support team, register on our site and GET HELP for Practice Compliance. 

Our colleagues at Compliancy Group evaluated a few common teleconferencing tools, giving some amplifying information on (these links go to their site):

They also provided the following:

Telehealth and HIPAA Compliant Software Usage

Under HIPAA, software companies that “touch” PHI are considered business associates. For HIPAA compliant use, software must have technical and administrative safeguards securing the protected health information (PHI) that is transmitted, stored, received, maintained, or created through it. 

Additionally, there must be a signed business associate agreement (BAA) before the platform can be utilized in conjunction with PHI. A BAA is a legal contract that mandates that the business associate has the proper safeguards to secure the PHI that is transmitted through their platform. Additionally, a BAA states that each signing party, both the covered entity and the business associate, is responsible for maintaining its own compliance. Lastly, it determines which party is responsible for reporting a breach should one occur. 

However, no software is fully HIPAA compliant straight out of the box, so it is up to the end user to ensure that they are using the platform in a HIPAA compliant manner, with HIPAA compliant configurations enabled. 

  • Access controls. Provide users with unique login credentials to ensure that PHI is only accessible to authorized users.
  • User authentication. Ensures that users are who they appear to be. This may be accomplished through the use of multi-factor authentication (MFA). MFA requires users to enter multiple credentials to gain access to sensitive information (i.e. username and password, biometrics, security questions, etc.).
  • Audit controls. Monitors access to PHI, ensuring that PHI access is in accordance with the minimum necessary standard.
  • Automatic log-off. User access is automatically terminated after a set period of time (i.e., 5 minutes, 10 minutes).
  • Encryption. Prevents unauthorized access to PHI by converting data into a format that can only be read with a decryption key.

If you want additional information on HIPAA compliance, Telehealth, or other healthcare topics, you can GET HELP and additional information to assist your practice.