When COVID-19 hit, providers across the country turned to telehealth as a way to replace office visits and monitor patients at home. Healthcare delivery could not stop—providers had to get creative in how they delivered care to patients.
With HIPAA enforcement relaxed for the duration of the Public Health Emergency (PHE), many providers turned to the first telehealth solution that met their needs. Since a HIPAA compliant platform was temporarily not being enforced as a requirement, providers had many choices and plenty of flexibility in what they could use. Many of these solutions, however, will not be acceptable beyond the PHE. Why? They’re not HIPAA compliant.
In 1996 Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The law protects sensitive patient health information from being disclosed without the patient’s consent or knowledge. Through the Privacy Rule, the goal is to ensure individuals’ health information is properly protected while still allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.
Who is required to comply?
- Every healthcare provider who electronically transmits health information in connection with a standard transaction (such as claims or eligibility checks)
- Health plans
- Healthcare clearinghouses
- Business associates that act on behalf of a covered entity (including telehealth vendors)
HIPAA Compliant Telehealth Platforms in the Wake of COVID-19
Now that COVID-19 is slowing, the lasting power of telehealth is being seen across the healthcare industry. Today more providers are using telehealth to extend patient care, and more patients are willing to adopt the service (or already have). With convenient, patient-centric care top of mind, providers are looking to “meet the patient where they are,” to improve patient engagement, and to make healthcare less fragmented and more continuous.
If you’re considering, or already using, telehealth, it’s essential that safety and security are a top priority. Ensuring your telehealth vendor is HIPAA compliant is crucial for safe and secure patient care. When a provider organization fails to meet the compliance standards, the consequences can be dire: inappropriately shared PHI harms patients through identity theft, data extortion, embarrassment and more, and exposes the organization to enforcement action. Beyond avoiding that harm, HIPAA compliance:
- Ensures privacy and confidentiality
- Gives patients access to their own healthcare data (medical record)
- Reduces fraudulent activity
- Improves the reliability of data systems
HIPAA Relaxed During COVID-19
You’re probably thinking, “Wait, weren’t HIPAA regulations around telehealth relaxed due to COVID-19? Can’t I use applications like Skype and FaceTime?” You’re partly correct. At the beginning of the pandemic, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion: it would not impose penalties for HIPAA violations arising from the good-faith provision of telehealth through non-public-facing remote communication products (such as Skype or FaceTime) during the PHE. The regulations themselves did not change; OCR chose not to enforce them against good-faith telehealth use, which gave providers much more flexibility in healthcare delivery.
When the PHE ends, that enforcement discretion will end with it. Before this happens, it’s essential that:
- Providers already using telehealth consider whether their current platform is HIPAA compliant
- Providers looking to implement a new telehealth program prioritize HIPAA compliance in their vendor evaluation
When the PHE waivers and federal enforcement discretion end, it will certainly be a confusing time. It’s crucial that your organization takes steps now to ensure its telehealth program is HIPAA compliant.
HIPAA Compliant Telehealth - What is It?
To comply with HIPAA for telehealth, both the telehealth platform and the communication channel must be HIPAA compliant. In practice this means:
- Only authorized users should have access to protected health information (PHI), and every user should be individually authenticated
- To protect the integrity of PHI, communications should be encrypted in transit and protected against tampering
- To detect accidental or malicious breaches, access to and transmission of PHI should be logged and monitored
These map directly onto the technical safeguards of the HIPAA Security Rule: access control, audit controls, integrity and transmission security.
HIPAA requires a covered entity to have a written contract with each business associate, ensuring that PHI is safeguarded by everyone who may be able to access it. When you’re evaluating telehealth vendors, confirm that they will sign a Business Associate Agreement (BAA); a vendor that will not sign a BAA cannot handle your PHI, however secure its product looks.
When choosing a telehealth vendor, look for one that is entirely HIPAA compliant. Remember, once the relaxed enforcement ends, compliance will be a requirement, not a recommendation.
Let’s explore a few examples of telehealth features and what to look for when evaluating HIPAA compliance.
Insecure methods of communication, such as Skype, SMS and ordinary email, are not HIPAA compliant. A common telehealth feature providers use is messaging. If your telehealth vendor offers messaging, ensure the tool is a secure messaging solution.
The text messaging feature within HRS PatientConnect is a secure messaging solution. It exists solely for communication between the patient and provider, and cannot be accessed by anyone else. Additionally, all messaging between the patient and provider is encrypted.
The same goes for virtual visit solutions. Many providers are attracted to virtual visits, or telemedicine, to increase patient touch points, improve access, boost revenue, and optimize patient engagement and satisfaction.
If you’re considering offering a video visit capability, HIPAA compliant telemedicine should be the first item on your checklist. Instead of using a consumer video app like Skype, providers should use platforms designed for healthcare. These platforms have built-in measures to protect PHI and are designed with the provider experience in mind. To meet the HIPAA standard for security, video and any associated data must be encrypted in transit, and sessions should not be recorded or stored on the platform.
Here at HRS, we provide HIPAA compliant telehealth and remote patient monitoring solutions. The platform is available for all healthcare providers, from community-based home health agencies and family practices, to integrated delivery networks, and commercial payers.
Using HRS, providers can communicate with their patients and monitor symptoms and medication adherence safely and securely. HRS’ secure platform gives providers the ability to interact with and monitor their patients from the office, the clinic, or on the go through a cloud-based dashboard. It gives patients the flexibility to receive HIPAA-compliant care safely and conveniently, resulting in improved engagement and outcomes.
HIPAA Extends Beyond the Acute Setting
Simply put, when using telehealth solutions providers should prioritize patient privacy and confidentiality just as much as they would for in-office visits or hospital admissions. Under HIPAA, a provider must meet the same requirements via telehealth as in person. Providers are responsible for protecting ALL patient data, both electronic and paper.
To increase access, improve patient engagement and decrease cost of care, telehealth is essential. For telehealth to be possible, safety and security must be a number one priority. If you’re selecting a new telehealth vendor, be sure to choose one that is HIPAA compliant.