HIPAA Guidelines on Telemedicine: A Complete Guide

  In February of 2020, the CDC noted that the level of telemedicine visits skyrocketed to about 154 percent more than in 2019. No doubt, with the COVID-19 pandemic plaguing the world, the need for socially distanced doctor visits has been on the rise. Because of this increase, covered entities must take extra care to review the HIPAA guidelines on telemedicine. With healthcare shifting online, protecting your clients is of the utmost importance. Learn more about HIPAA telemedicine guidelines in this complete guide.

What Is ePHI?

Protected Health Information, or PHI, is any personal information about a client regarding their health, billing, or anything else of a confidential nature. In turn, ePHI is any protected health information that is stored electronically or sent out via emails, files, or digital copies of medical reports. Protected health information includes:

  • Patient names
  • Patient billing info
  • Patient contact information
  • Patient social security numbers
  • Patient fingerprints
  • Patient home address

HIPAA rules cover both PHI and ePHI. However, due to the digital nature of ePHI, it is more at risk of being compromised.

HIPAA Security Rule

The HIPAA Security Rule was enacted to protect digital health information. It requires several safeguards to be put in place regarding staff and administrative services. The Security Rule does not, however, specify a type of telemedicine vendor for covered entities to use; the entity should apply its best judgment regarding internet security.

Technical Safeguards

Telemedicine vendors must adhere to the specified HIPAA guidelines. Providers are expected to remain compliant and provide services that protect ePHI. HHS states that technical safeguards should include the following:

  • User Identification: Assign each user a unique identifier so the entity can trace all activity performed while logged into a service
  • Use encryption: The provider should include an encryption function for all messages, files, or reports sent out electronically
  • Establish emergency procedures: Documented procedures that staff follow to access ePHI during an emergency
  • Protect Data Integrity: Patient data and records could mistakenly be altered or even destroyed. The right policies should be designed to prevent compromising data integrity.

Physical Safeguards

Under the HIPAA Security Rule, physical safeguards should also be implemented within the covered entity's workspace. These are measures taken physically, outside of the digital world, to ensure HIPAA compliance. Physical Safeguards should include the following:

  • Facility Security Plan: Have a document describing the policies set in place to protect information from being stolen.
  • Access Control and Validation Procedures: Assign specific access to information according to each individual's role in the workplace
  • Maintenance Records: Keep documentation pertaining to any repairs or work done on the facility in regards to security such as doors or locks.
  • Media Maintenance: Document and create policies for all media usage such as disposal, re-use, or back-up files.
  • Workstation Maintenance: All workstations that have access to ePHI should be under scrutiny. Policies regarding the handling of data should be created, and use restricted to authorized staff.

HIPAA Guidelines on Telemedicine

If you provide a remote health service, you may have questions about specific HIPAA telemedicine guidelines. As HIPAA rules can be vague, a covered entity needs to re-educate itself on the subject matter.

What Is Telemedicine?

Telemedicine is a system that allows professionals within the medical field (e.g., doctors and nurses) to perform health evaluations and check-ups, and to prescribe medication, from a socially distant site. Telehealth communications may be given via video conferencing software, texting apps, or audio phone calls.

Covered Entities

According to the HHS Office for Civil Rights (OCR), all covered entities within the world of medicine, or those labeled "health care providers," are included in the telemedicine HIPAA security rules. A list of included health care providers includes (but is not limited to) the following:

  • Doctors
  • Nurses
  • Physical therapists
  • Chiropractors
  • Pharmacists
  • Hospitals
  • Clinics

This list is not comprehensive. You should check to make sure you are considered a health care provider. If you are an insurance agency that pays for Telehealth services, you are not included under the Notification of Enforcement Discretion Act.

Where Can I Conduct Telehealth Sessions?

You may perform Telehealth services anywhere that is considered a private location, such as your office. Do not give medical advice while others are present in the room or in a public space where someone may listen or overhear patient information. No matter where you provide remote Telehealth services, proper technical and physical safeguards need to be enforced to reduce risk.

Does COVID-19 Affect HIPAA Rules?

The rules and regulations stated by the Health Insurance Portability and Accountability Act regarding compliance and confidentiality have not changed. This is to say that the COVID-19 virus has not altered the privacy or security laws set in place. With concern to ePHI, the same discretion for COVID-19 health information submitted electronically should be enforced.

Secure Messaging

Secure messaging is a bona fide way to ensure HIPAA compliance for ePHI. These messaging services should be easy to use, as they offer interfaces similar to regular texting and video conferencing.

Why Use Secure Messaging?

Many people will question why they cannot use regular texting and video chatting when going into a Telehealth session. The reason is that secure messaging solutions ensure that ePHI stays between the patient and the covered entity. The problem with Zoom, Skype, or any other standard video conferencing service is that they have no safeguards implemented within their systems. This means they run freely over whatever Wi-Fi they are connected to and are subject to being broken into, compromised, or stolen. Telehealth vendors were created to maintain the covered entity's HIPAA compliance. The vendors will only allow authorized personnel access to a Telehealth conference and the accompanying ePHI.

How Does It Work?

Most health care providers should have some knowledge of these applications already, as they have been in use long before the pandemic. This is how the apps generally work:

  • The app limits access to who can use the server.
  • The authorized user will be issued a personal login with which they can enter the app.
  • From there, covered entities can choose what files, documents, and images are viewed by members of their staff.
  • If anyone forgets to log off, these apps have a handy "auto log-off" feature that ensures no ePHI is left open on the screen.

Encryption

When choosing a secure messaging app, be sure that it will encrypt the ePHI. Encryption converts PHI or ePHI into ciphertext that cannot be read without the key. Encryption is necessary for ePHI because it is being sent back and forth between doctors, patients, and other covered entities. While the ePHI travels across the internet, it is susceptible to being stolen. Secure messaging apps should contain a feature that encrypts any messages sent through the interface. With an encryption service, the covered entity can give Telehealth advice without worrying that ePHI is being stolen over public Wi-Fi.

Why Can't I Use Normal Apps?

It is generally not a good idea to use regular apps for Telemedicine. These apps contain no safeguards, no encryption capabilities, and run over public Wi-Fi. Anyone with the knowledge to get past a basic security system would be able to get through and steal this information. This can cost your practice a fortune in fines and, possibly, it can even lead to jail time. Therefore, while patients may find regular apps more familiar, it would be in any covered entity's best interest to find their preferred secure messaging service and recommend it to the patient.

Is Texting HIPAA Compliant?

As a rule of thumb, general SMS messaging should be avoided for Telehealth conferencing. As previously stated, many find texting to be a much easier route of communication, and speedily sharing information between patients and other health care providers is the preferred method. However, being too lax about sharing ePHI could lead down a road of non-compliance and a breach of ePHI. Of course, there are a few exceptions to the rule: there are plenty of secure messaging apps on the market which offer a safeguarded, encrypted SMS messaging system.

What if a Patient Won't Use Secure Messaging?

As a health care provider, you must educate patients on the importance of HIPAA regulations pertaining to their protected health information. After all, patients will not be knowledgeable on all of the HIPAA security and privacy statutes. Let them know that patient confidentiality is of great importance. Without the use of these secure messaging apps, their personal information could be in jeopardy.

BAA Contracts

As per HIPAA guidelines, when entering into a deal with a Telehealth vendor, all covered entities should initiate a Business Associate Agreement (BAA). These contracts require that the business associates handle and safeguard all protected health information, remaining in compliance with HIPAA laws.

What Is a BAA?

A BAA is a contract that covered entities must seek out when employing any third-party service that will handle ePHI or PHI. Examples of a third-party vendor would be an insurance company, a Telehealth vendor, or any third party outside of the medical field lending services to a covered entity. A BAA should control how the business associate uses the ePHI or PHI they will have access to and limit the amount of information they receive. According to the HHS, a Business Associate Agreement should do the following:

  • Lay the groundwork of how third parties may use ePHI or PHI
  • State that ePHI or PHI disclosure outside of what the law requires is considered a direct violation
  • Require that the proper technical and physical safeguards are taken
  • Require the third party to report any breaches in security
  • Relay the disclosure of health amendments
  • Follow HIPAA Privacy and Security rules
  • Require the business associate to report any use of ePHI or PHI files and reports to HHS
  • Require that the third party should destroy all ePHI or PHI if the contract ends
  • Require the third-party entity to hold any third party subcontractors accountable regarding HIPAA guidelines
  • State that if the third party violates contract terms, the contract will immediately end

Who Is Considered a Business Associate?

A business associate exists outside of the realm of the medical world. They generally lend services to aid medical professionals. If you are a business associate and would like to learn more about contracts, you can take a HIPAA business associate course online. Examples of Business Associates are as follows:

  • Telehealth vendors
  • Medical insurance companies
  • Accountants
  • Attorneys
  • Billing companies
  • Encryption services
  • Information technology services

Along with these third-party business associates comes a list of sub-contractors. HIPAA guidelines state that a BAS (Business Associate Sub-contractor agreement) should also be considered. By incorporating a BAA and BAS, you cover the entire chain of third parties with ePHI access.

Why Is a BAA Important?

Entering into a Business Associate Agreement is vital for any covered entity hiring a third-party service. These third parties will have access to a large amount of patient ePHI. Therefore, it is advised that third parties be educated on HIPAA guidelines and Telemedicine guidelines. A BAA exists to keep all entities involved in public health service compliant. In regard to Telehealth vendors, this contract will hold them liable should a breach in security occur. Should HIPAA compliance be violated by a third-party vendor, the contract requires the protection, and where appropriate the destruction, of all ePHI that had been gathered during the time of employment.

Can a BAA Be Violated?

There are several ways a Business Associate Agreement could be violated. If the third-party vendor does not adhere to the HIPAA guidelines for PHI or Telemedicine, that would be considered a contract violation. If the third-party entity violates any section of the contract that had been laid out and agreed upon, consider it a violation. If violated, the contract should be terminated, and any ePHI gathered or stored by the third party needs to be destroyed immediately. If a violation does occur, it should be reported immediately. This could result in thousands of dollars in fines. On the other hand, if no BAA contract has been created, agreed upon, and signed, and a violation of HIPAA laws occurs, it could cost up to $31 thousand in fines.

Finding a Telehealth Vendor

A Telehealth vendor is a company that sells Telehealth software. With the rise in socially distant health conferencing, these vendors have multiplied. Looking into different vendors will take time, as you will want to choose one that fits your practice's needs while minimizing the risk of federal penalties.

Is It What You Need?

Ask yourself whether the vendor you are looking into provides everything you need to stay compliant. Compare the service to your current patient portal to see similarities or differences in software. Ask whether or not the company:

  • Requires a contract
  • Has special equipment
  • Contains a "waiting room" feature
  • Can schedule appointments
  • Can encrypt ePHI

You should also thoroughly research how well protected your ePHI and PHI will be under the company. Look at ratings and reviews, or ask trusted health care providers what they think of the company.

Is It Easy to Use?

A new system will require training. Hiring a vendor with easy-to-use software would keep the momentum flowing smoothly within the office. You're going to want software that is fast and quickly pulls patient information, preventing any drawbacks in waiting time for your patients. If the company offers a live demo, you should try the software out for yourself. You might also have your staff try it and get their opinions on what they like and dislike about the software. If your patients will also have to use this software, then having an easy interface is necessary. Remember that not all patients will be tech-savvy, so complicated software could frustrate people while in use.

Is It Encrypted?

The vendor should provide encryption tools with their services. No encryption is a deal-breaker, as encryption is what secures your ePHI the best. A vendor should offer an encryption tool built on strong, well-tested cryptography to ensure that hackers cannot break their way through. Luckily, most Telehealth vendors know this about encryption, so it should be a common service found amongst an array of Telehealth vendors.

Is It Affordable?

Look into your budget when considering a vendor, and compare the prices vs. services offered. If you are considering a Telehealth vendor but the price isn't matching what you'd like to spend, keep in mind that there are others out there. With Telemedicine becoming a fundamental need in our modern society, you should be able to find an affordable vendor at an affordable price.

Is There a Mobile App?

These days, everyone is on the go, even medical professionals. Mobile apps are a nice touch to send information quickly and safely. See if your vendor offers mobile access so that you can schedule appointments, store information, and check ePHI records whenever, and wherever, you need.

How to Ensure HIPAA Compliance for ePHI

After reading through guidelines, looking at Telehealth apps, and searching for a vendor, there can still be a breach in your security. It couldn't hurt to take a few extra precautions to make sure everyone in your office remains HIPAA compliant.

Regular Meetings

Holding regular staff meetings to go over the telemedicine HIPAA guidelines reminds your employees of the importance of staying compliant. Sometimes, things slip our minds as the workday goes on. A regular reminder would prove effective in keeping your employees and medical office staff mindful of their compliance when handling ePHI.

Audits

You can hire a service to audit your staff's work. A hired third party will look over the safety measures taken within your office regarding emails, messaging, files, reports, images, and any other ePHI or PHI documents. This way, you will be able to pinpoint any cracks in the system. Catching these mistakes early on could save you thousands of dollars and a lawsuit.

Risk Assessment

Assess the risk factors regarding your business. You could do this on your own or hire a service to provide you with a risk analysis. A detailed risk analysis service should do the following:

  • Look into where you store ePHI documents
  • Determine how secure your devices (PCs, laptops, tablets, etc.) are in the office
  • Look over your office's security measures to locate any mistakes
  • Assess the repercussions should there be a security breach
  • Assess how likely it is that your office would endure a breach of security

When ePHI is concerned, there are several different matters to account for to prevent violating HIPAA guidelines. You would benefit from a service that could calculate all of the risk information so you can stay on top of your daily duties.

Appoint a Monitor

Ask a trusted staff member in your office if they would mind taking on the extra task as a monitor. Having a monitor overlook the security measures taken by your staff would keep your employees aware of compliance. A monitor would also ensure that mistakes in details, such as encryption, would be caught early on.

Get Certified

A tried and true method of keeping your staff HIPAA compliant is getting them certified. Certification is not legally mandated by the HHS. However, a HIPAA training certification comes with several benefits, such as:

  • Re-educating staff members on HIPAA compliance and guidelines
  • Re-educating staff on handling ePHI documents
  • Raising your business's credibility
  • Helping you avoid mistakes in securing ePHI
  • Assuring patients their information is in good hands

Since HIPAA laws are changed or added every year, enrolling your staff in a HIPAA guidelines certification program would be a great way to keep your office up-to-date on current compliance statutes.

Hire a Credible Service

With HIPAA guidelines on telemedicine ever-changing, it can be difficult for covered entities to keep their staff up to speed. Covered entities should look into medical office staff training on HIPAA compliance, telemedicine HIPAA guidelines, and how to handle ePHI in the office. HIPAA Exams is here to save you time, money, and unnecessary stress. Our team offers several different services regarding BAAs, vendor credentialing, and HIPAA guidelines training that will keep your staff compliant. View our most popular training courses and discounted bundle programs to get your staff enrolled today.

In the ever-evolving world of healthcare, telemedicine has taken center stage, completely transforming patient care as we know it. Telemedicine has seen explosive growth over the past few years, primarily propelled by the global health crisis.

To help you navigate this budding aspect of digital healthcare, we've created this comprehensive guide covering the nuances of HIPAA guidelines for telemedicine.

Telehealth Growth: The Stats

Reports indicate that telehealth visits surged by a staggering 154% in 2020 compared to the previous year. The convenience of connecting with a healthcare professional from the comfort of your own home has garnered significant attention from all age groups and medical specialties.

In 2021, approximately 80% of consumers acknowledged the vital role telemedicine plays in modern healthcare, a testament to its rapid growth and wide acceptance. This dramatic surge in telehealth implementation offers a compelling glimpse into how digital tools are democratizing healthcare, presenting us with a dynamic new frontier of patient-centric care.

Understanding ePHI

Protected Health Information (PHI) comprises all confidential patient data, whether related to their health status, billing information, or any other personal details. Electronic PHI (ePHI) is all PHI data that gets stored or transmitted electronically, including emails, files, or digital medical reports.

Given the digital nature of ePHI, healthcare providers need to be especially vigilant to prevent data breaches.

Deciphering the HIPAA Security Rule

The HIPAA security rule safeguards digital health information, requiring healthcare providers to implement several precautions regarding staffing and administrative services. While it doesn't mandate specific telemedicine vendors, healthcare providers are encouraged to implement the best judgment relating to internet security.

Technical Safeguards

HIPAA technical safeguards are technological methods aimed at securing Electronic Protected Health Information (ePHI) from unauthorized access and breaches. In the context of telemedicine, these safeguards take on an even more pivotal role in the privacy and security of patient data, given the increased potential risks in remote healthcare delivery.

One unique technical safeguard that must be implemented by healthcare providers in telemedicine is 'Access Control.' This safeguard, consisting of unique user identification, emergency access protocol, automatic log-off, and encryption and decryption measures, ensures that ePHI is accessible only to authorized individuals.

Similarly, 'Audit Controls,' another critical safeguard, require telemedicine providers to implement hardware, software, and procedural mechanisms to record and examine access and activities in systems that contain or use ePHI. These crucial measures not only assure the security of patient data but also reinforce trust, underpinning the patient-provider relationship in the telemedicine realm.

Physical Safeguards

Physical safeguards under HIPAA are primarily focused on physical measures to protect Electronic Protected Health Information (ePHI) and related hardware from theft and damage. As telehealth services frequently involve healthcare professionals working remotely, the implementation of these safeguards takes on a unique twist.

First among these is Workstation Use and Security. Telemedicine necessitates the use of computers and other devices from diverse locations to access and transmit ePHI. In such a case, it's crucial for healthcare practitioners to ensure they use their workstations in a manner that respects HIPAA laws.

This can entail a range of controls, such as shielding screens from unauthorized view and keeping the equipment in a safe and private location. Another significant safeguard is Device and Media Control, which covers the disposal and re-use of media containing ePHI.

This implies that healthcare providers engaged in telemedicine need to have robust procedures in place for efficient data deletion from any hardware that's being discarded or repurposed. These steps ensure the protection and integrity of ePHI, thus securing patient privacy, a cornerstone of successful telemedicine practice.

Compliant Messaging in Telemedicine

Ensuring online messaging is HIPAA compliant primarily revolves around the protection of Protected Health Information (PHI) during transmission from one healthcare professional to another or between a healthcare professional and a patient. To make online messaging HIPAA compliant, several important steps should be observed.

  1. Every platform used for communication must implement strong access controls. This includes having a unique user identification for each user and an automated log-off feature to ensure that PHI can't be accessed by unauthorized individuals.
  2. A crucial part of a compliant platform is the encryption of messages in transit and at rest. This ensures that even if a breach occurs, the data would be unreadable and unusable.
  3. Platforms should include an audit control mechanism to record and monitor access and activities. These controls should keep track of every login attempt and every bit of PHI that is accessed.
  4. A company must use a secure, password-protected communication platform for discussing sensitive health conditions and treatment with patients. There are many third-party HIPAA-compliant text messaging services that offer such solutions.
  5. Organizations or providers should have Business Associate Agreements (BAAs) for third-party vendors who have access to PHI. For online messaging, these vendors would primarily include any software solutions the organization uses.

Following these guidelines can ensure your online messaging system aligns with HIPAA's requirements for compliant, secure, and private communication platforms in healthcare.
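As an added illustration (not code from this article or from any HIPAA Exams product), the Python below sketches the technical safeguards named in the steps above and in the Technical Safeguards section: unique user identification, role-limited access to record fields, automatic log-off after inactivity, and an audit trail whose entries are chained with an HMAC so that alteration or removal is detectable (the Data Integrity safeguard). The user IDs, roles, record and AUDIT_KEY are constructed for the demo; encryption of ePHI in transit and at rest (TLS, AES-GCM via a vetted library) is assumed to wrap this layer and is not shown.

```python
import hashlib
import hmac
import json

# Constructed sample accounts; a real deployment reads these from the identity
# provider. Every person gets a unique user ID (no shared logins).
USERS = {
    "u-1001": {"name": "Dr. Example", "role": "clinician"},
    "u-2001": {"name": "Front Desk", "role": "scheduler"},
}
# Role-based access: the record fields each role may read.
ROLE_FIELDS = {
    "clinician": {"name", "dob", "visit_notes", "billing"},
    "scheduler": {"name", "dob"},
}
INACTIVITY_TIMEOUT = 15 * 60  # seconds of inactivity before automatic log-off
# Hypothetical key that makes audit entries tamper-evident; a real one lives
# in a secrets manager, never in source.
AUDIT_KEY = b"constructed-demo-key-not-for-production"


class EphiStore:
    def __init__(self, records):
        self._records = records
        self._sessions = {}    # user_id -> time of last activity
        self.audit = []        # append-only audit trail (Audit Controls)
        self._prev_tag = b""   # each entry is chained to the previous one

    def _log(self, user_id, action, record_id, outcome, now):
        entry = {"ts": now, "user": user_id, "action": action,
                 "record": record_id, "outcome": outcome}
        body = json.dumps(entry, sort_keys=True).encode()
        tag = hmac.new(AUDIT_KEY, self._prev_tag + body, hashlib.sha256).digest()
        entry["tag"] = tag.hex()
        self._prev_tag = tag
        self.audit.append(entry)

    def login(self, user_id, now):
        if user_id not in USERS:
            self._log(user_id, "login", None, "denied-unknown-user", now)
            return False
        self._sessions[user_id] = now
        self._log(user_id, "login", None, "ok", now)
        return True

    def read(self, user_id, record_id, now):
        """Return only the fields the caller's role permits, or None if denied."""
        last_active = self._sessions.get(user_id)
        if last_active is None:
            self._log(user_id, "read", record_id, "denied-no-session", now)
            return None
        if now - last_active > INACTIVITY_TIMEOUT:
            del self._sessions[user_id]  # automatic log-off
            self._log(user_id, "read", record_id, "denied-auto-logoff", now)
            return None
        self._sessions[user_id] = now
        record = self._records.get(record_id)
        if record is None:
            self._log(user_id, "read", record_id, "denied-no-record", now)
            return None
        allowed = ROLE_FIELDS[USERS[user_id]["role"]]
        self._log(user_id, "read", record_id, "ok", now)
        return {k: v for k, v in record.items() if k in allowed}

    def verify_audit(self):
        """Recompute the HMAC chain; False if any entry was altered or dropped."""
        prev = b""
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "tag"}
            data = prev + json.dumps(body, sort_keys=True).encode()
            expected = hmac.new(AUDIT_KEY, data, hashlib.sha256).digest()
            if not hmac.compare_digest(expected.hex(), entry["tag"]):
                return False
            prev = expected
        return True


def demo():
    """Logins, role-limited reads, an expired session, and an audit check."""
    store = EphiStore({"r-1": {"name": "Pat Example", "dob": "1970-01-01",
                               "visit_notes": "constructed note", "billing": "$0"}})
    t0 = 1_700_000_000.0
    store.login("u-1001", t0)
    store.login("u-2001", t0)
    clinician = store.read("u-1001", "r-1", t0 + 60)
    scheduler = store.read("u-2001", "r-1", t0 + 60)
    expired = store.read("u-1001", "r-1", t0 + 60 + INACTIVITY_TIMEOUT + 1)
    return clinician, scheduler, expired, store.verify_audit()
```

The scheduler sees only the fields its role allows, the clinician's second read is refused once the inactivity window has passed, and every decision, including denials, lands in the chained audit log.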

Role of Business Associate Agreements (BAA)

Under HIPAA regulations, a Business Associate Agreement (BAA) is required when a healthcare provider is using services that will handle or interact with Protected Health Information (PHI). In the context of telemedicine, the BAA is typically a contract between the healthcare provider and the telemedicine platform or service provider. It details the responsibilities that each party has towards the protection of PHI.

As per the HIPAA guidelines on telemedicine, depending on the specificity of the service, healthcare providers must confirm that compliant business associate agreements are in place with each business associate and software vendor. This helps maintain the highest levels of security and integrity of patient data.

The BAA serves as an assurance that the telehealth solution provider will implement all necessary safeguards to protect PHI. If a telemedicine service provider is classified as a 'business associate' under HIPAA, a BAA is required between the healthcare provider and the service provider. It is also noted that the business associates themselves are directly liable under the HIPAA rules.

The Bottom Line

In conclusion, the symbiosis between telemedicine and HIPAA is emblematic of the unfolding fusion of healthcare and technology.

As telemedicine continues to burgeon, becoming an integral part of our healthcare landscape, adherence to HIPAA regulations remains firmly at its core, ensuring the security and confidentiality of patients' electronic protected health information (ePHI). The essence of this dynamic partnership lies in its ability to marry convenience and accessibility with steadfast data protection.

As we venture further into the realm of digital health solutions, we must continue to embrace measures that uphold patient trust and data integrity. Both telemedicine and HIPAA compliance must mark every step of our journey, highlighting that while we move forward in healthcare innovation, we do so without compromising our ethical responsibility to protect patient information.

Don't let the complexity of HIPAA regulations become a roadblock in your telemedicine journey. Navigating through the maze of privacy laws, data protection requirements, and patient confidentiality can be overwhelming, often leaving even seasoned practitioners at risk of accidentally breaching these regulations.

But it doesn't have to be this way. Equip yourself with the skills and knowledge needed to confidently navigate telemedicine laws with our online HIPAA refresher course. Stay updated, compliant, and ensure the safety and privacy of your patients. To avoid any potential slip-ups and to embody the professionalism that's vital to your role, sign up for our course today!