HIPAA Guidelines on Telemedicine: A Complete Guide
In February of 2020, the CDC noted that the level of telemedicine visits skyrocketed to about 154 percent more than in 2019. No doubt, with the COVID-19 pandemic plaguing the world, the need for socially distanced doctor visits have been on the rise. Due to this increase, covered entities must take extra care to review the HIPAA Guidelines on telemedicine. With healthcare shifting to online status, protecting your clients is of the utmost importance. Learn more about HIPAA telemedicine guidelines in this complete guide.
What Is ePHI?
Protected Health Information, or PHI, is any personal information about a client regarding their health, billing, or anything else of confidential nature. In turn, ePHI is any public health information electronically stored or sent out via emails, files, or digital copies of medical reports. Public health information includes:
- Patient names
- Patient billing info
- Patient contact information
- Patient social security numbers
- Patient fingerprints
- Patient home address
HIPAA rules serve both PHI and ePHI. However, due to the digital nature of ePHI, it is more at risk of being compromised.
HIPAA Security Rule
The HIPAA security rule was enacted to protect digital health information. HIPAA requires several safeguards to be set in place regarding staff and administrative services. Though the HIPAA security rule does not specify a type of telemedicine vendor for covered entities to use. The entity should implement its best judgment regarding internet security.
Telemedicine vendors must adhere to the specified HIPAA guidelines. Providers are expected to remain compliant and provide services that protect ePHI. HHS states that technical safeguards should include the following:
- User Identification: This will allow the entity to view all user activity when logged into a service
- Use encryption: The provider should include an encryption function for all messages, files, or reports sent out electronically
- Establish emergency procedures: Instructional procedures used by members of the staff team to access ePHI information under emergencies
- Protect Data Integrity: The integrity of patient data and records could mistakenly be altered, even destroyed. The right policies should be designed to prevent compromising data integrity.
Under the HIPAA Security Rule, physical safeguards should also be implemented within the covered entity's workspace. These are measures taken physically, outside of the digital world, to ensure HIPAA compliance. Physical Safeguards should include the following:
- Facility Security Plan: Have a document describing the policies set in place to protect information from being stolen.
- Access Control and Validation Procedures: Assign specific access to information in regard's to each individual's role in the workplace
- Maintenance Records: Keep documentation pertaining to any repairs or work done on the facility in regards to security such as doors or locks.
- Media Maintenance: Document and create policies for all media usage such as disposal, re-use, or back-up files.
- Work Station Maintenance: All workstations that have access to ePHI should be under scrutinization. Policies regarding the handling of data should be created, and authorized use restricted.
HIPAA Guidelines on Telemedicine
By providing a remote health service, you may have questions about specific HIPAA telemedicine guidelines. As HIPAA rules can be vague, a covered entity needs to re-educate on the subject matter.
What Is Telemedicine?
Telemedicine is a system that allows professionals within the medical field (ex. doctors and nurses) to perform health evaluations and check-ups, and prescribe medication from a socially distant site. Telehealth communications may be given via video conferencing software, texting apps, or audio phone calls.
According to the HHS Office for Civil Rights (OCR) all covered entities within the world of medicine, or those labeled "health care providers" are included in the telemedicine HIPAA security rules. A list of included healthcare providers includes (but is not limited to) the following:
- Physical therapists
This list is not comprehensive. You should check to make sure you are considered a health care provider. If you are an insurance agency that pays for Telehealth services, you are not included under the Notification of Enforcement Discretion Act.
Where Can I Conduct Telehealth Sessions?
You may perform Telehealth services anywhere that is considered a private location, such as your office. Do not give medical advice while others are present in the room or in a public space where someone may listen or overhear patient information. No matter where you provide remote Telehealth services, proper technical and physical safeguards need to be enforced to reduce risk.
Does COVID-19 Affect HIPAA Rules?
The rules and regulations stated by the Health Insurance Portability and Accountability Act regarding compliance and confidentiality have not changed. This is to say that the COVID-19 virus has not altered the privacy or security laws set in place. With concern to ePHI, the same discretion for COVID-19 health information submitted electronically should be enforced.
Secure messaging is a bonafide way to ensure HIPAA compliance through ePHI. These messaging operators should be easy to use, as they incorporate similar interfaces as regular texting and video conferencing. Why Use Secure Messaging? Many people will question why they cannot use the regular texting and video chatting when going into a Telehealth session. The reason for this is because secure messaging solutions will ensure that ePHI information stays between the patient and the covered entity. The problem with Zoom, Skype, or any other standard video conferencing server, is they have no safeguards implemented within their systems. This means they run freely when connected to Wi-Fi and are subject to being broken into, compromised, or stolen. Telehealth vendors were created to maintain the covered entity's HIPAA compliance. The vendors will only allow authorized personnel access to a Telehealth conference and the accompanied ePHI. How Does It Work? Most health care providers should have some knowledge of these applications already as they have been in use long before the pandemic. This is how the apps generally work:
- The app limits access to who can use the server.
- The authorized user will be issued a personal log in which they can use to enter the app.
- From there, covered entities can choose what files, documents, and images are viewed by members of their staff.
- If anyone forgets to log-off, these apps have a handy "auto log off" feature that will ensure no ePHI is left open on the screen.
Encryption When choosing a secure messaging app, be sure that it will encrypt the ePHI. Encryption is when any PHI or ePHI information is converted into a series of complex codes. Encryption is necessary for ePHI because it is being sent back and forth between doctors, patients, and other covered entities. While the ePHI travels through cyberspace, it is susceptible to being stolen. Secure messaging apps should contain a feature that encrypts any messages sent through the interface. With an encryption service, the covered entity can perform Telehealth advice without worrying that ePHI is being stolen from public Wi-FI. Why Can't I Use Normal Apps? It is generally not a good idea to use regular apps for Telemedicine. These apps contain no safeguards, no encrypting capabilities, and run through public Wi-Fi. Anyone with knowledge on how to crack through a basic security system would be able to get through and steal this information. This can cost your practice a fortune in fines and, possibly, it can even lead to jail time. Therefore, while patients may find regular apps more familiar, it would be in any covered entity's best interest to find their preferred secure messaging service and recommend it to the patient. Is Texting HIPAA Compliant? As a rule of thumb, general SMS messaging should be avoided for Telehealth conferencing. As previously stated, many find texting to be a much easier route of communication. Speedily sharing information between patients and other health care providers is the preferred method. However, being too lax on the sharing ePHI could lead down a road on non-compliance and a breach in ePHI. Of course, there are a few exceptions to the rule. There are plenty of secure messaging apps on the market which offer a safeguarded, encrypted SMS messaging system. What if a Patient Won't Use Secure Messaging? As a health care provider, you must educate patients on the importance of HIPAA regulations pertaining to their public health information. After all, patients will not be knowledgeable on all of the HIPAA security and privacy statutes. Let them know that patient confidentiality is of great importance. Without the use of these secure messaging apps, their personal information could be in jeopardy.
As per HIPAA guidelines, when entering into a deal with a Telehealth vendor, all covered entities should initiate a Business Associate Agreement (BAA). Business contracts maintain that the business associates will handle and safeguard all public health information, remaining in compliance with HIPAA laws. What Is a BAA? A BAA is a contract that covered entities must seek out when employing any third-party service that will handle ePHI or PHI. Examples of a third-party vendor would be an insurance company, Telehealth vendor, or any third party outside of the medical field lending services to a covered entity. A BAA should control how the business associate uses the ePHI or PHI they will have access to and limit the amount of information they receive. According to the HHS, a Business Associate Agreement should do the following:
- Lay the groundwork of how third parties may use ePHI or PHI
- State that ePHI or PHI disclosure outside of what the law requires is considered a direct violation
- Require that the proper technical and physical safeguards are taken
- Require the third party to report any breaches in security
- Relay the disclosure of health amendments
- Follow HIPAA Privacy and Security rules
- Require the business associate to report any use of ePHI or PHI files and reports to HHS
- Require that the third party should destroy all ePHI or PHI if the contract ends
- Require the third-party entity to hold any third party subcontractors accountable regarding HIPAA guidelines
- State that if the third party violates contract terms, the contract will immediately end
Who Is Considered a Business Associate? A business associate exists outside of the realm of the medical world. They generally lend services to aid medical professionals. If you are a business associate and would like to learn more about contracts, you can take a HIPAA business associate course online. Examples of Business Associates are as follows:
- Telehealth vendors
- Medical insurance companies
- Billing companies
- Encryption services
- Information technology services
Along with these third-party business associates comes a list of sub-contractors. HIPAA guidelines state that a BAS (Business Associate Sub-contractor agreement) should also be considered. By incorporating a BAA and BAS, you ensure the entire realm of third parties with ePHI access. Why Is a BAA Important? Entering into a Business Associate Agreement is vital for any covered entity hiring a third-party service. These third parties will have access to a large amount of patient ePHI. Therefore, it is advised that third parties be educated on HIPAA guidelines and Telemedicine guidelines. A BAA exists to keep all entities involved in public health service compliant. In regards to Telehealth vendors, this contract will hold them liable should a breach in security occur. Should HIPAA compliance be violated by a third-party vendor, the contract serves to protect, and possibly destroy, all ePHI that had been gathered during the time of employment. Can a BAA Be Violated? There are several ways a Business Associate Agreement could be violated. If the third-party vendor does not adhere to the HIPAA guidelines for PHI or Telemedicine, that would be considered a contract violation. If the third-party entity violates any section of the contract that had been laid out and agreed upon, consider it a violation. If violated, the contract should be terminated, and any ePHI gathered or stored by the third party needs to be destroyed immediately. If a violation does occur, it should be reported immediately. This could result in thousands of dollars in fines. On the other hand, if no BAA contract has been created, agreed upon, and signed, and a violation of HIPAA laws occurs, it could cost up to $31 thousand in fines.
Finding a Telehealth Vendor
A Telehealth vendor is a company that sells Telehealth software. With the rise in socially distant health conferencing, these vendors have multiplied. Looking into different vendors will take time as you will want to choose one that fits your practice's needs while minimizing the risk of federal penalties. Is It what You Need? Ask yourself whether the vendor you are looking into provides everything you need to stay compliant. Compare the service to your current patient portal to see similarities or differences in software. Ask whether or not the company:
- Requires a contract
- Has special equipment
- Contains a "waiting room" feature
- Can schedule appointments
- Can encrypt ePHI
You should also thoroughly research how well protected your ePHI and PHI will be under the company. Look at ratings and reviews, or ask trusted health care providers what they think of the company. Is It Easy to Use? A new system will require training. Hiring a vendor with easy-to-use software would keep the momentum flowing smoothly within the office. You're going to want software that is fast and quickly pulls patient information, preventing any drawbacks in waiting time for your patients. If the company offers a live demo, you should try the software out for yourself. You might also have your staff try it and get their opinions on what they like and dislike about the software. If your patients will also have to use this software, then having an easy interface is necessary. Remember that not all patients will be tech-savvy, so complicated software could frustrate people while in use. Is It Encrypted? The vendor should provide encryption tools with their services. No encryption is a deal-breaker, as this coding method is what secures your ePHI the best. A vendor should offer an encryption tool with an intense amount of cybersecurity to ensure that hackers cannot break their way through. Luckily, most Telehealth vendors know this about encryption, so it should be a common service found amongst an array of Telehealth vendors. Is It Affordable? Look into your budget when considering a vendor, and compare the prices vs services offered. If you are considering a Telehealth vendor but the price isn't matching what you'd like to spend, keep in mind that there are others out there. With Telemedicine becoming a fundamental need in our modern society, you should be able to find an affordable vendor at an affordable price. Is There a Mobile App? These days, everyone is on-the-go, even medical professionals. Mobile apps are a nice touch to send information quickly and safely. See if your vendor offers mobile access so that you can schedule appointments, store information, and check ePHI records whenever, and wherever, you need.
How to Ensure HIPAA Compliance for ePHI
After reading through guidelines, looking at Telehealth apps, and searching for a vendor, there can still be a breach in your security. It couldn't hurt to take a few extra precautions to make sure everyone in your office remains HIPAA compliant.
Having regular staff meetings to remind staff members of the telemedicine HIPAA guidelines would remind your employees of the importance of staying compliant. Sometimes, things slip our minds as the workday goes on. A regular reminder would prove effective in keeping your employees and medical office staff wary of their compliance when handling ePHI.
You can hire a service to audit your staff's work. A hired third-party will look over the safety measures taken within your office regarding emails, messaging, files, reports, images, and any other ePHI or PHI documents. This way, you will be able to pinpoint any cracks in the system. Catching these mistakes early on could save you thousands of dollars and a lawsuit.
Assess the risk factors regarding your business. You could do this on your own or hire a service to provide you with a risk analysis. A detailed risk analysis service should do the following:
- Look into where you store ePHI documents
- Determine how secure your devices (PCS, laptops, tablets, etc.) are in the office
- Look over your office's security measures to allocate any mistakes
- Assess the repercussions should there be a security breach
- Assess how likely it is that your office would endure a breach of security
When ePHI is concerned, there are several different matters to account for to prevent violating HIPAA guidelines. You would benefit from a service that could calculate all of the risk information so you can stay on top of your daily duties.
Appoint a Monitor
Ask a trusted staff member in your office if they would mind taking on the extra task as a monitor. Having a monitor overlook the security measures taken by your staff would keep your employees aware of compliance. A monitor would also ensure that mistakes in details, such as encryption, would be caught early on.
A tried and true method to keeping our staff HIPAA compliant is getting them certified. Certification is not legally mandated by the HHS. However, a HIPAA training certification comes with several benefits, such as:
- Re-educating staff members on HIPAA compliance and guidelines
- Re-educating staff on handling ePHI documents
- Raising your business's credibility
- Helping you avoid mistakes in securing ePHI
- Assuring patients their information is in good hands
Since HIPAA laws are changed or added every year, enrolling your staff in a HIPAA guidelines certification program would be a great way to keep your office up-to-date on current compliance statutes.
Hire a Credible Service
With HIPAA guidelines on telemedicine ever-changing, it can be difficult for covered entities to keep their staff up to speed. Covered entities should look into medical office staff training on HIPAA compliance, telemedicine HIPAA guidelines, and how to handle ePHI in the office. HIPAA Exams is here to save you time, money, and unnecessary stress. Our team offers several different services regarding BAA's, vendor credentialing, and HIPAA guidelines training, that will keep your staff compliant. Click here to view our most popular training courses and discounted bundle programs, to get your staff enrolled today.