Telemedicine is revolutionizing the way healthcare is performed, especially in rural areas and for patients with limited mobility. Security and HIPAA compliance, however, remain critical.
As telemedicine becomes a more common way for healthcare providers to interact with patients – especially during the COVID-19 pandemic – HIPAA must be at the forefront of every healthcare organization's planning. Implementing and deploying a telemedicine solution to extend telehealth services to patients is immensely important to modernizing hospitals and medical practices; however, rolling out telemedicine services must be done securely and in compliance with HIPAA. This guide will explain the three things you need to do to ensure HIPPA compliance, as well as the basics of HIPAA and how the rules currently apply to telemedicine services.
Is telemedicine HIPAA compliant?
Telemedicine can certainly be compliant with HIPAA privacy and security standards. However, it poses significant risks to the security of electronic protected health information (ePHI), so healthcare organizations must take care when implementing a telemedicine solution for the first time.
The first step in the successful implementation of a telemedicine solution is to ensure that it is secure. This means doing the following:
- Determining how virtual consultations and related communications will be secured in transit
- Determining how recorded consultations and all associated clinical documentation and data will be stored after the consultation has ended
- Establishing ongoing monitoring of telemedicine-related communications and efforts to prevent or respond to malicious data breaches involving ePHI
When you're examining any telemedicine platform or software, it is important to confirm in written detail how the third-party service achieves these criteria. You must understand how it secures data both in transmission and in storage, as well as how it monitors and secures data (or if your own IT team is responsible for mitigating threats and data breaches).
Editor's note: Need a telemedicine solution for your healthcare organization? Fill out the questionnaire below to be contacted by our vendor partners with more information.
What types of telemedicine communication can violate HIPAA?
A telemedicine appointment violates HIPAA anytime it is improperly secured either in transit or at rest, or when an unauthorized user is able to access the information associated with virtual care. Text, audio, images and video could all be considered ePHI depending upon the content. Therefore, every aspect of communication on a telemedicine platform must be protected by secure messaging.
To prevent accidental disclosure of medical records or malicious data breaches and cyberattacks, healthcare organizations are responsible for maintaining a comprehensive view of all ePHI communicated across its network or stored on any of its devices. A combination of encryption and well-crafted governing policies and procedures can help prevent unlawful disclosures of or unauthorized access to ePHI during telehealth sessions.
How can you remain HIPAA compliant while using telemedicine?
Here are the three things you need to do to comply with HIPAA when using telemedicine technology.
Choose a secure platform or software. Whether you are looking for a simple mobile solution for telehealth or a complex telemedicine platform with diagnostic tools for advanced consultations, security is critical. Make sure you clearly understand how the data is secured by encryption and other technical means while in storage and during communication.
Limit access to sensitive information. All the technical security measures in the world won't do you any good if the wrong people have access to ePHI. You must establish a clear set of policies and procedures around who is authorized to access any ePHI related to telehealth services, and when and why. Rigorously document access to ePHI so you can easily demonstrate compliance to regulators.
- Confirm that there are monitoring processes in place, as well as a cybersecurity strategy in the event of a data breach or cyberattack. Whether that process is the domain of a third-party telemedicine service provider or your internal IT team, it's critical to understand the details and how often the plan is revisited in order to demonstrate your ongoing compliance.
Telemedicine is here to stay, and security is critical
If there was any question as to the importance of telemedicine in the modern healthcare industry before, the COVID-19 pandemic demonstrated that it is here to stay. While telemedicine continues to evolve and change as it is adopted by more healthcare organizations, security remains at the heart of the discussion.
Telemedicine serves as an effective tool to connect underserved areas and patients with limited mobility to their healthcare providers, as well as a way for hospitals and medical practices to improve efficiency and cut down on waste. To fully realize these benefits, however, healthcare organizations must implement telemedicine services in a secure way that keeps them in compliance with HIPAA and reinforces patient confidence that their data is adequately protected at all times.
What is HIPAA?
The Healthcare Insurance Portability and Accountability Act of 1996 is the foremost federal law on healthcare data privacy in the U.S. The law established national standards to protect sensitive patient health information from disclosure without the patient's knowledge or consent.
The HIPAA Privacy Rule
One of the central provisions of HIPAA is the Privacy Rule, which was established in 2000. The Privacy Rule identifies covered entities, such as hospitals, medical practices, insurance companies and clearinghouses. A covered entity is subject to a set of standards that aim to protect patients' sensitive data, or "protected health information."
The HIPAA Privacy Rule permits the use and disclosure of protected health information by a covered entity without prior authorization from the patient under specific circumstances:
Disclosure to the subject of the information: Healthcare organizations are permitted to disclose health information to the individual patient. They also must disclose this information if it is required for access or accounting of disclosures.
Treatment, payment and healthcare operations: When disclosure of protected healthcare information is required for treatment (such as ordering medications) or payment (such as billing insurance companies), healthcare organizations are permitted to disclose it.
Opportunity to agree or object to disclosure: Healthcare organizations can receive informal permission to disclose protected health information from an individual by directly asking or by giving the individual the opportunity to agree or object to a disclosure.
Public interest and benefit: There are 12 circumstances that constitute a public interest in disclosure of otherwise protected health information. These include instances of domestic violence, law enforcement requirements, research and workers' compensation.
- Compliance purposes: Covered entities are permitted to disclose protected health information to the Department of Health and Human Services (HHS) for compliance purposes.
Beyond these circumstances, covered entities are not permitted to disclose any protected health information without prior authorization from the patient.
The HIPAA Security Rule
Another important element of HIPAA is the Security Rule, which was finalized in 2003. Like the Privacy Rule, the Security Rule focuses on protected health information. However, rather than how an organization can or cannot disclose information, the Security Rule governs how an organization must secure data both in storage and in transit. This data is sometimes referred to as "electronic protected health information" or "ePHI."
Under the Security Rule, covered entities must abide by the following standards:
- Protect the confidentiality of electronic protected health information.
- Identify and mitigate anticipated threats to the security of ePHI.
- Protect against anticipated unauthorized access, use and disclosure of ePHI.
- Document and certify workforce compliance across the organization.
There are no explicit encryption requirements under HIPAA; they are intentionally vague and open to interpretation to account for the progression of technology, according to HIPAA Journal. Rather than peg healthcare organizations to an encryption requirement that could soon be outdated, the Department of Health and Human Services permits organizations to select the most appropriate protection for their particular systems. Documentation of these security measures must be available for compliance purposes.
The National Institute of Standards and Technology recommends the use of Advanced Encryption Standard (AES) 128-, 192- or 256-bit encryption, as well as Open PHP and S/MIME.
Enforcement of a HIPAA violation
The HHS Office for Civil Rights is responsible for enforcing the Privacy Rule and Security Rule under HIPAA. To date, the OCR has reviewed more than 230,000 HIPAA complaints, resulting in corrective action to healthcare organizations' policies and procedures, as well as referrals to the Department of Justice for potential criminal violations of HIPAA.
The OCR has the ability to issue financial penalties for violations of HIPAA rules. There are four categories of violations a covered entity could commit, according to HIPAA Journal, and a fine associated with each tier:
Tier 1: This is a violation that the covered entity was unaware of and could not have realistically avoided, even with reasonable care taken. The minimum fine is $100 per violation, up to a total of $50,000.
Tier 2: This is a violation that the covered entity should have been aware of but could not have avoided even with reasonable care (short of willful neglect of HIPAA rules). The minimum fine is $1,000 per violation, up to a total of $50,000.
Tier 3: This type of violation is a direct result of willful neglect of HIPAA rules, in cases where an attempt has been made to correct the violation. The minimum fine is $10,000 per violation, up to a total of $50,000.
- Tier 4: This is a violation of HIPAA rules constituting willful neglect, with no attempt to correct the violation. The minimum fine is $50,000 per violation.