Security and HIPAA
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. legislation that provides data privacy and security provisions for safeguarding medical information. It is designed to reduce healthcare fraud and abuse by setting industry-wide standards for health care information on electronic billing and other processes. It also requires the protection and secure handling of specific patient health information. This is addressed by the Privacy Rule and the Security Rule and is highly relevant to telemedicine.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
What is HIPAA Security Rule?
Whereas the HIPAA Privacy Rule deals with Protected Health Information (PHI) in general, the HIPAA Security Rule (SR) deals with electronic Protected Health Information (ePHI), which is essentially a subset of what the HIPAA Privacy Rule encompasses.
Updates on Security and HIPAA concerning telemedicine are related to the current Public Health Emergency (PHE) in the United States due to the COVID-19 pandemic.
- March 13, 2020- National Emergency declared by the President of the United States.
- July 23, 2020- U.S. Department of Health and Human Services (HHS) renewed the COVID-19 PHE declaration for another 90 days and it has continued to be renewed throughout the PHE.
- January 1, 2021- Renewal of determination that a PHE exists by Secretary of health and human services.
PHE status allows many of the waivers and expansions for telehealth that have occurred since the COVID-19 pandemic began in March 2020 to remain active, including enforcement discretion on HIPAA violations for use of commonplace remote communication technologies.
The HHS Office for Civil Rights temporarily decided to “exercise enforcement discretion; waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communication technologies such as facetime or skype.” There is no video requirement for telephone visit, only audio.
This has allowed for utilization of non-encrypted platforms such as Apple Facetime, Google Hangouts, Skype, and Zoom (free and regular versions) in telemedicine practice. At this time, it is unclear what waivers and expansions will or will not remain active once the PHE is over.
Health Information Privacy
HIPAA Compliance in Telemedicine
Medical professionals often mistakenly believe that communicating ePHI is acceptable when the communication is directly between physician and patient. Often, little regard is given to the channel of communication that is used for communicating ePHI. Medical professionals who wish to comply with the HIPAA guidelines on telemedicine must adhere to rigorous standards for such communications to be deemed compliant.
The HIPAA guidelines on telemedicine are contained within the HIPAA Security Rule and stipulate:
1. Only authorized users should have access to ePHI.
2. A system of secure communication should be implemented to protect the integrity of ePHI.
3. A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.
Third party data storage
A medical professional or a healthcare organization creating ePHI that is stored by a third party, is required to have a Business Associate Agreement (BAA) with the party storing the data.
The BAA must include methods used by the third party to ensure the protection of the data and provisions for regular auditing of the data’s security.
Who is a Business Associate?
Any individual or entity that performs functions or activities on behalf of a covered entity that requires the business associate to access PHI is considered a business associate. This individual or organization may also provide services to a covered entity.
Examples of Business Associates:
• A third-party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.
There are exceptions to the business associate standard, where “a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.”
These exceptions include but are not limited to the following situations:
• Disclosures by a covered entity to a healthcare provider for treatment of the individual
• PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
• Disclosures to a health plan sponsor, by a group health plan, the health insurance issuer, or HMO that provides health insurance benefits or coverage for the group health plan
• With individuals or organizations that are a conduit for PHI, like the US Postal Service
Once a covered entity has identified their applicable business associates, it is necessary to ensure that these third-parties will only use any provided PHI in a secure and established manner.
It is stated on the HHS website that “covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate”.
Here is where business associate agreements, or business associate contracts come into play.
What should a BAA include?
- Describe the permitted and required uses of protected health information by the business associate
- Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
- Require the business associate to use appropriate safeguards to prevent a use or disclosure of the protected health information other than as provided for by the contract
- Where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement
- If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
Information on Business Associates
NOTE: Since copies of communications sent by SMS, Skype or email remain on the service providers´ servers and contain individually identifiable healthcare information that is not encrypted, this ePHI is not considered HIPAA compliant, as a BAA with the cell service provider, Skype or Google would be required.
Vendors providing telemedicine technology
(adapted from Baker, J. & Stanley, A. Curr Allergy Asthma Rep (2018) 18: 60.)
• Skype for Business
• Click Meeting
• Join Me
• Amazon Chime
Direct to consumer
• American Well
• Doctor on demand
Provider Access Software
• Intouch Health
Each technology changes frequently so it is important to visit their web site for information about current offerings. Note: It is important to check with each company to determine HIPAA compliance and to verify it with an IT security expert
Considering Technologies for HIPAA compliance
- Intrusion Detection Systems (IDS): Intrusion detection systems run the gamut from complex host-based detection to lightweight network-based detection. Generally, any credible IDS will provide core functionality designed to detect known bad activity based on known signatures.
- Web Application Protection: An excellent way to protect your internet-facing websites and applications is to implement a Web Application Firewall (WAF). The WAF can provide inline protection from invalid / malformed requests made against your website or simply monitor web requests, alerting when these bad requests are encountered.
- Log Management: Log management solutions provide the broadest coverage in regard to your HIPAA mandates. There is a myriad of solutions that provide complex query languages that enable skilled users to mine logs for indicators of compromise, as well as any activity that may indicate a HIPAA mandate may have been broken.
Other items to consider in technologies:
- Fully encrypted data transmission
- Peer-to-peer secure network connections
- No storage of video
Baker, J. & Stanley, A. Curr Allergy Asthma Rep (2018) 18: 60
Informed consent for telemedicine
Know your state and payer requirements for informed consent. Getting your patient’s consent could be a legal requirement in your state, or a condition of getting paid, depending on the payer you’re billing. There is much variability in state requirements for consent ranging from no requirements to verbal consent only to obtaining written consent that must be stored in the patient’s health record.
To check requirements by specific state a great resource is The National Telehealth Policy Resource Center’s state map.
The Center for Connected Health Policy
Informed consent best practices.
Even if getting a patient consent for telemedicine visits is not required in your state, it would still be an advisable telemedicine best practice to implement.
Information you should include on your consent form:
• Inform patients of their rights when receiving telemedicine, including the right to stop or refuse treatment.
• Inform patients of their own responsibilities when receiving telemedicine treatment such as providing accurate and complete information about medical complaints, past illnesses, hospitalizations, medications, pain, and other matters relating to their health.
• Have a formal complaint or grievance process to resolve any potential ethical concerns or issues that might come up as a result of telecare.
• Describe the potential benefits, constraints, and risks (like privacy and security) of telemedicine.
• Inform patients of what will happen in the case of technology or equipment failures during telemedicine sessions, and state a contingency plan.
• Outline your basic telemedicine program policies around billing, scheduling, and cancellations.
Consideration of patient privacy concerns
Patients have every right to be concerned about privacy and ask how their information will be handled during a remote clinical encounter. Providers should be prepared to educate patients about the steps that they are taking, with their technology provider, to secure their confidential information. It is also important to let patients know that you’ve chosen technology designed for this purpose and that you take your obligations under HIPAA very seriously.
These links are for research only. They are not endorsed by the American Academy of Allergy, Asthma & Immunology (AAAAI).