Security and HIPAA

Telemedicine Security

Telemedicine (TM) technology brings with it concerns about privacy, security and confidentiality that go beyond those of protecting a stored medical record: the encounter itself is transmitted over a network and passes through third-party software. TM encounters should be held to the same privacy and security standards that apply to an in-person office visit.

What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is U.S. legislation that establishes national standards for protecting individually identifiable health information, known as protected health information (PHI), from being used or disclosed without a patient’s authorization or knowledge. The U.S. Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the law’s requirements and the Security Rule to protect a subset of the information covered by the Privacy Rule: PHI that is held or transmitted in electronic form.

The Privacy Rule applies to both face-to-face and virtual visits. It requires covered entities to keep PHI confidential and limits how it may be used and disclosed: without the patient’s written authorization, PHI may be used only for purposes the rule permits, such as treatment, payment and health care operations. The Privacy Rule also gives patients the right to review and obtain a copy of their health records, to direct a covered entity to transmit an electronic copy of their PHI to a third party, and to request corrections.

The HIPAA Security Rule was published in 2003 and specifically protects electronic PHI (ePHI): all individually identifiable health information that a covered entity or business associate creates, receives, maintains, or transmits in electronic form. The rule requires administrative, physical and technical safeguards for ePHI. Encryption of ePHI in transit (and at rest) is an “addressable” specification under the rule: a covered entity must implement it where reasonable and appropriate, and where it does not, it must document why and what equivalent measure it uses instead. In practice, encryption is the expected control for ePHI sent over the internet, and that includes the audio and video streams of a TM visit. The Security Rule does not apply to PHI transmitted orally or on paper; that information is covered by the Privacy Rule only.

Several changes to security and HIPAA requirements for telemedicine were made before and after the Public Health Emergency (PHE) was declared in the United States due to the COVID-19 pandemic.
• March 13, 2020: National Emergency declared by the President of the United States.
• July 23, 2020: HHS renewed the COVID-19 PHE declaration for another 90 days; it continued to be renewed in 90-day increments throughout the PHE.
• January 2021: Renewal of the determination that a PHE exists by the Secretary of Health and Human Services.
• December 2022: Congress passes H.R. 2617 (the Consolidated Appropriations Act, 2023), extending most Medicare telehealth flexibilities through December 31, 2024.
• May 11, 2023: PHE ends, terminating many COVID-19-based waivers and flexibilities.

The PHE status underpinned many of the telehealth waivers and expansions that took effect after the COVID-19 pandemic began in March 2020, including HHS enforcement discretion for HIPAA violations arising from the good-faith use of commonplace remote communication technologies.

HIPAA Compliance in Telemedicine
It is very important for healthcare providers to follow HIPAA requirements in TM because of the unique challenges of delivering healthcare remotely. Any transmission of video, audio or patient data over the internet should be encrypted in transit.
Because a TM vendor handles ePHI (for example, video streams, chat messages and recordings that pass through or are stored on its servers), the vendor is a business associate under HIPAA and must sign a business associate agreement (BAA) with the provider. A business associate is any individual or entity that performs functions or activities on behalf of a covered entity that require access to PHI, or that provides services to a covered entity involving PHI. A BAA must describe the safeguards the vendor uses to protect the data, its obligation to report breaches and security incidents to the covered entity, and provisions for regular auditing of the data’s security.

Consumer video conferencing products such as FaceTime, Google Hangouts, and Skype are not covered by a BAA and therefore did not, on their own, satisfy HIPAA. During the COVID-19 PHE, the HHS Office for Civil Rights (OCR) announced that it would exercise enforcement discretion and not impose penalties on providers who used non-public-facing remote communication tools (e.g., Zoom, Teams, FaceTime, WhatsApp, Google Hangouts) in good faith to deliver telehealth. Public-facing applications such as Facebook Live, Twitch, Instagram, TikTok, and similar video platforms, where the session is visible to others, were never allowed.

That enforcement discretion ended with the PHE in May 2023. During the PHE, OCR had said it would “exercise enforcement discretion; waive penalties for HIPAA violations against health care providers that serve patients in good faith through everyday communication technologies.” When that notification expired, practitioners were given a 90-day transition period, and as of August 9, 2023 all providers have had to be in compliance.

Only HIPAA-compliant tools backed by a signed BAA (e.g., Zoom for Healthcare, GoToMeeting) are allowed now. Many TM vendors have their own documentation product built into their TM platform, which allows PDF reports to be sent to other electronic health records (EHRs), though the reports may go unseen or be challenging to retrieve. Some EHR vendors, such as Epic, have an embedded TM option as well. If the EHR does not have embedded TM, providers can keep their existing EHR for documentation and use a separate TM platform just for the video capabilities.

HIPAA Compliant Telemedicine Platforms
There are several vendors providing telemedicine technology. These products change frequently, so it is imperative to visit each vendor’s website for information on current products. It is also important to work with an IT security expert to confirm that a product is HIPAA compliant: that the vendor will sign a BAA, and that ePHI is encrypted in transit and at rest.

Charm Telehealth
Secure Telehealth
Zoom (Health Care version)

Informed consent for telemedicine
Several states require telehealth providers to obtain written or verbal consent from the patient before delivering the telehealth service. Informed consent for telemedicine (TM) typically includes a discussion of the telehealth technology being used and an overview of its privacy and security considerations, among other topics.

Specific informed consent laws vary by state, so it is important to know your state and payer requirements. Obtaining your patient’s consent may be a legal requirement in your state, or a condition of payment, depending on the payer being billed. State requirements range from no requirement, to verbal consent only, to written consent that must be stored in the patient’s health record.

To check informed consent requirements for a specific state, a good resource is the Center for Connected Health Policy.

Informed consent best practices
Even if getting patient consent for telemedicine visits is not required in your state, it is still an advisable telemedicine best practice to implement.

Information to include when consenting a patient:
• Inform the patient what telemedicine is, who the provider delivering care by telehealth is, and what technology is being used.
• Inform patients of their rights when receiving telemedicine, including the right to stop or refuse treatment.
• Obtain the patient’s location and inform the patient of the provider’s location.
• Describe the care that can be provided via telemedicine and how any need for in-person care will be managed.
• Inform patients of their own responsibilities when receiving telemedicine treatment, such as providing accurate and complete information about medical complaints, past illnesses, hospitalizations, medications, pain, and other matters relating to their health.
• Describe the potential benefits, constraints, and risks (such as privacy and security) of telemedicine.
• Inform patients of what will happen in the case of technology or equipment failure during a telemedicine session, and state a contingency plan (for example, a phone number the provider will call back on).
• Outline your basic telemedicine program policies around billing, scheduling, and cancellations.

Patient privacy concerns
Medical information is almost always sensitive, and patients have every right to be concerned about privacy and to ask how their information will be handled during a TM visit. Clinicians should be prepared to explain the steps taken for HIPAA compliance and the ways other confidential information is protected. It is also important to review how patients can help protect their own PHI during a TM visit: for example, joining from a private location and using a headset or earbuds so that others cannot overhear the conversation.

These links are for research only. They are not endorsed by the American Academy of Allergy, Asthma & Immunology (AAAAI).