HIPAA Compliant Guidelines on Telemedicine



HIPAA is the acronym for the Health Insurance Portability and Accountability Act which Congress passed in 1996. HIPAA does the following:

  • Provides the ability for millions of American workers and their families to transfer and continue health insurance coverage when they change or lose their jobs
  • Reduces fraud and abuse in health care
  • Mandates industry-wide health care information standards for electronic billing and other processes
  • Requires the protection and confidential handling of protected health information

HIPAA Privacy and Security Rules

After HIPAA officially became law, the United States Department of Health and Human Services began working on the Act’s Privacy and Security Rules. The Privacy Rule came into force on 14 April 2003. These regulations define Protected Health Information (PHI) as any information held by a covered entity relating to the provision of medical treatment, health status or payment that can be linked to a particular individual.

Instructions were also provided on how this information may be shared, and the individual’s permission must be obtained before their PHI is used for research, marketing, or fundraising. In addition, patients were given the right to withhold their health-related information from insurance companies if their care is privately funded.

HIPAA’s Security Rule became effective two years later, on April 21, 2005. It governs the use of electronically stored PHI (ePHI) and created three layers of safeguards: technical, physical, and administrative. Under HIPAA, adherence to all three is required. Each has its intended purpose:

Technical: To safeguard media containing PHI when electronically transmitted across open networks

Physical: To restrict access to information storage areas and prevent unauthorized access

Administrative: To put procedures and policies in place to delineate how an entity must comply with HIPAA.


Medical professionals often mistakenly believe that communicating ePHI is acceptable as long as the communication between doctor and patient is direct. Often, little regard is given to the medium used to communicate the ePHI. Medical professionals wishing to comply with the HIPAA telemedicine guidelines must adhere to rigorous standards for such communications to be deemed compliant:

  1. Only authorized users should be able to access ePHI.
  2. A secure communication system should be implemented to safeguard the integrity of ePHI.
  3. A system for monitoring and controlling communications that contain ePHI should be implemented to prevent accidental or malicious breaches.

Third Party Data Storage

A medical professional or healthcare company whose ePHI is stored or processed by a third party must have a Business Associate Agreement (BAA) with that third party.

The BAA should include procedures used by the third party to ensure data safety, and arrangements for periodic data security auditing.

Who is a Business Associate?

Any individual or entity that performs functions or activities on behalf of a covered entity, where doing so requires access to PHI, is called a business associate. A business associate may also be a person or organization that provides a service to a covered entity.

Examples of Business Associates:

  • A third-party administrator who helps a health plan with claims processing.
  • A CPA firm whose accounting services involve access to a health care provider’s protected health information.
  • An independent medical transcriber who provides transcription services to physicians.
  • A pharmacy benefits manager who oversees the pharmacist network of a health plan.

Ensure Your System Is HIPAA-Compliant

Before setting up a telehealth practice, make sure that the technical experts you are recruiting understand HIPAA’s requirements. Ask to see their access-control and data-encryption methods. Additionally, evaluate the system’s backup and disaster recovery plans. These should include offsite backup options in the event of catastrophic breaches or system crashes. Finally, make sure that every member of staff at your technology provider is familiar with HIPAA, dedicated to compliance, and willing to participate in regular internal audits. Ask your vendor for copies of the disaster recovery plan, as well as their credentials and access-control documentation.


Some concluding thoughts on the HIPAA Telemedicine Guidelines

Secure messaging technologies were initially designed to enable HIPAA-compliant messaging, but many of their features have brought additional benefits: improved workflows for healthcare professionals, lower costs for medical facilities, and a higher standard of care for patients.

Most healthcare organizations have been pleasantly surprised at how simple complying with the HIPAA telemedicine guidelines can be, and even more pleasantly surprised at the low cost: there is no need to invest in expensive hardware or complex software, or to exhaust the organization’s IT resources.

The HIPAA telemedicine guidelines make it very clear what steps need to be put in place to ensure the safety of ePHI. Given the major advantages of introducing a secure messaging solution, it is only a matter of time before all covered entities providing a telemedicine service are communicating ePHI at a distance via secure messaging.
