HIPAA Compliant Guidelines on Telemedicine


The HIPAA guidelines on telemedicine apply to any medical professional or healthcare organization that provides remote services to patients in their homes or in community centers. Contrary to what many people believe, the HIPAA Privacy Rule does not assume that ePHI may be communicated at a distance simply because the communication is between a physician and a patient.

If medical professionals or healthcare organizations wish to adhere to the HIPAA guidelines for telemedicine, they must also ensure that the communication channel used to communicate ePHI over the internet is HIPAA compliant. The HIPAA Security Rule contains this element and it stipulates:

  • Access to ePHI should only be granted to authorized users.
  • To protect the integrity and confidentiality of ePHI, a system of secure communications should be established.
  • To prevent malicious or accidental breaches, a system of monitoring communications containing ePHI needs to be in place.

The first bullet point is satisfied provided that physicians use reasonable and appropriate safeguards to protect ePHI from being disclosed to unauthorised parties. The second bullet point means that ePHI should not be sent over insecure communication channels such as email, Skype, or SMS.

According to the HIPAA guidelines, any system used to communicate ePHI over the internet must have mechanisms that allow communications to be monitored and deleted remotely. If the system is not used for a set period, it must log the user off automatically. The third and fourth bullet points also apply to stored ePHI, an issue that we will address in section 2.
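The three Security Rule requirements above (access only for authorised users, monitoring of communications that carry ePHI, and automatic log-off after inactivity) map directly onto a few lines of session-handling logic. The following is an added example written for this page, not code from the article or from any telehealth product; the user names, roles, patient identifiers, record contents and the 15-minute idle limit are all constructed assumptions, and the audit trail is kept in memory only so the example runs offline.

```python
# Added example (not from the original article): a minimal telehealth session
# manager implementing three technical safeguards the article lists:
#   1. ePHI is released only to authorised users with an active session,
#   2. every access attempt, successful or not, is written to an audit trail,
#   3. an idle session is logged off automatically.
# All identifiers, roles, records and timings below are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy: log off after 15 minutes idle


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # seconds; the caller supplies the clock


class TelehealthSessionManager:
    def __init__(self, authorized_users: Dict[str, str], records: Dict[str, str],
                 idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        # authorized_users maps user id -> role ("clinician" or "patient")
        # records maps patient id -> ePHI (constructed sample data)
        self._authorized = dict(authorized_users)
        self._records = dict(records)
        self._idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}
        self.audit_log: List[dict] = []

    def _record(self, now: float, user: str, action: str, outcome: str, detail: str = "") -> None:
        # The audit trail is what lets a privacy officer monitor ePHI access.
        self.audit_log.append({"time": now, "user": user, "action": action,
                               "outcome": outcome, "detail": detail})

    def login(self, user: str, now: float) -> bool:
        role = self._authorized.get(user)
        if role is None:
            self._record(now, user, "login", "denied", "not an authorised user")
            return False
        self._sessions[user] = Session(user, role, now)
        self._record(now, user, "login", "ok")
        return True

    def _active_session(self, user: str, now: float) -> Optional[Session]:
        session = self._sessions.get(user)
        if session is None:
            return None
        idle = now - session.last_activity
        if idle > self._idle_timeout:
            # Automatic log-off: drop the session and record why.
            del self._sessions[user]
            self._record(now, user, "auto_logoff", "ok", f"idle for {idle:.0f}s")
            return None
        return session

    def read_record(self, user: str, patient_id: str, now: float) -> Optional[str]:
        """Return the patient's ePHI, or None if the request is refused."""
        session = self._active_session(user, now)
        if session is None:
            self._record(now, user, "read_ephi", "denied", "no active session")
            return None
        if session.role != "clinician" and user != patient_id:
            # A patient may read only their own record.
            self._record(now, user, "read_ephi", "denied", f"patient {patient_id}")
            return None
        session.last_activity = now  # activity resets the idle timer
        self._record(now, user, "read_ephi", "ok", f"patient {patient_id}")
        return self._records.get(patient_id)


if __name__ == "__main__":
    # Constructed walk-through: one clinician, one patient, two sample records.
    mgr = TelehealthSessionManager(
        {"dr.lee": "clinician", "pat-001": "patient"},
        {"pat-001": "sample record 1", "pat-002": "sample record 2"},
    )
    mgr.login("mallory", 0.0)                       # denied: not authorised
    mgr.login("dr.lee", 0.0)
    mgr.read_record("dr.lee", "pat-002", 10.0)      # ok
    mgr.read_record("dr.lee", "pat-001", 10.0 + 901)  # auto log-off, then denied
    for entry in mgr.audit_log:
        print(entry)
```

The clock is passed in rather than read from `time.time()` so that the idle-timeout path can be exercised deterministically; in a real deployment the audit log would go to append-only storage rather than a list.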




HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which Congress passed in 1996. HIPAA does the following:

  • Gives millions of American workers and their families the ability to transfer and continue health insurance coverage when they change or lose their jobs
  • Reduces health care fraud and abuse
  • Mandates industry-wide health care information standards for electronic billing and other processes
  • Requires the protection and confidential handling of protected health information

HIPAA Privacy and Security Rules

After HIPAA became law, the United States Department of Health and Human Services began work on the Act's Privacy and Security Rules. The Privacy Rule came into force on 14 April 2003. It defines Protected Health Information (PHI) as any information held by a covered entity relating to the provision of medical treatment, health status or payment that can be linked to a particular individual.

Instructions were also provided on how this information may be shared, and on the requirement to obtain the individual's permission before their PHI is used for research, marketing, or fundraising. In addition, patients were given the right to withhold their health-related information from insurance companies when their care is privately funded.



HIPAA's Security Rule became effective two years later, on April 21, 2005. It governs the use of electronically stored PHI (ePHI) and created three layers of safeguards: technical, physical, and administrative. Under HIPAA, adherence to all three is required. Each has a distinct purpose:

Technical: To safeguard ePHI when it is transmitted electronically across open networks

Physical: To restrict access to the areas where information is stored and prevent unauthorized access

Administrative: To put policies and procedures in place that set out how an entity must comply with HIPAA.



Telehealth that is HIPAA compliant

Although there are many options available to doctors who wish to offer a HIPAA-compliant telehealth service to patients, these can be expensive and complicated. Microsoft offers a Business Associate Agreement to physicians who want to use HIPAA-compliant Skype for Business. To take advantage of this, every patient must have an Office 365 account linked to the cloud-based Skype for Business.

Patients may be discouraged from using a HIPAA-compliant telehealth service because of the high monthly cost (up to $35.00 per person per month). There are cheaper options, but they tend not to be as accurate for diagnosing patients' problems. Patients may also have other applications running that consume bandwidth, making the service inaccessible.



Ensure Your System Is HIPAA-Compliant

Before setting up a telehealth practice, make sure that the technical experts you recruit understand HIPAA enforcement. Ask to see their access control and data encryption methods. Also evaluate the system's backup and disaster recovery plans; these should include offsite backup options in the event of a catastrophic breach or system crash. Finally, make sure that every member of your technology provider's staff is familiar with HIPAA, committed to compliance, and willing to take part in regular internal audits. Ask your vendor for copies of the disaster recovery plan, as well as credentials and access control procedures.



Some concluding thoughts on the HIPAA Telemedicine Guidelines

Secure messaging technologies were originally designed to enable HIPAA-compliant messaging, but many of their features have delivered benefits beyond compliance: improved workflows for healthcare professionals, lower costs for medical facilities and a higher standard of care for patients.

Most healthcare organizations have been pleasantly surprised at how simple complying with the HIPAA telemedicine guidelines can be, and even more pleasantly surprised at the cost, since there is no need to invest in expensive hardware or complex software, or to exhaust the organization's IT resources.

The HIPAA telemedicine guidelines make it very clear what steps need to be put in place to keep ePHI safe. Given the major advantages of introducing a secure messaging solution, it is only a question of time before all covered entities providing telemedicine services are communicating ePHI at a distance via secure messaging.

Sanjeev Agrawal

My name is Sanjeev Agrawal. I am a Director and Co-founder of Dreamsoft4u, an IT consulting company. I have a keen interest in the latest trends and technologies emerging in different domains. As an entrepreneur in the IT sector, it is my responsibility to help my audience keep up with the latest trends in the market.
