The HIPAA guidelines on telemedicine apply to any medical professional or health organization that provides remote services to patients in their homes or in community centers. Contrary to what many people mistakenly believe, the HIPAA Privacy Rule does not permit ePHI to be communicated at a distance simply because the communication is between physician and patient.
If medical professionals or healthcare organizations wish to adhere to the HIPAA guidelines for telemedicine, they must also ensure that the channel used to communicate ePHI over the internet is HIPAA compliant. This requirement comes from the HIPAA Security Rule, which stipulates:
- Access to ePHI should only be granted to authorized users.
- To protect the integrity and confidentiality of ePHI, a system of secure communications should be established.
- To prevent malicious or accidental breaches, a system of monitoring communications containing ePHI needs to be in place.
The first bullet point is satisfied provided that physicians use reasonable and appropriate safeguards to protect ePHI from being divulged to unauthorized parties. The second bullet point means that ePHI should not be sent via insecure communication channels such as email, Skype, or SMS.
According to the HIPAA guidelines, any system for communicating ePHI over the internet must have mechanisms that allow remote monitoring and remote deletion of communications. If the system is not used for a certain time, it should log the user off automatically. The third and fourth bullet points also refer to stored ePHI, an issue that is addressed in section 2.
WHAT IS HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which Congress passed in 1996. HIPAA does the following:
- Provides the ability for millions of American workers and their families to transfer and continue health insurance coverage when they change or lose their jobs
- Reduces health care fraud and abuse
- Mandates industry-wide health care information standards for electronic billing and other processes
- Requires the protection and confidential handling of protected health information
HIPAA Privacy and Security Rules
After HIPAA officially became law, the United States Department of Health and Human Services began working on the Act’s Privacy and Security Rules. The Privacy Rules came into force on 14 April 2003. These regulations defined Protected Health Information (PHI) as any information held by a covered entity relating to the provision of medical treatment, health status or payment that can be linked to a particular individual.
Instructions were also provided on how this information may be disclosed, and on the requirement that the individual’s permission be obtained before their PHI is used for research, marketing, or fundraising. In addition, patients were given the right to withhold their health-related information from insurance companies if their care is privately funded.
HIPAA’s Security Rules became effective two years later, on April 21, 2005. These govern the use of electronically stored PHI (ePHI) and created three layers of safeguards: technical, physical, and administrative. Under HIPAA, adherence to all three is required. Each has its own intended purpose:
Technical: To safeguard media containing PHI when electronically transmitted across open networks
Physical: To restrict access to information storage areas and prevent unauthorized access
Administrative: To put procedures and policies in place to delineate how an entity must comply with HIPAA.
Telehealth that is HIPAA compliant
Although there are many options available for doctors who wish to offer a HIPAA-compliant telehealth service to patients, these can be expensive and complicated. Microsoft offers a Business Associate Agreement to physicians who want to use HIPAA-compliant Skype for Business. To take advantage of this opportunity, every patient must have an Office365 account that is linked to the cloud-based Skype for Business.
Patients may be discouraged from using a HIPAA-compliant telehealth service because of the high monthly cost (up to $35.00 per person per month). There are cheaper options, but they tend to be less accurate for diagnosing patients’ problems. Patients may also have other applications running that consume bandwidth, making the service inaccessible.
Ensure Your System Is HIPAA-Compliant
Before setting up a telehealth practice, make sure that the technical experts you are recruiting are familiar with HIPAA enforcement. Ask to see their methods of access control and data encryption. Additionally, evaluate the system’s backup and disaster recovery plans; these should include offsite backup options in the event of catastrophic breaches or system crashes. Finally, make sure that every member of staff at your technology provider is familiar with HIPAA, dedicated to compliance, and willing to participate in regular internal audits. Ask your vendor for copies of the disaster recovery plan, as well as the credentials and procedures used for access control.
Some concluding thoughts on the HIPAA Telemedicine Guidelines
Secure messaging technologies were initially designed to enable HIPAA-compliant messaging, but many of their features have also improved healthcare professionals’ workflows, lowered medical facility costs and raised the standard of care received by patients.
Most healthcare organizations have been pleasantly surprised at how simple complying with the HIPAA telemedicine guidelines can be, and even more pleasantly surprised at the low cost: there is no need to invest in costly hardware or complex software, or to exhaust the organization’s IT resources.
The HIPAA telemedicine guidelines make it very clear what steps need to be put in place to ensure the safety of ePHI. Given the major advantages of introducing a secure messaging solution, it is only a question of time before all covered entities providing telemedicine services are communicating ePHI at a distance via secure messaging.