4 Ways to Know You're Using HIPAA Compliant Telehealth
Over the past few years, healthcare providers have become familiar with the many benefits of telehealth across specific speciality areas. If you’re a healthcare provider, you’ve probably been considering moving some or all of your services over to telehealth but maybe you just hadn’t quite pulled the trigger yet. We get it. Learning about all of the telehealth technology options out there can be daunting. And perhaps revisiting your practice’s HIPAA compliance isn’t something you wanted to deal with. Or maybe you simply hadn’t felt a strong sense of urgency to begin offering telehealth to patients.
But the onslaught of the Covid-19 pandemic has forced many healthcare providers to rapidly adopt telehealth as a core offering. No one could have imagined the speed at which providers would need to make this transition to ensure that patients didn’t suffer from breaks in care and their businesses stayed stable and intact. And while telehealth appointments have skyrocketed, the reality is that many providers have avoided thinking through some extremely important aspects of it, namely the importance of HIPAA Compliant Telehealth.
In the rush to adopt telehealth, many healthcare providers have overlooked the important technology requirements needed to protect patient data and remain HIPAA compliant, leaving their practices wide open to violations.
What about Telehealth makes your practice more vulnerable to HIPAA
With telehealth, providers suddenly find themselves sending, retrieving and analyzing all kinds of ePHI (electronic Protected Health Information) like test results, e-prescriptions, digital calendar appointments and much more on a regular basis. This digital handling of ePHI makes providers highly vulnerable to data breaches and violations of the HIPAA Security Rule if they don’t have the right platform in place to ensure the highest levels of security.
The HIPAA Security Rule was created specifically to safeguard ePHI. It outlines three classes of safeguards that providers must take to ensure the confidentiality, integrity and availability of ePHI.
- Administrative – Create policies and procedures designed to clearly show how the entity will comply with the Act.
- Physical – Control physical access to areas of data storage to protect against inappropriate access.
- Technical – Protect communications containing PHI when transmitted electronically over open networks and when data is at rest.
Seemingly innocuous decisions like using Facetime or Skype for telehealth appointments or emailing lab results might seem fine, but in reality, these actions simply don’t adhere to the required administrative, physical, and technical safeguards to prevent data breaches and ensure HIPAA compliant telehealth. HIPAA violations usually mean heavy fines, potential criminal charges and major administrative headaches imposed by the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR).
To avoid these headaches, you’ll need to make sure that your current or future technology partner provides rock-solid HIPAA compliant telehealth and is going to offer the right features that protect you now and far into the future.
Ways to know you are using a HIPAA Compliant Telehealth Platform
Providers might find themselves swimming in a sea of information when it comes to feeling confident that their telehealth appointments are actually HIPAA compliant. To help alleviate some confusion, we’ve outlined four key ways to evaluate your partner/platform that can help you understand if your practice is currently engaged in HIPAA compliant telehealth:
Only authorized people have access to ePHI
One major way to know if you are using a HIPAA compliant telehealth platform is that only authorized users are logging in and attending appointments. This ensures that access to the communication of medical data is restricted to a user database system — an important part of HIPAA compliance. There are a few important ways a HIPAA compliant telehealth provider would accomplish this:
- Two-Factor Authentication – Two-factor authentication is the ideal way to ensure that ePHI is securely protected. Successful two-factor authentication consists of the following:
1. SMS Passcode or phone call
2. Email verifications
With two-factor authentication, patients are notified of their appointments and receive an email and/or a text message notification informing them that they have an upcoming appointment. This email does not offer any additional information regarding the provider’s name, address, or purpose of the appointment.
HIPAA Video not only offers this two-factor authentication but also provides additional ways to ensure that access to PHI is fully protected:
- Administrator access controls
- Routine reminders to change passwords
- Secure waiting room access
End 2 End (E2E) Encryption, a critical part
The HIPAA Security Rule sets specific safeguards that must be in place to fully protect ePHI data. E2E encryption, a critical part of HIPAA compliant telehealth, is the best way to meet these requirements, protect ePHI and reduce the probability of a breach of your patients’ or customers’ sensitive health data.
Encryption, in general, takes your data or written text/PHI and turns it into unreadable text using software or algorithms. This unreadable text can only be deciphered through an encryption key that will allow you to read it once again.
E2E encryption means that the ePHI data can only be viewed or accessed by the sender and intended recipient.
Electronic messages are secured with locks, and only the recipient and the clinician or healthcare provider have the special keys that are needed to unlock and read the messages.
Every message has a unique lock and key. This security measure is always activated and automatic; there is no way of turning it off.
Truly secure platforms such as HIPAA Video guarantee HIPAA compliant telehealth by using E2E encryption to protect your data so that even in the event of a breach or theft, any stolen data becomes useless to the party who is obtaining or stealing it.
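The lock-and-key description above can be made concrete with a short Node.js sketch. This is an added example, not HIPAA Video's implementation or code from this article. It assumes the two parties have already exchanged public keys over an authenticated channel, and all names and the sample message are constructed.

```javascript
const crypto = require('node:crypto');

// Each party creates an X25519 key pair on its own device.
// Only the public half ever leaves the device (assumption: it is
// delivered to the other party over an authenticated channel).
function newParty() {
  return crypto.generateKeyPairSync('x25519');
}

// "Every message has a unique lock and key": derive a one-time AES-256 key
// from the ECDH shared secret plus a random per-message salt.
function messageKey(myPrivate, theirPublic, salt) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, salt, 'e2e-demo-message', 32));
}

// Sender side: encrypt and authenticate one message with AES-256-GCM.
function seal(senderPrivate, recipientPublic, plaintext) {
  const salt = crypto.randomBytes(16); // fresh salt, so a fresh key per message
  const iv = crypto.randomBytes(12);
  const key = messageKey(senderPrivate, recipientPublic, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { salt, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient side: re-derive the same key and verify the tag before returning text.
function unseal(recipientPrivate, senderPublic, envelope) {
  const key = messageKey(recipientPrivate, senderPublic, envelope.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]).toString('utf8');
}

// True only if the holder of `privateKey` can decrypt the envelope.
// A relay server or thief holding the envelope but not an endpoint key gets false.
function canRead(privateKey, senderPublic, envelope) {
  try {
    unseal(privateKey, senderPublic, envelope);
    return true;
  } catch {
    return false; // wrong key or modified ciphertext: GCM tag check fails
  }
}
```

The envelope (salt, IV, ciphertext, tag) is all that a server in the middle stores or forwards, which is why stolen data is unreadable without an endpoint's private key.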
Signed Business Associate Agreement (BAA)
The HIPAA Privacy Rule requires all covered entities (your practice) to have a signed Business Associate Agreement (BAA) with any Business Associate (BA) you hire that may come in contact with PHI. Since the telehealth platform you’re using or considering using creates, receives, maintains or transmits ePHI on behalf of a practice, it is considered your practice’s business associate.
The Business Associate Agreement (BAA) confirms HIPAA compliant telehealth by specifying how data is stored, where it is stored and what procedures the telehealth provider follows to ensure that data is protected. A BAA is required by the federal government for one healthcare entity to share HIPAA-sensitive data with another healthcare entity. The BAA is important because it shows that both entities comply with HIPAA, but it also provides remedies in case your telehealth partner has a breach or other HIPAA violation. It’s an important protection for both parties.
Every HIPAA Video partner is guaranteed a HIPAA BAA that can be accessed 24/7 through your Provider Portal, but can also be downloaded, emailed, and filed as needed.
Your Telehealth partner performs ongoing HIPAA compliance checks
Ultimately, what matters most is the wellbeing of your patients. Telehealth is an exciting way to drive the success of patient outcomes and will be here well beyond the Covid-19 pandemic.
So it’s important to understand that while using commercial video conferencing platforms might feel like the easy telehealth fix, this option lacks encryption and other important security features needed to ensure you’re actually providing HIPAA compliant telehealth.
HIPAA Video provides all of these compliance measures so you can rest easy and focus on your patients and your practice. As you evaluate the right solution for you, use these important points to guide you and you’ll be well on your way to providing fool-proof HIPAA compliant telehealth.