Telehealth and HIPAA Compliance: What You Need to Know Now

Originally published by CyberGuard Compliance.

In the early days of the COVID-19 pandemic, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion which announced that the OCR would would be exercising it enforcement discretion to not impose penalties for Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations against covered health care providers in connection with their good faith provision of telehealth using non-public facing remote communication technologies.

Telehealth and telemedicine are often used interchangeably, but telemedicine refers to providing clinical services (either in real time or asynchronously) between patient and clinician and/or between clinician and clinician when the two parties are physically remote from one another using some form of information-communication technology. The term telehealth is a larger umbrella term encompassing other remote health-related services, such as administration, continuing medical education, and/or provider training.

Prior to the notification, providers who used technologies for telehealth visits were considered in violation of the HIPAA Security, Privacy, or Breach Notification Rules if they used unallowable technologies or the use of allowable technologies resulted in a breach. According to the notification during the pandemic, as long as providers used “good faith” efforts and only the allowable technologies included in the announcement, they would not be in violation of HIPAA.

Acceptable technologies included non-public facing tools (those that only allow the intended parties to participate) such as Apple’s FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video, Zoom, or Skype. The use of public-facing communication products such as TikTok, Twitch, Facebook Live, or public chat rooms were considered unacceptable and a violation of HIPAA.

On April 12, 2023, OCR announced that the Notifications of Enforcement Discretion issued under the HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act during the COVID-19 public health emergency would expire on May 11, 2023, due to the expiration of the COVID-19 public health emergency. OCR provided a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. The transition period was in effect beginning on May 12, 2023 and recently expired on August 9, 2023.

What this means for providers is that the enforcement discretion OCR used during the pandemic is over, and all covered entities and their business associates must revert back to previous HIPAA requirements.

Implications for HIPAA Compliance:

Security and Privacy Concerns:

Telemedicine platforms must ensure that the transmission of electronic protected information (ePHI) is secure and that patient privacy is maintained. This involves encrypting communications and implementing appropriate authentication measures to prevent unauthorized access to ePHI.

Business Associate Agreements (BAAs):

Telemedicine platforms and service providers that have access to ePHI are considered business associates under HIPAA. Covered entities (healthcare providers) must have signed BAAs with these business associates to ensure that they adhere to HIPAA regulations and maintain the security and privacy of ePHI.

Technology Evaluation:

Healthcare providers need to carefully assess the telemedicine platforms they use to ensure they comply with HIPAA regulations. This includes evaluating the platform's security features, data storage practices, and any third-party integrations.

Patient Authorization:

Patients must provide informed consent for the use of telemedicine technologies and the transmission of their PHI. This consent should include information about the potential risks and benefits of telemedicine, as well as the security measures in place to protect their data.

Remote Access Security:

Healthcare providers need to implement strong role-based access controls to ensure that only authorized individuals can participate in telemedicine sessions. This prevents unauthorized individuals from gaining access to PHI.

Training and Education:

Healthcare providers using telemedicine should receive training on how to use the technology securely and how to protect PHI during remote consultations.

Record Keeping:

Just like in traditional healthcare settings, accurate and complete records of telemedicine sessions, diagnoses, treatment plans, and other relevant information should be maintained. These records must be protected in accordance with HIPAA requirements.

Data Retention and Disposal:

Telemedicine platforms must have policies and procedures in place for the secure retention and eventual disposal of patient data. PHI should not be stored longer than necessary, and proper data disposal methods should be followed.

State Regulations:

In addition to federal HIPAA regulations, healthcare providers using telemedicine must also be aware of and comply with any relevant state-specific regulations pertaining to telehealth services. This includes additional privacy, data retention and breach notification requirements.

Adapting to Changing Regulations:

As telemedicine continues to evolve, healthcare providers and telemedicine platforms need to stay updated on any changes to HIPAA regulations that may affect telehealth practices.

Remember that HIPAA compliance is an ongoing process that requires vigilance and adaptation to new technologies and practices. It's crucial for healthcare organizations and telemedicine platforms to prioritize patient privacy and security while embracing the benefits of telemedicine. For the latest and most accurate information, always refer to official sources and consult legal and compliance experts.