Intersection Between HIPAA and Emerging Telehealth Practices

Telehealth is changing the way that patients can access health care, but when new technology meets decades-old federal regulation, tensions will necessarily arise.

When it comes to the intersection between telehealth and HIPAA regulation, there are many common misconceptions about how to run a telehealth practice while maintaining compliance with federal privacy and security standards.

Before we dive into some of the particularities of HIPAA as they apply to telehealth professionals, let's look at some of the basics of HIPAA regulation.

Understanding HIPAA Compliance

HIPAA regulation is composed of a series of HIPAA Rules that outline national standards for the use and distribution of protected health information (PHI). PHI is any demographic information that can potentially identify a patient. Common examples of PHI include name, address, date of birth, phone number, Social Security number, insurance ID number, medical record, or full facial photograph, to name a few.

Under the regulation, telehealth practitioners are considered covered entities. A covered entity is any health care provider, health care clearinghouse, or insurance company. As a covered entity, a telehealth practitioner is required to address all elements of the HIPAA Rules. 

Here is a list of the HIPAA Rules and what they generally require:

  • HIPAA Privacy Rule: The HIPAA Privacy Rule establishes federal standards for the use and disclosure of PHI. This includes employee access and patient authorization forms.
  • HIPAA Security Rule: The HIPAA Security Rule sets standards for how practitioners must safeguard PHI they encounter. The rule is broken up into Administrative, Physical, and Technological standards.
  • HIPAA Omnibus Rule: The HIPAA Omnibus Rule states that before any PHI can be shared with vendors, the two organizations must execute Business Associate Agreements to ensure that data is protected in transit and reduce liability in the event of a breach.
  • HIPAA Breach Notification Rule: The Breach Notification Rule identifies the different classifications of data breaches that an organization can experience. It also outlines how organizations must respond to these breaches via patient notification and HHS reporting.

These are the fundamental HIPAA Rules that all health care providers must adhere to regardless of how they conduct their business--telehealth or otherwise.

But in addition to these Rules, there are certain key areas that make telehealth practitioners potentially more vulnerable to a HIPAA violation.

HIPAA Violations and Telehealth

Because Telehealth professionals rely on telecommunications and video chat clients to serve their patients, the risk of data being exposed in the event of a health breach is significant.

In order to protect your practice from potential data breaches caused by a faulty vendor, your practice must have a robust HIPAA compliance program in place first in order to establish uniform policies. These policies will guide your practice in the event that a relationship with a vendor begins or ends. By outlining exactly who can share information with vendors and under what circumstances, your practice is already significantly reducing your risk of PHI being mishandled.

Once your organization's HIPAA compliance plan is in place, you must ensure that you execute Business Associate Agreements with all vendors BEFORE any PHI is shared. Vendors who handle PHI over the course of the work they've been hired to perform are necessarily considered business associates under HIPAA. 

Business Associate Agreements ensure that your practice will not be held liable in the event of a data breach caused by a vendor. With massive data breaches like the Equifax and Anthem examples from 2017 making headlines, Business Associate Agreements are more important than ever before.

And finally, your practice must perform due diligence investigations of vendors you decide to do business with. By assessing the security measures and security infrastructure your vendors have in place, in addition to the status of their HIPAA compliance, before doing business with them, you can save your practice from mounting HIPAA audits and fines.

These are just a few of the ways telehealth professionals can start protecting their practice right now from data breaches and ensuing HIPAA violations.

About Compliancy Group:

Compliancy Group gives telehealth professionals confidence in their HIPAA compliance with The Guard®. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.

Compliancy Group's team of expert Compliance Coaches® field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and vendor management.

With The Guard, telehealth professionals can focus on running their practice while keeping their patients' data protected and secure.

Find out more about how Compliancy Group and the HIPAA Seal of Compliance® can help simplify your HIPAA compliance today!

Because of the benefits Compliancy Group can bring to clinical practices and IT providers, Telehealth Certification Institute has an affiliation agreement with them. Follow the link above to our affiliate page on their site to receive the first three months free.

Media

intersection-between-hipaa-and-emerging-telehealth-practices

1 comment

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.