Healthcare providers must prioritize the implementation of HIPAA guidelines for telemedicine in order to address the unique challenges associated with remote healthcare delivery. Additionally, there is a wide range of HIPAA compliant technologies available for the remote delivery of healthcare, and it is crucial to adhere to other state and federal laws that govern the provision of remote healthcare.

The HIPAA telemedicine guidelines outline several important steps. Firstly, healthcare professionals should conduct an audit to identify how they communicate with patients and business associates. This allows them to assess potential risks to the privacy of health information and the security of electronic transmissions. Subsequently, policies should be developed to mitigate the risk of violations and breaches, and healthcare professionals should ensure they receive HIPAA training regarding these policies. Moreover, it is crucial to have compliant business associate agreements in place with each business associate and software vendor. Verification procedures should be implemented for initial contacts and compromised access credentials. Furthermore, policies must be established for recording patient consent in cases where the confidentiality of a remote consultation cannot be guaranteed. Lastly, all remote patient encounters should be documented to comply with HIPAA's document retention requirements.
Telemedicine has played a significant role in healthcare provision since the advent of the telephone. With the evolution of video and digital technologies throughout the twentieth century, healthcare providers began incorporating these tools to improve remote care quality. This approach not only replaced physical visits with virtual ones but also facilitated faster collaboration between healthcare units. The adoption of physician-to-patient telemedicine gained momentum after the passage of the Affordable Care Act and the subsequent introduction of the Hospital Readmissions Reduction Program by the Centers for Medicare and Medicaid Services (CMS). Healthcare providers discovered that monitoring patients' health remotely significantly reduced hospital readmissions, resulting in substantial cost savings.
Healthcare providers that fall under the category of HIPAA Covered Entities have been obligated to follow the HIPAA Administrative Simplification Regulations since the early 2000s. These regulations are primarily known for safeguarding the privacy of personal health information (known as the Privacy Rule) and ensuring the secure collection, storage, sharing, and transmission of Protected Health Information (PHI) in electronic form (known as the Security Rule). The Privacy Rule applies to both in-person and remote healthcare services, but it doesn't specifically provide guidelines for telemedicine. As a result, the guidelines for HIPAA compliant telemedicine have been derived from guidance issued by the Department of Health and Human Services (HHS) and interpretations of the Privacy Rule, leading to the establishment of best practices for HIPAA compliant telemedicine. Most telehealth activities are subject to the Security Rule, except for certain cases mentioned under 'Telehealth Phone Calls.' Moreover, the Security Rule also applies to Business Associates of Covered Entities, which in the context of telemedicine and HIPAA refers to Covered Entities that offer services on behalf of other Covered Entities (when there is no direct treatment relationship with the patient), as well as providers of HIPAA compliant telemedicine platforms and software. Given the complexity of 'indirect treatment relationships' in telemedicine, healthcare providers of all types must consider additional factors when delivering telemedicine services. The subsequent sections elaborate on these considerations, as well as the HIPAA requirements for telehealth when sharing PHI with other healthcare providers acting as Business Associates or transmitting PHI via HIPAA compliant telemedicine software.
Telehealth professionals face unique obstacles in their practice. One of these challenges revolves around verifying the identity of their patients, especially in situations where a patient is referred from one healthcare provider to another with no prior treatment history, or when the consultation takes place at a different facility managed by a separate healthcare provider due to the patient's lack of access to telehealth technology. Once patient identity is confirmed, ensuring the privacy of the consultation can also be difficult. In cases where a translator, caregiver, or family member is present, or when the consultation occurs in a public location where others may overhear, healthcare providers may need to obtain explicit consent to proceed. There have been instances of patients participating in telemedicine calls while at work or even at the gym. Furthermore, compliance with the Privacy Rule HIPAA telehealth requirements can present challenges based on the healthcare provider's location. Consultations may have to take place in a busy office, at home, or in a public area with excessive background noise, making it difficult to maintain confidentiality. In such circumstances, rescheduling the consultation or informing the patient about limitations in disclosing personal information may be necessary. Perhaps the most challenging issue to address is when a healthcare provider refers a patient to another provider that is not under the same controlling entity. Depending on the nature of the telehealth activity, it may be essential to restrict the amount of patient health information disclosed to the second provider. Additionally, it might be necessary to request that the second provider enters into a Business Associate agreement or confirms that any disclosed patient health information will not be further shared.
The HIPAA telehealth requirements under the Security Rule are generally the same as those for other healthcare activities. However, there are specific guidelines for telemedicine that Covered Entities and Business Associates need to be aware of in order to avoid accidental violations of HIPAA and unauthorized disclosure of PHI. This also helps prevent unfounded patient complaints regarding privacy breaches. The first guideline addresses software vendors claiming HIPAA compliance but refusing to enter into a Business Associate Agreement because they lack access to encrypted PHI, as the Covered Entity holds the decryption key. HHS has provided guidance stating that software vendors and service providers are considered Business Associates due to their "persistent access" to PHI on their servers. The second guideline focuses on conducting risk analyses for complex telemedicine frameworks, such as when a HIPAA compliant telemedicine platform directly connects with an EHR. The final guideline pertains to potential security risks at the patient's end during a telemedicine consultation. Although originally mentioned in the context of CMS' Interoperability and Patient Access Final Rule (2020), it is also applicable to the Security Rule HIPAA telehealth requirements. It states that the Covered Entity is not held liable for any issues relating to PHI once the designated third party, i.e., the patient's device, receives the information.
The HIPAA General Provisions in Part 160 contain a definition of electronic media. It is crucial to understand this definition because, in certain circumstances, certain transmissions of PHI are not considered electronic transmissions. In such instances, the administrative, physical, and technical safeguards outlined in the Security Rule do not apply, but other state privacy and security laws might still be applicable. To address this situation, the Department of Health and Human Services (HHS) has released HIPAA guidelines regarding telemedicine and its relationship to this definition. According to the guidance released in 2022, the HIPAA Security Rule does not extend to audio-only telehealth services offered by a Covered Entity using a standard telephone line, often referred to as a traditional landline, since the transmitted information is not electronic. This guidance is applicable to audio-only telehealth phone calls made or received by a Covered Entity, regardless of the patient's technology. However, it should be noted that the definition of "standard telephone lines" as used by a Covered Entity does not encompass VoIP services or mobile or desktop platforms that utilize electronic media such as the Internet, cellular networks, or Wi-Fi.
Healthcare providers must not only adhere to the Privacy and Security Rules of HIPAA but also be aware of the HIPAA General Provisions outlined in Part 164. These provisions extend the Privacy Rule standards to Business Associates in specific cases. One such case is when one healthcare provider conducts consultations on behalf of another provider as a Business Associate without a direct treatment relationship.

While most healthcare providers qualify as Covered Entities under HIPAA, there are exceptions. Therefore, healthcare providers conducting consultations as Business Associates must comply not only with the Security and Breach Notification Rules applicable to all Business Associates but also with the Privacy Rule standards that pertain to their role in relation to the Covered Entity. This requirement should be explicitly stated in the Business Associate Agreement.

In terms of software vendors and service providers, it is important to note that not all of them are willing to sign Covered Entities' Business Associate Agreements. Instead, they may insist that Covered Entities sign their own agreements. This is particularly common among large Cloud Service Providers such as Microsoft, AWS, and Google, as they offer standardized services to all customers and cannot customize services to meet each Covered Entity's unique compliance needs. However, it is crucial for healthcare providers to understand that just because other providers accept the terms of a specific vendor's Business Associate Agreement, it does not automatically mean that the agreement is suitable for every Covered Entity.

Therefore, healthcare providers are strongly advised to carefully review all the terms of any Business Associate Agreement they are asked to enter into. If a clause is identified that does not align with an existing HIPAA policy, providers should be prepared to either seek alternative service providers or amend their HIPAA policy accordingly.
Telemedicine healthcare providers should be well-informed about various non-HIPAA guidelines. It is crucial to understand that every state has its own unique definition and regulations regarding telemedicine, which may even supersede HIPAA regulations by offering enhanced privacy protections or greater patient rights. One notable aspect to consider, concerning HIPAA telehealth rules, is whether the state allows HIPAA Covered Entities to provide telehealth services across state borders. In addition, different states may have distinct regulations pertaining to breach notifications. Under HIPAA, breach exceptions are applicable, and if none applies, Covered Entities must notify affected individuals of the breach within sixty days. However, these exceptions are not universally recognized, and some states have broader definitions of a Covered Entity. Moreover, some states impose shorter notification time frames for affected individuals and State Attorneys General. With regards to HIPAA telehealth requirements, a breach refers to any unauthorized use or disclosure that compromises the security or privacy of PHI. An example would be a healthcare provider discussing someone else's health condition without verifying the remote patient's identity. In certain states, the definition of a breach is even more stringent, encompassing any unauthorized use or disclosure of PHI, regardless of whether the security or privacy is compromised. Furthermore, healthcare providers should be aware of additional non-HIPAA guidelines that cover matters like prescribing controlled substances remotely and disclosing substance use disorder patient records via telemedicine. It is also crucial to stay updated on the telemedicine services covered by health plans and Medicare, as these can vary and frequently undergo changes. The most recent updates on Medicare coverage can be found in the provided policy update.
The true impact of the COVID-19 public health crisis on telemedicine is hard to gauge accurately. The only available data comes from the Medicare FFS Part B Claims Data, as presented in CMS' Telehealth Trends Report. This data, which does not include health plan data, shows that prior to the pandemic, only 7% of eligible patients utilized telemedicine services. However, as the public health emergency unfolded, the percentage skyrocketed to 47%. This surge was driven mainly by restrictions on outpatient visits, as well as the temporary HIPAA guidelines on telemedicine announced by the HHS' Office for Civil Rights, which eased enforcement actions against providers who made good faith violations of HIPAA rules. Over time, as providers, staff, and patients became more comfortable with virus mitigation strategies, the percentage of telehealth users gradually declined and stabilized around 15%. This level is expected to persist due to a newfound appreciation and acceptance of telemedicine, even after the temporary HIPAA guidelines come to an end in August 2023.
During the COVID-19 pandemic, the HIPAA guidelines pertaining to telehealth underwent temporary modifications. In response to the Public Health Emergency, the Office for Civil Rights of the U.S. Department of Health and Human Services introduced a Notice of Enforcement Discretion for Telehealth Remote Communications. This allowed Covered Entities to utilize telemedicine platforms that may not have been fully compliant in order to communicate with patients. However, these temporary measures expired in May 2023, with a possible transition extension until August 2023.
Despite a decrease in the percentage of patients using telehealth services since the end of the public health emergency, the benefits of telehealth experienced during the pandemic have encouraged CMS to explore different services in order to determine which ones provide the best value for money. In a recent move, CMS has revised its Category 3 list of services that are likely to offer both clinical and financial benefits, but lack sufficient evidence to warrant permanent coverage. As opportunities to improve services and save costs are identified, health plans are following CMS's lead, and advancements in technology are allowing for the expansion of telemedicine options for patients. This expansion poses new challenges for healthcare professionals who aim to provide HIPAA compliant telemedicine services, and it is possible that HHS will release specific HIPAA guidelines for telehealth to address any questions regarding the requirements. If your organization is uncertain about the necessary safeguards and guidelines to support HIPAA compliant telemedicine, please get in touch.
To ensure HIPAA compliance, organizations need to conduct an audit of how healthcare professionals communicate with patients. Without this understanding, it is impossible to guarantee adherence to best practices.

When performing a risk analysis, organizations should extend their assessment to include the use and disclosure of protected health information (PHI) during remote communications. This analysis should align with the requirements set forth in the Security Rule.

Existing policies that govern face-to-face interactions with patients should be extended to cover remote interactions as well. It is important to develop comprehensive policies that address the unique considerations and challenges associated with remote healthcare.

When a third party provides telemedicine services on behalf of the organization, it is crucial to include them in business associate agreements. This step is especially important in cases where there is no direct treatment relationship with the patient.

Verification procedures must be put in place to ensure that business associates promptly report any security incidents, as required by §164.314. This will help identify instances where access credentials have been compromised.

Consent should be obtained when using unsecured communication channels or when there is a risk of a consultation being overheard. This step helps protect patient privacy and confidentiality.

It is advisable to document and retain documentation of remote communications with patients. While some telemedicine platforms may have built-in recording and archiving capabilities, organizations should ensure that the recorded data is securely stored.

By following these guidelines, healthcare organizations can enhance the effectiveness and security of their remote communication practices in telemedicine and ensure the well-being of their patients.
Various organizations have a say in establishing the regulations surrounding HIPAA and telehealth. One such organization is HHS' Office for Civil Rights, which releases the Privacy and Security Rules. Additionally, HHS' Centers for Medicare and Medicaid Services are responsible for determining the fee schedule for physicians. This fee schedule determines the extent of telehealth services covered by Medicare. Moreover, the Federal Trade Commission oversees compliance with the Breach Notification Rule for entities that do not meet the criteria of HIPAA Covered Entities.
According to the Office of the National Coordinator for Health Information Technology, there is a distinction between HIPAA compliant telemedicine and HIPAA compliant telehealth. Telemedicine specifically refers to remote clinical services that adhere to HIPAA regulations, while telehealth encompasses a wider range of remote services, including non-clinical offerings such as provider training and medical education. However, it is important to note that when any telehealth service involves the use or disclosure of PHI (Protected Health Information), it must be conducted in a manner that complies with HIPAA guidelines.
Meeting the HIPAA telemedicine requirements goes beyond establishing a secure connection between a physician and a patient. The Security Rule necessitates the implementation of further safeguards, including auditing capabilities, data back-up procedures, and disaster recovery mechanisms. It is crucial to track, log, and securely store all communications to maintain the confidentiality, integrity, and availability of ePHI. This not only ensures patient privacy but also supports business continuity during man-made or natural disasters.
The prevalence of Man-in-the-Middle attacks in the medical field remains uncertain. According to a 2020 survey, 62% of healthcare industry professionals claimed to have experienced such attacks in the past five years. However, the survey's scope and scale have not been disclosed, leaving questions about the percentage of telemedicine-related attacks and how respondents identified these incidents as Man-in-the-Middle attacks.
If a patient is not familiar with technology and can only use a service that is not compliant, like Facebook Live, healthcare providers should utilize a communications channel that the patient is accustomed to. For instance, Google Meet can be employed instead of Facebook Live, as the patient can simply click on a Gmail link to join a meeting without the need to download or install any software.
The Department of Health and Human Services (HHS) refrains from endorsing any particular telemedicine software as being HIPAA compliant. This is because the Security Rule of HIPAA is designed to be flexible, scalable, and technologically neutral. Moreover, the General Rules of the Security Rule (45 CFR § 164.306) permit Covered Entities to choose their own approach in determining which security measures and technologies are reasonable and appropriate for their organizations.
The challenges associated with HIPAA compliance in the context of telehealth depend on the specific service being offered. When it comes to communication between healthcare providers and patients, the primary challenges typically revolve around verifying patient identity and ensuring the confidentiality of the exchanges. On the other hand, when telehealth services are provided among healthcare professionals, the main challenges often entail authenticating users and establishing secure channels of communication. In some cases, the existence of a HIPAA compliant Business Associate Agreement may also pose a challenge, depending on the relationship between the parties involved.
Telehealth can achieve HIPAA compliance by implementing policies and security measures that adhere to the HIPAA Privacy and Security Rules. To ensure this compliance, it is recommended to carry out a risk analysis and establish protocols for identity verification and obtaining patient consent as required. It is essential to maintain records of the risk analyses, policies, patient consent forms, and Business Associate Agreements (if applicable) for a minimum of six years.
A telehealth platform that adheres to HIPAA standards is a secure communication service operated in the cloud. It includes all the necessary measures and protocols to ensure compliance with HIPAA regulations. To ensure the responsible handling of Protected Health Information (PHI), it is crucial to configure the platform controls according to HIPAA Privacy and Security Rules. Additionally, users must receive appropriate training on how to utilize the platform in a compliant manner, and the platform vendor must establish a Business Associate Agreement to formalize their commitment to HIPAA compliance.
The requirement to adhere to HIPAA telehealth rules when reaching out to a patient over the phone is determined by the type of phone you utilize. If you opt for a landline to conduct an audio-only telehealth consultation, you are exempt from the Security Rules for HIPAA compliant telehealth. On the other hand, if you rely on a VoIP service, mobile or desktop app that connects you to the patient using a cellular or Wi-Fi network, or the internet, all the HIPAA telehealth rules must be followed.
Telehealth communication is subject to the Privacy Rule to ensure that telehealth consultations maintain confidentiality and prevent any unauthorized disclosure of protected health information (PHI). However, there are exceptions to this HIPAA guideline on telehealth when two healthcare units controlled by the same Covered Entity share PHI remotely for collaborative purposes such as diagnosing, determining treatment plans, and developing care plans.
All healthcare providers that meet the criteria of a HIPAA Covered Entity are subject to the telemedicine requirements under HIPAA. To be considered a HIPAA Covered Entity, a healthcare provider must electronically transmit health information, or use a third party to transmit this information, in accordance with standards set by the Secretary for Health and Human Services. These standards primarily pertain to authorizations, claims, and billing and can be found in Part 162 of the HIPAA Administrative Simplification Regulations.
State or federal legislation can have an impact on telehealth and HIPAA compliance when these laws offer greater privacy safeguards or grant patients more control over their protected health information (PHI) than what HIPAA currently mandates. This means that certain federal regulations such as those pertaining to the confidentiality of substance use disorder patient records (42 CFR Part 2) or specific state laws like the Texas Medical Records Privacy Act, can take precedence over HIPAA requirements. As a result, healthcare providers must implement additional measures to comply with these laws while still adhering to HIPAA regulations.
The telemedicine guidelines set forth by HIPAA do not impose restrictions on the patients who can receive remote consultations. The determination of eligibility rests with either the insurance provider or the Centers for Medicare and Medicaid Services (CMS). To assist in this process, the Health Resources and Services Administration has introduced a helpful tool that enables individuals to determine whether a healthcare provider is eligible to offer remote consultations under a Medicare plan. Alternatively, patients have the option to privately compensate their healthcare provider for remote consultations.
The consequences of failing to comply with HIPAA requirements for telehealth vary based on the specific violation, its impact, and your status as an employee of a Covered Entity. Your employer's sanctions policy will also come into play. Generally, minor violations may lead to a verbal warning and additional training. However, repeated or more severe violations could result in contract suspension or termination.
According to HIPAA regulations (45 CFR §164.530), it is crucial for the members of the workforce to receive appropriate training on HIPAA and telehealth in order to fulfill their duties in compliance with the law. In addition, the Covered Entity's security and awareness training program (45 CFR §164.308) should incorporate the proper use of HIPAA compliant telehealth platforms. Failing to provide sufficient training on HIPAA and telehealth is considered a direct violation of HIPAA regulations.
The guidelines regarding HIPAA regulations for telehealth services require patients to verify their identity. However, there are different protocols for handling cases where a patient is unable to do so, depending on whether they are unwilling or incapable of verifying their identity. If a patient is unwilling to provide verification, it is generally recommended to postpone the remote consultation unless there are compelling reasons to proceed. On the other hand, if a patient is unable to verify their identity, a healthcare provider may choose to either postpone the consultation or continue with it based on their professional judgment and what they believe is in the patient's best interests.
Failure to comply with the telemedicine rules outlined by HIPAA is typically considered a civil violation, unless it can be shown that an employee of a Covered Entity deliberately and unlawfully exposed personal health information in violation of Section 1177 of the Social Security Act. In these instances, the inappropriate disclosure of protected health information (PHI) will be reported to the Department of Justice by the Office for Civil Rights under the U.S. Department of Health and Human Services (HHS) for a criminal investigation.
Parents have the same rights and access to their child's personal health information during telehealth consultations as they do during in-person visits, as per the HIPAA rules. Unless there is a state law that overrides HIPAA, parents who have custody over minors are legally recognized as their personal representatives and can review their child's PHI. This also means that parents can be present during a virtual consultation with their child without needing the child's consent.