HIPAA concerns for Telehealth
Thanks to innovative technology and changing reimbursement policies, telehealth is becoming more popular across the country. Increasing numbers of practices and facilities are using telehealth to reach more patients, consult quickly with other physicians, and increase their revenue.
One of the challenges of setting up telehealth services is ensuring that you continue to provide HIPAA-compliant care. While telehealth does not yet have its own specific HIPAA guidelines, you need to ensure your telehealth services provide the same privacy you offer to the patients who come to your office. This may require some extra work, but you should already have infrastructure in place, such as HIPAA policies and secure networks, to support HIPAA-compliant telehealth.
When you are providing telehealth care, you’ll need to:
Create a Private Space
When you are speaking to a patient via telemedicine, you are speaking to them as if you are both in an exam room together. While you can’t control where your patient is during a virtual session, you need to ensure you are in a private place. You must create a dedicated space that can be closed off to the rest of the practice so that others cannot overhear your conversation and violate your patient’s privacy.
Choose the Right Equipment
You must use equipment that encrypts information, keeping it private even on public Wi-Fi connections. Current EHR software will do this. There are also programs, apps, and devices on the market that provide this encryption through secure messaging.
Through this software, you temporarily give patients or consulting physicians access to the secure network you already have at your office. If you are using third-party software, it should integrate with your EHR, making it even easier to provide virtual care.
Sign Business Associate Agreements
According to the Department of Health and Human Services, business associates are entities that access PHI on your behalf. These may be contractors who collect billing data or do utilization reviews. They may also be software developers or a company that shreds documents for you.
All of these vendors need to sign business associate agreements stating how they use and protect PHI. A business associate agreement can help protect you from violating HIPAA law.
Some companies used for telehealth, like Skype, do not qualify for business associate agreements. Instead, they are considered “conduits” for transferring information: they do not access the data; they merely transport it. Some conduits can provide the same high level of data protection as companies that would qualify as business associates.
Conduct Risk Assessments and Maintain Policies
To prove that you are HIPAA compliant, you need to conduct risk assessments and regular evaluations of your systems to ensure that no unauthorized individuals are accessing patient information. Whenever you perform an assessment, document it thoroughly.
You also need to have security policies and procedures in place. These should outline how PHI is used, stored, and accessed. You should provide regular employee training on these policies, again documenting which employees attended and what you covered.
Ensuring HIPAA compliance for telemedicine care doesn’t have to be complicated. With the right policies and the right vendors, you can put HIPAA-compliant services in place quickly.
Get your practice ready for telemedicine. Download the complete ‘Providers’ Guide to Telemedicine’ to learn more.