Understanding HIPAA Requirements for Telehealth

With the rise of telehealth, healthcare providers must be proactive in addressing how they utilize telehealth services and whether those uses meet HIPAA standards. Learn how to identify potential gaps in a HIPAA-compliant telehealth system.


During the COVID-19 public health emergency, telehealth became a popular, even preferred, method of conducting healthcare visits between providers and patients. HIPAA rules still applied to those visits, and there are many rules to follow, but the HHS Office for Civil Rights (OCR) announced early in the pandemic that it would exercise enforcement discretion and not impose penalties for noncompliance connected with the good-faith provision of telehealth. That grace period is coming to an end, which means telehealth providers must ensure HIPAA compliance at all times.

The rise of telehealth

COVID-19 was a catalyst for the telehealth boom, and telemedicine has evolved quickly since its mass adoption. Although many people think of telehealth as strictly a video consultation with a clinician, the term encompasses much more. Today, telehealth refers to caregiving through a wide array of digital technologies, including audio, text, virtual visits, streaming, store-and-forward transmission, prerecorded video, and videoconferencing.

Telehealth services are not only diverse in medium but also broadly applicable across the healthcare continuum. A technology-centric approach to care enables professionals to deliver clinical consultations, remote monitoring solutions, education, and information in a virtual setting at any given time.

The benefits of telehealth are broad. It makes healthcare more accessible, affordable, and equitable for patients while reducing provider stress by creating flexibility. Yet there are drawbacks to telehealth, primarily with how it fits within the scope of patient privacy as defined by HIPAA.

HIPAA concerns over telehealth

HIPAA is intended to ensure the privacy of protected health information (PHI) by regulating how it is collected, maintained, used, and disclosed by providers and payers. Unfortunately, HIPAA guidance has not kept pace with the new telehealth reality. OCR's pandemic-era notice of enforcement discretion covered telehealth "provided in good faith," a much looser standard than the stringent requirements of the Privacy and Security Rules themselves.

It also raises the question: What constitutes a "bad faith" application of telehealth? While criminal activities such as fraud or identity theft are clear violations of HIPAA guidelines regarding PHI, it is not so simple for other applications.

For instance, what about a legitimate good-faith consultation conducted through a public-facing service such as Facebook Live? Although it seems innocent, OCR's own notice excluded public-facing remote communication platforms even during the emergency, because anyone can view the stream, and using one is enough to run afoul of HIPAA standards on secure PHI handling. Contrast this with audio-only telehealth delivered over a traditional landline: because the PHI is not transmitted electronically, the Security Rule does not apply, although the Privacy Rule still requires reasonable safeguards such as speaking in a private setting.

These niche and nuanced situations have mostly gone unenforced during and since the pandemic. It was a sign of both the incredible need for telehealth and an allowance for mainstream adoption, in which regulation lags best practices. This may be about to change.

On Jan. 30, 2023, the Biden administration announced plans to officially end the COVID-19 public health emergency on May 11, 2023. While this hardly means a return to normalcy, it does allow OCR to retire its enforcement discretion and reassess how it views telemedicine through the lens of PHI and HIPAA standards.

Addressing telehealth HIPAA challenges

With the post-pandemic era officially coming soon, providers must be proactive in addressing how they are utilizing telehealth services and whether those uses meet the HIPAA Privacy and Security Rules.

Thankfully, future HIPAA guidance and OCR enforcement on telehealth aren’t likely to deviate much from established best practices. Providers should offer telehealth services in private settings to the extent feasible and always take precautions to prevent the disclosure of private information.

Under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), covered entities must conduct a risk analysis that identifies and addresses risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). To verify compliance, conduct a risk assessment to identify potential gaps in a HIPAA-compliant telehealth system, such as:

  • Could an unauthorized party intercept or join the session?
  • Does your telehealth platform encrypt session data in transit, and are stored recordings, chat transcripts, and images encrypted at rest?
  • Is authentication required to access a stored telehealth session, and is access limited to the clinician and patient involved?
  • Does the platform automatically end the session after a period of inactivity, and is that timeout enforced on the server rather than only in the client interface?
  • Is the platform vendor a business associate with a signed business associate agreement (BAA) in place?

You’ll find these features standard on most modern telehealth platforms, which further suggests forthcoming guidance specific to telehealth will be rooted in established best practices. The last remaining step is to ensure caregivers and staff are trained on proper administration, as they should be in any situation involving PHI.
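Two of the checklist items above, authenticated access to stored sessions and an inactivity timeout, are easy to get wrong when the timeout lives only in the client interface. The following is an added illustration, not code from TruBridge or from any telehealth platform, of how a server-side session store can enforce both: tokens are compared in constant time, every authenticated request refreshes the idle timer, a session that has been idle longer than the limit is destroyed on the next use, and a stored recording is released only to the user who owns it. The 15-minute timeout, the `SessionStore` and `fetch_recording` names, and the sample recording catalog are assumptions made for the example.

```python
import hmac
import secrets
import time

# Assumed policy value for the example; an organization sets this in its risk analysis.
IDLE_TIMEOUT_SECONDS = 15 * 60


class SessionStore:
    """Server-side session registry that enforces an inactivity timeout.

    The clock is injectable so the timeout logic can be exercised without waiting.
    """

    def __init__(self, clock=time.monotonic, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._clock = clock
        self._timeout = idle_timeout
        self._sessions = {}  # session_id -> {"user": ..., "token": ..., "last": ...}
        self.audit_log = []  # (event, session_id) tuples; a real system writes these to an audit trail

    def login(self, user_id):
        """Issue an unguessable session id and bearer token for an authenticated user."""
        session_id = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user_id, "token": token, "last": self._clock()}
        self.audit_log.append(("login", session_id))
        return session_id, token

    def authenticate(self, session_id, token):
        """Return the user id for a valid, non-idle session, else None.

        A session idle longer than the timeout is removed here, on the server,
        so a client that never sent a 'logout' cannot keep it alive indefinitely.
        """
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        # Constant-time comparison avoids leaking how many token bytes matched.
        if not hmac.compare_digest(sess["token"].encode(), token.encode()):
            self.audit_log.append(("bad_token", session_id))
            return None
        now = self._clock()
        if now - sess["last"] > self._timeout:
            del self._sessions[session_id]
            self.audit_log.append(("idle_expired", session_id))
            return None
        sess["last"] = now  # activity refreshes the idle timer
        return sess["user"]

    def active_count(self):
        return len(self._sessions)


# Constructed sample catalog of stored session recordings: recording id -> (owner, bytes).
RECORDINGS = {
    "rec-001": ("dr_smith", b"<encrypted recording blob for visit 001>"),
    "rec-002": ("dr_jones", b"<encrypted recording blob for visit 002>"),
}


def fetch_recording(store, session_id, token, recording_id, catalog=RECORDINGS):
    """Release a stored recording only to an authenticated, non-idle session
    belonging to the recording's owner. Returns the bytes, or None on any failure."""
    user = store.authenticate(session_id, token)
    if user is None:
        return None
    entry = catalog.get(recording_id)
    if entry is None or entry[0] != user:
        store.audit_log.append(("denied", session_id))
        return None
    store.audit_log.append(("recording_read", session_id))
    return entry[1]


if __name__ == "__main__":
    store = SessionStore()
    sid, tok = store.login("dr_smith")
    print(fetch_recording(store, sid, tok, "rec-001") is not None)  # owner: allowed
    print(fetch_recording(store, sid, tok, "rec-002") is None)      # not the owner: denied
```

The point of injecting the clock is that the inactivity control can be tested deterministically: advance the fake clock past the limit and confirm the next request is refused and the session is gone, which is the evidence a risk assessment should record for the "automatically ends the session" item.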

Create a secure future of telemedicine

Telehealth is here to stay and will only grow larger and more inclusive as the healthcare landscape shifts. As demand for distance medicine grows, providers must understand the evolving regulations governing it, including HIPAA compliance standards. Although telehealth has the power to democratize healthcare in new and powerful ways, it must do so with patient privacy at its core.

Learn more about HIPAA-compliant telehealth solutions at trubridge.com.