Find out some of the items you might need to address in HIPAA compliance that can translate into your Telehealth practices.
Telehealth has become somewhat of a buzzword now that many health care organizations are looking for ways to make health care more accessible to their patients. The Health Resources and Services Administration (HRSA) defines telehealth as “the use of electronic information and telecommunication technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include video conferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.”
Regardless of whether you are required to be HIPAA compliant, the HIPAA Security Rule is a good place to start when working out how to keep patient information protected over these newer forms of communication. It is also worth knowing that a provider who bills insurers electronically is a covered entity under HIPAA, so if your organization receives reimbursement from insurance companies, there is a high likelihood that it must be HIPAA compliant.
HIPAA compliance items to think about when delivering telehealth
The HIPAA Security Rule treats encryption of ePHI as an addressable implementation specification: you must encrypt it, both where it is stored and while it is transmitted, wherever that is reasonable and appropriate, and if you decide it is not (for example on cost grounds), you must document why and put an equivalent alternative safeguard in place. Merely obfuscating the data is not a substitute. Ideally, you should use telehealth software or a service that is already built for HIPAA compliance and encrypts electronic protected health information (ePHI) at rest and in transit, and the vendor should be able to tell you how it does so and who holds the keys.
If a patient accesses ePHI through a portal or logs in to a telehealth session, the system must authenticate that patient, at a minimum by giving each person a unique username and password; shared or generic logins do not satisfy this. Person or entity authentication and unique user identification are required standards under the Security Rule, not addressable ones. Note that "addressable" does not mean optional: it means you must assess whether the specification is reasonable and appropriate for your office, implement it if so, and otherwise document why and implement an equivalent alternative. Find out more about required vs. addressable HIPAA requirements, here.
There should be an automatic logoff (time-out) feature: if a patient or provider steps away from the session or portal for a specified length of time, the software logs the user out so that nobody else can pick up the session. This is an addressable implementation specification, and it matters particularly when a mobile device is used for care. If the device is lost or stolen, you want the session already closed and the information as protected as possible before you get the chance to wipe the device remotely.
Speaking of remote wipe, that is another item worth adding to your checklist. Nothing in the HIPAA regulations specifically requires it, but you will want to be able to wipe a mobile device remotely if it is lost or stolen. Bear in mind that a wipe command only reaches a device that is powered on and connected, so remote wipe complements full-device encryption rather than replacing it. There are plenty of examples, like the Advocate Health Care settlement, where remote wipe technology might have helped significantly reduce the fines incurred.
If any ePHI is stored in the software or service you use for telehealth, ensure that an emergency access procedure is in place (this one is a required implementation specification). Should there be an emergency such as a fire or flood, when resources may be limited and your patient needs care from you or another provider, you will want to be able to reach the health information to provide the best care possible.
Integrity controls also matter if ePHI is stored in your telehealth software or service. You will want to be able to detect whether ePHI has been altered or destroyed by anyone other than you or your designated employee(s), which in practice means the software should keep an audit trail of who changed which record and when, and ideally a mechanism such as checksums or signatures that reveals unauthorized modification.
Finally, a Business Associate Agreement (BAA) must be in place with any vendor whose telehealth software or service creates, receives, maintains or transmits ePHI on your behalf. It obliges the business associate to protect that ePHI as you would and to report any breach of it to you. BAAs are an essential part of HIPAA compliance; if a vendor will not sign one, do not route ePHI through its product.
For more information on HIPAA compliance and the ways it might translate into telehealth, join other telehealth practitioners on HIPAAgps today!