What does HIPAA Compliant Telehealth Mean?
Many providers are concerned about how to provide secure Telehealth or Telemedicine to their patients. After all, treating patients with secure Telehealth technology is new to most providers, patients, and even health plans. So how do you provide HIPAA-compliant secure Telehealth? Read on. You might be surprised to find that you already have most of the policies and protocols in place for your practice. All of the procedures and protocols you follow today to keep your practice HIPAA compliant also apply to being a HIPAA-compliant secure Telehealth provider.
Key questions to ask a company before selecting a Telehealth Solution
To ensure that you are providing HIPAA-compliant Telehealth, you must confirm that the company you are working with will sign a Business Associate Agreement (BAA) between your practice and the Telehealth company. This will not be optional once the emergency regulations around COVID-19 end. A provider using a HIPAA-compliant Telehealth platform, with a valid BAA in place, is protected if the Telehealth technology suffers a data breach. This means that your practice is not exposed to the costly fines that can follow a data breach. It also means that the Telehealth company is responsible and accountable for any breach of its technology that results in the release of Protected Health Information (PHI).
The Federal Department of Health and Human Services (HHS) provides clear guidance on which companies are HIPAA compliant. The list includes companies like Zoom for Healthcare, Doxy.me, and VSee. Drexly Telehealth products all use the VSee platform as their engine, so you can be assured that Drexly fully meets the HIPAA-compliant telehealth requirements. To see this list and more from HHS, click here.
I have a HIPAA-compliant Telehealth platform; now what?
Once you have the BAA completed with your Telehealth vendor, then comes the part that most providers are already familiar with and practicing when it comes to HIPAA compliance. Providers will want to update their policies and procedures (P&P) to cover the delivery of HIPAA-compliant telehealth. It is recommended to take the time to write a Telehealth-specific P&P and keep it updated. Many health plans will ask providers for copies of the P&Ps that demonstrate how they provide HIPAA-compliant Telehealth. Supplying them with this new policy will often meet the request and be accepted by the plan.
Telehealth Resource Network Centers
A great free resource for providers learning how to integrate Telehealth into their practice is the Telehealth Resource Network of Centers (NCTRC). The NCTRC is a non-profit, government grant-funded organization made up of 12 regional centers across the U.S. They exist specifically to support and answer questions for all providers learning about secure Telehealth. Find your local Telehealth Center by clicking on this link.
Also, watch the video here, provided by one of the Regional Centers, on HIPAA-compliant Telehealth.
Refresher on HIPAA and Being Compliant
If you’re not familiar with HIPAA, it stands for the Health Insurance Portability and Accountability Act. It was designed and put in place to protect American workers and their families with respect to health care coverage, and to set industry-wide guidelines that protect their confidential information.
Simply put, any organization that handles “protected health information” (PHI) has to be HIPAA compliant. And who are these organizations?
They include, but are not limited to, the following:
- Company health plans
- Any company or school that handles protected health information if they enroll students or employees in a health care plan
That sounds like only big organizations need to be concerned. Don’t be fooled. Even if you are a one-person practice run out of an addition to your home, you need to comply as well. That includes every chiropractor, dentist, and physiotherapist; your designation doesn’t matter. If you are a health care provider of any sort, you need to comply and ensure that the telehealth care you deliver is secure.
Does HIPAA Apply to only Healthcare Providers?
It should also be noted that companies that merely collect and handle information from an existing health care facility or entity must also comply with the Act. This includes billing services and community health management information services, and even some software companies.
Also included are health, disability, or life insurance companies, and any others, that obtain medical reports to assess a policy application or claim.
Steps a Health Care Provider Can Take to Ensure Patient Privacy
It may seem like an incredible burden for anyone in health care or on the fringes of health care. But several steps can be taken that will help you stay within the guidelines of the Act. If you follow these, you have a better chance of not being in violation.
Who is a Business Associate?
Any individual or entity that performs functions or activities on behalf of a covered entity, where doing so requires access to PHI, is considered a business associate. This individual or organization may also provide services to a covered entity.
Examples of Business Associates:
• A third-party administrator that assists a health plan with claims processing.
• A CPA firm whose accounting services to a health care provider involve access to protected health information.
• An attorney whose legal services to a health plan involve access to protected health information.
• An independent medical transcriptionist that provides transcription services to a physician.
• A pharmacy benefits manager that manages a health plan’s pharmacist network.
There are exceptions to the business associate standard, where “a covered entity is not required to have a business associate contract or other written agreement in place before protected health information may be disclosed to the person or entity.”
These exceptions include but are not limited to the following situations:
• Disclosures by a covered entity to a healthcare provider for treatment of the individual
• PHI collection and sharing by a health plan that is a public benefits program, such as Medicare
• With individuals or organizations that are a conduit for PHI, like the US Postal Service
It is stated on the HHS website that “covered entities may disclose protected health information to an entity in its role as a business associate only to help the covered entity carry out its health care functions – not for the business associate’s independent use or purposes, except as needed for the proper management and administration of the business associate.”
Here is where business associate agreements or business associate contracts come into play.
What should a BAA include?
– Describe the permitted and required uses of protected health information by the business associate
– Provide that the business associate will not use or further disclose the protected health information other than as permitted or required by the contract or as required by law
– Require the business associate to use appropriate safeguards to prevent use or disclosure of the protected health information other than as provided for by the contract
– Where a covered entity knows of a material breach or violation of the contract or agreement by the business associate, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such efforts are unsuccessful, to terminate the contract or arrangement
– If termination of the contract or agreement is not feasible, a covered entity is required to report the problem to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)
NOTE: Copies of communications sent by SMS, standard Skype or email remain on the service providers’ servers and contain individually identifiable health information that is not encrypted. Sending ePHI this way is therefore not HIPAA compliant, and such services are not covered by a BAA.
Have A Business Associate Agreement With Your Vendors
As mentioned earlier, companies that store or regularly access patient information also need to be HIPAA compliant. It doesn’t matter if they don’t provide healthcare services. If you use such a vendor (like a billing service, EMR, or video chat software) to help provide your services, the vendor is called a Business Associate. More importantly, it’s your responsibility to make sure your Business Associates are HIPAA compliant. You do this by signing a Business Associate Agreement with them that binds them to follow the HIPAA rules.
Respect Your Patients’ Privacy While They’re in Your Office
Whether they’re in your lobby or your exam rooms, give patients the privacy they deserve.
- Don’t leave patient records, files, or documents anywhere they are unsecured.
- Always knock before entering a patient’s room.
- When you access any patient information on an electronic device—desktop or mobile—be sure that no one unauthorized can see it.
- Train your staff to follow these rules.
Post a Notice of your Privacy Practices
- Let your patients know you have rules in place by posting them in a public place for them to view.
- If your practice maintains a website, have a page that clearly states your Notice of Privacy Practices.
- Always have copies of your policy available for your patients.
Develop & Follow a Privacy Policies and Procedures Manual
- Develop a procedure manual with step-by-step guidelines for patient privacy and HIPAA compliance.
- Make sure this manual is accessible to all staff members, and collect signatures indicating that they have read and accepted your policies and procedures.
- Annually review your systems to be sure they remain current, and in turn, check them with your staff.
Train Your Team
- Don’t just assume your team is keeping up to date with HIPAA. Do annual training.
- Continue to obtain signatures from your staff, indicating they are keeping up with their annual training.
- Be sure that any other businesses you associate with also keep up to date with their HIPAA training.
Do the Mandatory Annual HIPAA Risk Assessment
- You have the choice of doing this risk assessment internally or hiring a HIPAA expert to come in and perform the evaluation.
- Develop a plan of action and timeline for any areas where remediation and follow-up are necessary.
- Only use secure disposal techniques when disposing of anything with patient health information included, regardless of the format.
If you’re diligent in following these guidelines, you can be confident that you and your office remain in compliance with HIPAA.
For practices already with a HIPAA compliance plan, the above is nothing new. However, it’s essential to ensure that your documentation on PHI and consent includes delivering patient care using telehealth technology.