
HIPAA Compliance for Telemedicine Providers

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to provide the ability to transfer and continue health insurance coverage for many American workers and their families when they change their jobs. It was also designed to reduce healthcare fraud and abuse, partially by setting industry-wide standards for health care information on electronic billing and other processes. It also requires the protection and secure handling of specific patient health information. The Privacy Rule and the Security Rule address this last point, which is highly relevant to telemedicine.

The Privacy Rule

The Privacy Rule defines and governs the use and disclosure of Protected Health Information (PHI). Providers and their associates who are covered by HIPAA must develop and stick to procedures that protect and secure PHI whenever it is received, handled, transferred, or shared. It makes no difference if the information is shared on paper, electronically, or orally. The rule provides guidance that only the minimum health information necessary to care for the patient be used or shared.

The Security Rule

The Security Rule is shorthand for the Protection of Electronic Protected Health Information. It sets the standards for securing patient data that is stored or transferred by electronic means. It outlines three areas of protection required for compliance: administrative, physical, and technical. The rule establishes security standards for each.

Covered Entities

The HIPAA Privacy and Security Rules apply to certain “covered entities.” These include healthcare service providers, medical clearinghouses, and insurers, including some employer-sponsored health plans.

A business associate is an entity or a person that performs activities on behalf of a covered entity. Common examples are accountants, transcription services, attorneys, and some technology service providers. Under HIPAA, covered entities enter into contracts with business associates, requiring everyone who has access to protected data to treat it with the same level of care.

HIPAA and Telemedicine

The same requirements for patient privacy and confidentiality that apply for in-person visits apply to visits conducted over video. The provider has the identical responsibility to protect patient information. The storage of electronic files, video, and images needs to be approached with the same caution as one would take with physical documents.
Consumer-grade services, like Skype and FaceTime, do not support HIPAA-compliant video conferencing because they are not encrypted. Therefore, they should never be used for any purpose that requires the use of Protected Health Information.

Telemedicine Technology and HIPAA

In terms of telemedicine, providers looking to remain compliant with the law should look for the following features in any telemedicine technology that they consider:

  • Fully encrypted data transmission
  • No storage of video

In addition, the technology partner should be willing to enter into a business associate agreement.

Addressing Patients’ Privacy Concerns

Patients have every right to be concerned about privacy and ask how their information will be protected during a remote clinical encounter. Providers should be prepared to educate patients about the steps that they are taking, with their technology provider, to secure their confidential information. It is important to let patients know that you’ve chosen technology designed for this purpose and that you take your obligations under HIPAA very seriously.

While it is absolutely necessary to keep HIPAA in mind when setting up a telehealth program, it is possible to embrace this powerful innovation without putting your patients’ confidential information at risk.
