The Privacy Rule defines and governs the use and disclosure of Protected Health Information (PHI). Providers and their associates who are covered by HIPAA must develop and adhere to procedures that protect and secure PHI whenever it is received, handled, transferred, or shared. It makes no difference whether the information is shared on paper, electronically, or orally. The rule also provides that only the minimum health information necessary to care for the patient be used or shared.
The Security Rule is shorthand for the Protection of Electronic Protected Health Information. It sets the standards for securing patient data that is stored or transferred by electronic methods. It outlines three areas of protection required for compliance: administrative, physical, and technical. The rule establishes security standards for each.
The HIPAA Privacy and Security Rules apply to certain “covered entities.” These include healthcare service providers, medical clearinghouses, and insurers, including some employer-sponsored health plans.
A business associate is an entity or a person that performs activities on behalf of a covered entity. Common examples are accountants, transcription services, attorneys, and some technology service providers. Under HIPAA, covered entities enter into contracts with business associates, requiring everyone who has access to protected data to treat it with the same level of care.
The same requirements for patient privacy and confidentiality that apply for in-person visits apply to visits conducted over video. The provider has the identical responsibility to protect patient information. The storage of electronic files, video, and images needs to be approached with the same caution as one would take with physical documents.
Consumer-grade services, like Skype and FaceTime, do not support HIPAA-compliant video conferencing because they are not encrypted. Therefore, they should never be used for any purpose that requires the use of Protected Health Information.
In terms of telemedicine, providers looking to remain compliant with the law should look for the following features in any telemedicine technology that they consider:
In addition, the technology partner should be willing to enter into a business associate agreement.
Patients have every right to be concerned about privacy and ask how their information will be protected during a remote clinical encounter. Providers should be prepared to educate patients about the steps that they are taking, with their technology provider, to secure their confidential information. It is important to let patients know that you’ve chosen technology designed for this purpose and that you take your obligations under HIPAA very seriously.
While it is absolutely necessary to keep HIPAA in mind when setting up a telehealth program, it is possible to embrace this powerful innovation without putting your patients’ confidential information at risk.