We partnered with HITRUST, One Health, and Xtelligent today for a webcast entitled, "Panel Discussion: Security and Compliance in the Era of Telehealth and Virtual Care."
During the panel, a question came up that I thought others would want to know about.
The question was:
"Can you summarize some of the HIPAA privacy and security guidelines that are particularly relevant to telehealth?"
This post explains how I answered the question.
As you may recall, the Health Insurance Portability and Accountability Act, or HIPAA, became law in 1996.
As the internet became more popular, Congress added HIPAA provisions that mandated the adoption of privacy and security protections.
The first one was the HIPAA Privacy Rule, which went into effect in 2003. In a nutshell, it created a set of national standards for the safeguarding of certain health information, or protected health information (PHI).
The Privacy Rule also introduced a new term, covered entities: health plans, health care clearinghouses, and certain health care providers that conduct health care transactions electronically.
The HIPAA Security Rule set national standards for the confidentiality, integrity, and availability of electronic protected health information, or ePHI. It went into effect in 2005.
The Security Rule puts the Privacy Rule into practice by specifying how PHI may be used and disclosed, through administrative, physical, and technical safeguards.
Now that we've summarized the HIPAA Privacy and Security Rules, let's move on to telehealth.
An apt definition of telehealth can be found via the telehealth.hhs.gov site:
"Telehealth – sometimes called telemedicine – lets your health care provider provide care for you without an in-person office visit. Telehealth is done primarily online with internet access on your computer, tablet, or smartphone."
There are three generally accepted methods to provide telehealth:
Note: With the expiration of COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023, and the subsequent 90-calendar day transition period ending on August 9, 2023, using non-compliant apps for healthcare may expose providers to penalties and privacy risks. It is crucial to evaluate current technology and procedures and transition to HIPAA compliant solutions during this period to ensure patient privacy, data security, and compliance with federal regulations.
When the pandemic first hit in March 2020, HHS quickly announced the Notification of Enforcement Discretion, which allowed health care providers to use widely available audio or video communication apps without the risk of incurring HIPAA fines.
This notice allows health care providers to use popular applications to provide telehealth services, so long as they are "non-public facing."
Examples of non-public facing applications include:
Prior to COVID-19, we wrote about Apple Facetime, Facebook Messenger, WhatsApp, Skype and whether they were HIPAA compliant. At the time, we deemed them not to be compliant, as none of them provided a business associate agreement (BAA).
Under the Notification of Enforcement Discretion however, they are now allowed under HIPAA, as long as they are used in a good faith effort to provide audio or video telehealth services during the pandemic.
A couple things to note here are:
In conclusion, the Notification of Enforcement Discretion provision allows healthcare providers to use popular audio or video communication apps like WhatsApp, Skype, and FaceTime to provide telehealth services without fear of incurring HIPAA fines. In the past, these apps would not have been deemed compliant, as their parent companies do not provide a BAA.
Public facing communication apps like Twitch, TikTok, and Facebook Live are not allowed under this provision.
Lastly, the Notification of Enforcement Discretion expires on May 11, 2023.
Founded in 2007, HITRUST Alliance is a not-for-profit organization whose mission is to champion programs that safeguard sensitive information and manage information risk for organizations across all industries and throughout the third-party supply chain.
In collaboration with privacy, information security and risk management leaders from both the public and private sectors, HITRUST develops, maintains and provides broad access to its widely adopted common risk and compliance management and de-identification frameworks; related assessment and assurance methodologies; and initiatives advancing cyber sharing, analysis, and resilience.
One Health is a federally qualified health center (FQHC) serving Montana and Wyoming.
As its IT Director, Ryan Schoppe has developed and now oversees both a traditional IT department and the One Health telehealth network.
Over the last seven years that Ryan's served as IT Director, One Health has grown from one clinic and less than 30 employees to over 10 clinics and 250 employees.