What are HIPAA’s privacy requirements for telehealth?

Telehealth involves remote healthcare delivery through technology. HIPAA imposes privacy requirements for telehealth, ensuring the protection of patient data during remote healthcare. Covered entities must understand these requirements to comply with the law, maintain patient trust, and safeguard sensitive health information.

Privacy requirements for telehealth

HIPAA's privacy requirements for telehealth mirror those for traditional in-person healthcare delivery. These requirements encompass:

1. Obtaining patient consent

Before using telehealth services to collect, transmit, or store protected health information (PHI), healthcare providers must obtain informed and specific consent from patients. Patients must fully understand the implications of sharing their health information through telehealth, and their consent should be documented comprehensively in their medical records.

2. Using HIPAA compliant technology

To ensure the security and privacy of PHI during telehealth encounters, you must use technology that complies with HIPAA standards. This encompasses a range of measures, including:

• Encrypted communication: Using encrypted video conferencing software and secure data transmission channels to protect patient data during virtual consultations.
• Device and network security: Ensuring that the patient's device and network are adequately secured to prevent unauthorized access to PHI.

Patients should be reassured that their health information remains confidential and protected during telehealth interactions. 

3. Limiting access to PHI

Access to PHI should be restricted to authorized personnel only. Telehealth platforms must be configured to ensure that only authorized individuals can access patient information. This level of access control prevents unauthorized disclosure of sensitive data and contributes to maintaining patient confidentiality.

Related: What is role-based access control?

4. Staff training

Staff should be well-versed in HIPAA privacy and security requirements, focusing on how these regulations relate to telehealth practices. Training should encompass:

• Handling PHI: Proper protocols for handling and transmitting PHI securely.
• Secure data transmission: Ensuring patient data is transmitted securely during telehealth interactions.
• Protecting patient privacy: Emphasizing the importance of respecting patient privacy and adhering to HIPAA regulations at all times.

5. Privacy considerations for audio-only telehealth

While many telehealth encounters involve video conferencing, audio-only telehealth services are also widely used. In such cases, you must take precautions. While the HIPAA Security Rule may not apply to audio-only telehealth services in the same way as it does for video-based telehealth, specific measures can still protect PHI. These measures include:

• Confidential caller ID: Using confidential caller ID features to ensure patient information is not inadvertently disclosed during audio-only consultations.
• Password protection: Implementing password protection for telehealth sessions to prevent unauthorized access.

Related: Audio-only telehealth services and HIPAA compliance

6. Protecting PHI during telehealth

In addition to the specific HIPAA requirements, there are best practices that telehealth providers should follow to enhance patient privacy:

• Private locations: Encouraging patients to use private, secure locations for telehealth sessions, such as their homes or private offices, to minimize the risk of eavesdropping or unintentional disclosures.
• Avoiding public Wi-Fi: Advising patients to avoid using public Wi-Fi networks during telehealth sessions, as these networks are not secure and could potentially be intercepted by unauthorized individuals.
• Recording transparency: Being transparent about recording capabilities during telehealth sessions and obtaining patient consent before recording any sessions.