Propelled by the pandemic, healthcare organizations have met the demand for more virtual care options by offering telehealth to patients. With the proliferation of telehealth platforms, combined with insurance reimbursement for telehealth visits, video conferencing has become popular and widely used, especially for routine appointments and for people who have experienced barriers to in-person visits.
Despite its many benefits, several concerns still trouble both patients and healthcare companies. Is telehealth HIPAA compliant? Are certain platforms more compliant than others? Most people already have multiple applications with video conferencing capabilities installed on their personal computers, tablets, and mobile devices, such as WhatsApp®, Facebook Messenger™, Apple FaceTime®, Skype™, and Zoom®; they use them in other areas of their lives and feel comfortable and familiar with them. But will these platforms adequately protect patients' electronic Protected Health Information (ePHI)? What data do these platforms store, and how?
Overall, many patients[¹] still do not trust healthcare companies to protect their ePHI digitally. Their concerns are well-founded: IT and hacking incidents have increased[²] over the past few years. Recent ransomware attacks[³] that target ePHI have also reinforced this concern.
There are serious implications for not providing a secure means of telehealth communication. Non-secure communication can result in a security breach, putting patient data at risk. Security breaches cost healthcare organizations an average of $6.45 million[²], in addition to the legal and public relations consequences.
What Does HIPAA Say About Telehealth?
The regulations that make up HIPAA are not specific to telehealth. Regardless, the standard rules for the protection of ePHI, such as encryption and the execution of a Business Associate Agreement (BAA) with any third-party solution provider, do apply. The current HIPAA guidelines[⁴] relevant to telehealth are found within the HIPAA Security Rule and stipulate:
- HIPAA Standard 164.312(d): “Implement systems that verify the persons seeking access to ePHI are who they claim to be.”
- HIPAA Standard 164.306(b): “Implement appropriate security measures.”
HIPAA Compliance During Video Conferencing
Healthcare staff should be careful to only host video calls in a secure and private location to prevent unauthorized people from overhearing any PHI.
Use a HIPAA-Compliant Video Conferencing Platform
Healthcare companies can offer HIPAA-compliant video conferencing to their patients by investing in a platform that implements the safeguards needed to meet the required standards. This ensures organizations can protect ePHI throughout the entire appointment process, including all HIPAA-compliant SMS messaging, live chat, chatbot, and email communication before or after the video visit itself.
There are several necessary components to ensure that the platform is fully HIPAA compliant:
- End-to-end encryption should meet both industry best practices and HIPAA standards.
- The patient and any third-party participants (such as legal guardians, other healthcare providers, translators, etc.) should be authenticated with a log-in each time there is an interaction, and should be logged out automatically when the appointment is over.
- It should be possible to centrally monitor, audit, manage, and report on interactions.
- If the company uses a third-party software vendor, there must be a BAA executed with the vendor.
- A system for monitoring communications containing ePHI should be in place to prevent data breaches.
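The list above describes requirements rather than an implementation. As an added illustration (not code from the original article or from any product named on this page), the following constructed example shows one way a telehealth back end could satisfy the authentication, automatic-logout, and central-audit items: each participant logs in per interaction with a salted PBKDF2 verifier, every session is bound to the scheduled end of the appointment so the next access after that time logs the participant out instead of returning data, the provider can revoke all sessions early, and every event (including failed logins) lands in one audit log that can be reported per appointment. All names, roles, and the sample appointment are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed example: a minimal telehealth session controller. It is not the
# implementation of any platform listed in the article.

PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str
    action: str          # "login_ok", "login_failed", "ephi_access", "auto_logout", ...
    appointment_id: str


@dataclass
class Session:
    participant: str
    role: str
    appointment_id: str
    expires_at: datetime  # hard stop: the scheduled end of the appointment


class TelehealthSessionManager:
    """Per-interaction login, appointment-bound sessions and a central audit log."""

    def __init__(self) -> None:
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}  # name -> (salt, verifier)
        self._roles: Dict[str, str] = {}
        self._sessions: Dict[str, Session] = {}                   # token -> Session
        self._audit: List[AuditEvent] = []

    def register(self, name: str, password: str, role: str) -> None:
        """Enroll a participant; only a salted PBKDF2 verifier is stored, never the password."""
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._credentials[name] = (salt, verifier)
        self._roles[name] = role

    def login(self, name: str, password: str, appointment_id: str,
              appointment_end: datetime, now: datetime) -> Optional[str]:
        """164.312(d): verify the person is who they claim to be before issuing a session token."""
        cred = self._credentials.get(name)
        if cred is None:
            self._record(now, name, "login_failed", appointment_id)
            return None
        salt, verifier = cred
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        # Constant-time comparison; also refuse logins to an appointment that has already ended.
        if not hmac.compare_digest(candidate, verifier) or now >= appointment_end:
            self._record(now, name, "login_failed", appointment_id)
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(name, self._roles[name], appointment_id, appointment_end)
        self._record(now, name, "login_ok", appointment_id)
        return token

    def access_ephi(self, token: str, now: datetime) -> bool:
        """Every ePHI access is checked against a live session and written to the audit log."""
        session = self._sessions.get(token)
        if session is None:
            self._record(now, "unknown", "access_denied_no_session", "-")
            return False
        if now >= session.expires_at:
            # The appointment is over: log the participant out automatically.
            del self._sessions[token]
            self._record(now, session.participant, "auto_logout", session.appointment_id)
            return False
        self._record(now, session.participant, "ephi_access", session.appointment_id)
        return True

    def end_appointment(self, appointment_id: str, now: datetime) -> int:
        """Provider ends the visit early: revoke every session bound to it. Returns the count."""
        stale = [t for t, s in self._sessions.items() if s.appointment_id == appointment_id]
        for t in stale:
            s = self._sessions.pop(t)
            self._record(now, s.participant, "auto_logout", appointment_id)
        return len(stale)

    def audit_report(self, appointment_id: str) -> List[Tuple[str, str]]:
        """Central reporting: the ordered (actor, action) trail for one appointment."""
        return [(e.actor, e.action) for e in self._audit if e.appointment_id == appointment_id]

    def _record(self, when: datetime, actor: str, action: str, appointment_id: str) -> None:
        self._audit.append(AuditEvent(when, actor, action, appointment_id))


def demo() -> List[Tuple[str, str]]:
    """Constructed walk-through: a patient and a guardian on a 30-minute visit (assumed data)."""
    mgr = TelehealthSessionManager()
    mgr.register("patient-001", "correct horse battery", "patient")
    mgr.register("guardian-001", "staple", "legal_guardian")
    start = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    end = start + timedelta(minutes=30)
    appt = "appt-42"

    mgr.login("patient-001", "wrong password", appt, end, start)            # audited failure
    p_tok = mgr.login("patient-001", "correct horse battery", appt, end, start)
    mgr.login("guardian-001", "staple", appt, end, start + timedelta(minutes=1))
    mgr.access_ephi(p_tok, start + timedelta(minutes=5))                     # allowed
    mgr.access_ephi(p_tok, end + timedelta(seconds=1))                       # auto-logout
    mgr.access_ephi(p_tok, end + timedelta(seconds=2))                       # token is gone
    mgr.end_appointment(appt, end + timedelta(seconds=3))                    # guardian revoked
    return mgr.audit_report(appt)


if __name__ == "__main__":
    for actor, action in demo():
        print(f"{actor:14s} {action}")
```

The audit trail is the point of the design: a failed login, the patient's successful login, the guardian's login, one in-appointment ePHI access, and two automatic logouts all appear in one place and can be reported per appointment, which is what the "centrally monitored, audited, managed, and reported on" requirement asks for. In a real deployment the token would be carried in a secure, HttpOnly cookie or bearer header over TLS, the audit log would be append-only and retained per the organization's policy, and the appointment end time would come from the scheduling system rather than being passed in at login.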
To aid healthcare companies seeking a HIPAA-compliant video conferencing tool, the Office for Civil Rights (OCR) has compiled a list of HIPAA-compliant telemedicine software:
- Amazon Chime™
- Bridge Video Visits, powered by Zoom for Healthcare®
- Cisco® Webex Meetings / Webex Teams
- Google Hangouts™
- Skype for Business™
- Spruce Health Care Messenger™
- Zoom for Healthcare®
Healthcare organizations can offer HIPAA-compliant video conferencing to their patients with confidence by implementing a fully HIPAA-compliant telehealth platform integrated into their existing patient engagement solution.
Patients should also be required to complete the necessary consent forms and agreements. Commonly used consent forms and agreements for online patient portal and telehealth platforms include:
All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated with, endorsed by, or sponsored by any of the service providers mentioned in this article.
1. Accenture (2020). How Can Leaders Make Recent Digital Health Gains Last? [online] Accenture. Available at: https://www.accenture.com/_acnmedia/PDF-130/Accenture-2020-Digital-Health-Consumer-Survey-US.pdf
2. Seh AH, Zarour M, Alenezi M, et al. (2020). Healthcare Data Breaches: Insights and Implications. [online] Healthcare (Basel). Available at: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC7349636/
3. Drees, J. (2021). Hacker had access to Georgia health system's IT network 6 months before ransomware strike. [online] Becker's Hospital Review. Available at: https://www.beckershospitalreview.com/cybersecurity/hacker-had-access-to-georgia-health-system-s-it-network-6-months-before-ransomware-strike.html
4. HIPAA Journal (2018). HIPAA Guidelines on Telemedicine. [online] HIPAA Journal. Available at: https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/