The telemedicine HIPAA requirements affect any medical sector employee or healthcare organization that supplies a remote service to patients in their homes or at community-based centers, particularly with regard to obtaining consent, verifying the identity of the patient, and complying with the minimum necessary standard.
Many people wrongly believe that remotely disclosing Protected Health Information (PHI) in a telemedicine consultation is permitted without restriction when the communication is directly between a healthcare professional and a patient. This is because this is what the language of the General Rules of the HIPAA Privacy Rule implies (45 CFR §164.502).
However, HIPAA compliance for telemedicine is subject to a number of confidentiality requirements that do not always exist in one-to-one medical encounters. For example, there may be caregivers, translators, or family members present, or the patient may be attending the telemedicine consultation while at work, in the gym, or on vacation.
There may also be identity verification challenges – especially when a patient has been referred from one healthcare professional to another who is unfamiliar with the patient. The situation can become far more complicated when a patient is referred to another healthcare professional not under the control of the same Covered Entity as the minimum necessary standard may apply.
Security Rule HIPAA Telemedicine Requirements
There are also Security Rule HIPAA telemedicine requirements relating to the technology that can be used to communicate remotely with patients. Most technologies used to communicate remotely with patients are required to meet the requirements of the administrative, physical, and technical safeguards of the Security Rule (landline phone lines and paper-to-paper faxes are exceptions).
This means that access controls, event monitoring, and automatic log-off controls must be activated. It is also necessary to secure all connections and integrations with other applications that connect to the communication technology, and to implement policies that prevent members of the workforce from circumventing user controls by (for example) sharing login credentials.
Additionally, Business Associate Agreements must be in place with software vendors when their communication platforms are used to collect, store, or transmit PHI. According to guidance issued by the Department of Health and Human Services (HHS), this Security Rule HIPAA telemedicine requirement applies regardless of whether vendors have access to the encrypted PHI.
It is also important for healthcare providers to be aware that telemedicine services cannot be refused on the basis of a patient’s device being insecure. Unless there is a risk to the confidentiality, integrity, and availability of other PHI maintained by a healthcare provider, HHS states that Covered Entities are not liable for what happens to PHI once it has been received by the patient’s device.
Other Telemedicine HIPAA Requirements to be Aware Of
Business Associates have been mentioned previously in terms of the Security Rule HIPAA telemedicine requirements, but healthcare providers under the control of a different Covered Entity can also be Business Associates if there is no existing treatment relationship with the patient. In such cases, it is necessary to enter into a Business Associate Agreement with the healthcare provider – even if they are a Covered Entity in their own right.
If a healthcare provider provides a service on behalf of a Covered Entity as a Business Associate, this limits how much PHI can be disclosed to the healthcare provider. This can also be the case if a healthcare provider acting as a Business Associate hosts a telemedicine consultation in their facility (because the patient does not have access to technology in their home), or reviews a recording of a telemedicine consultation to help diagnose a patient’s condition.
There may also be non-HIPAA telemedicine requirements to consider in the provision of a HIPAA-compliant telemedicine service. These include (but are not limited to) state regulations regarding licensure, breach notifications, and the definition of a Covered Entity, and federal regulations regarding prescribing controlled substances remotely and disclosing substance use disorder patient records via telemedicine. There are also HIPAA changes on the way relating to attestations.
In conclusion, the telemedicine HIPAA requirements can be confusing depending on the type of telehealth provided, whether or not it is designated to a Business Associate, and the technologies used to provide remote telemedicine. If you are unsure about what steps your organization needs to take in order to comply with the telemedicine HIPAA requirements, we strongly advise you to seek professional compliance advice.