Telemedicine HIPAA requirements
The Telemedicine HIPAA requirements affect any medical sector employee or healthcare organization that supplies a remote service to patients at their homes or in community-based centers.
Many people wrongly believe that sending ePHI at distance is permitted when the communication is directly between just the physician and patient, as this is, seemingly, what the HIPAA Privacy Rule implies.
However, the medium of communication used for sending ePHI at distance is also important if medical professionals and healthcare organizations wish to comply with the HIPAA requirements on telemedicine. This facet of the HIPAA guidelines on telemedicine is set out in the HIPAA Security Rule, which states:
- Only authorized people should be able to access ePHI.
- A system of secure communication should be adopted to safeguard the integrity of ePHI.
- A system of monitoring communications using ePHI should be established to avoid mistaken or malicious breaches.
The first aspect is fine if the physician uses “reasonable and appropriate safeguards” to stop ePHI being shared with any unauthorized parties. However, the second aspect means that insecure channels of communication such as SMS, Skype, and email should not be employed for communicating ePHI at distance.
Lastly, as per the HIPAA guidelines on telemedicine, any system used for communicating ePHI at distance must have a process in place so that communications can be reviewed and remotely wiped if necessary. The second and third aspects also refer to ePHI that is stored – a concern we will address now.
Reasons Why SMS, Skype or Email Should Not Be Used for Telemedicine
When ePHI recorded by a medical professional or a healthcare body (covered entity) is stored by a third party, the covered entity must have a Business Associate Agreement (BAA) with the party holding the data. This BAA must set out the methods used by the third party to ensure the security of the data and provisions for regular auditing of the data’s security.
As copies of communications sent by SMS, Skype or email remain on the service providers' servers and contain individually identifiable health data, the covered entity would need a BAA with (for example) Verizon, Skype or Google in order to comply with the HIPAA guidelines on telemedicine.
As Verizon, Skype and Google, for example, will not enter into BAAs with covered entities, the covered entity is liable for any fines or civil action should a breach of ePHI occur due to the third party's lack of HIPAA-compliant security controls. The covered entity would also likely fail a HIPAA audit for not conducting a suitable risk assessment – which might also harm its prospects of receiving payments under the Meaningful Use incentive scheme.
Communicating ePHI at Distance Solutions
Many healthcare groups have opted to use a secure messaging solution to comply with the HIPAA guidelines on telemedicine. Secure messaging solutions offer the same speed and convenience as SMS, Skype or email, but comply with the Security Rule by only allowing authorized users to access ePHI, establishing a secure means of communication, and monitoring activity on the secure channel of communication.
These solutions for transmitting ePHI at distance work via easy-to-operate apps that most healthcare workers will be familiar with, as they have a similar interface to commercially available messaging apps. Each authorized user logs into their app using centrally-issued credentials. They can then communicate with other authorized users within the covered entity’s private communications network.
All communications – including images, videos and documents – are encrypted to render them unreadable and unusable if a message is captured over a public Wi-Fi service, and security measures exist to stop ePHI from being sent outside a covered entity’s private network – either by mistake or deliberately. All activity on the network is recorded by a cloud-based platform to make sure secure messaging policies (also part of the HIPAA Security Rule) are complied with.
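The three Security Rule points above (authorized access only, integrity of ePHI, and monitoring of all activity) can be modelled in a few dozen lines. The example below is added here and is not code from the page or from any secure messaging vendor; the user directory, user names, key and message text are constructed, and transport encryption (TLS between app and platform) is assumed rather than shown. It refuses messages from unauthenticated senders or to recipients outside the private network, tags each stored message so tampering is detected on read, and writes every attempt, refusals included, to an audit log.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed user directory for the covered entity's private network
# (in practice these come from the central credential issuer).
AUTHORIZED_USERS = {"dr.alvarez": "physician", "nurse.kim": "community_nurse"}

@dataclass
class SecureNetwork:
    """Toy model of a private messaging network; TLS transport is assumed, not modelled."""
    integrity_key: bytes                 # platform-only key used to tag stored messages
    audit_log: list = field(default_factory=list)
    inbox: dict = field(default_factory=dict)

    def _record(self, event, actor, target, outcome):
        # Every attempt, refusals included, is logged so monitoring can spot
        # mistaken or malicious attempts to move ePHI off the network.
        self.audit_log.append({"ts": time.time(), "event": event, "actor": actor,
                               "target": target, "outcome": outcome})

    def send(self, sender, recipient, body):
        if sender not in AUTHORIZED_USERS:
            self._record("send", sender, recipient, "denied:unauthenticated_sender")
            return False
        if recipient not in AUTHORIZED_USERS:
            # ePHI must never leave the private network, by mistake or on purpose
            self._record("send", sender, recipient, "denied:recipient_outside_network")
            return False
        tag = hmac.new(self.integrity_key, body.encode(), hashlib.sha256).hexdigest()
        self.inbox.setdefault(recipient, []).append({"from": sender, "body": body, "tag": tag})
        self._record("send", sender, recipient, "delivered")
        return True

    def read(self, user, index=0):
        if user not in AUTHORIZED_USERS or index >= len(self.inbox.get(user, [])):
            self._record("read", user, user, "denied")
            return None
        msg = self.inbox[user][index]
        expected = hmac.new(self.integrity_key, msg["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            self._record("read", user, user, "integrity_failure")  # tampered in storage
            return None
        self._record("read", user, user, "ok")
        return msg["body"]

    def denied_events(self):
        # The entries a compliance reviewer would pull from the audit trail
        return [e for e in self.audit_log if e["outcome"] not in ("delivered", "ok")]
```

The audit trail is what makes the third Security Rule point reviewable: a message refused because its recipient was outside the network is as visible to the reviewer as one that was delivered.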
Using Secure Messaging to Communicate with Patients
For communicating with patients, medical professionals and healthcare groups have the option of either permitting the patient to have temporary access to the network via a secure messaging app, or a secure temporary browser session can be arranged using the same platform. In many instances, medical workers and healthcare groups have integrated a secure messaging solution into the EHR to cut out time-consuming patient updates.
This has also been the scenario when patients have visited a community medical center or received visits at home from a community-based nurse. Medical workers at the healthcare centers and community nurses can use the secure messaging apps to send critical patient data and escalate patient concerns safely – subject to the guidelines of the HIPAA Privacy Rule being complied with. Both when communicating with patients using secure messaging and when communicating between medical workers, secure messaging solutions have the following benefits:
- Medical workers based in the community can send and receive ePHI on the go using secure messaging.
- Pictures can be attached to secure messages, which can then be sent to accelerate diagnoses and the administration of healthcare.
- Secure messaging can also be used to speed up emergency admissions and patient discharges – lessening wait times and streamlining the administrative procedures.
- Automatically produced delivery alerts and read receipts minimize phone tag and enhance message accountability.
- Access reports make risk management analyses much easier while, when combined with an EHR, secure messaging also allows healthcare groups to meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.
Communicating ePHI at distance with secure messaging makes sure that messages are transmitted to the correct recipient, lessens the amount of time that is wasted between sending a message and receiving a response, and secures the integrity of ePHI in compliance with the HIPAA guidelines on telemedicine.
Conclusions on Telemedicine HIPAA Requirements
Secure messaging solutions were first formulated to allow messaging in compliance with HIPAA, but many of the features of secure messaging have resulted in advantages that have improved the workflows of healthcare workers, minimized expenses in medical centers, and increased the standard of healthcare received by patients.
Many healthcare groups have been most pleased at the simple manner in which the HIPAA guidelines on telemedicine can be complied with, and even more pleasantly surprised at the expense – with there being no need to spend funds on expensive hardware or complicated software, or drain the organization's already stretched IT systems.
The HIPAA telemedicine requirements make it quite clear what processes should be implemented to secure the integrity of ePHI. With there being significant benefits to adopting a secure messaging solution, it is only a matter of time before all covered entities providing a telemedicine service are transmitting ePHI at distance with secure messaging.