Many clinical practices had been using HIPAA compliant video conferencing to conduct online patient encounters well before the COVID-19 crisis made it a near-necessity. Once concern over the pandemic's spread escalated, it made sense for healthcare providers to see ill patients via secure video conferencing instead of exposing them to potential infection in a waiting room.
However, one of the biggest concerns when using these technologies was, and remains: Can these tools keep patient information safe?
The Centers for Disease Control and Prevention (CDC) reported there was a 154% increase in telemedicine visits in the first month of the pandemic compared to the same time the year before. Health Leaders Media says telemedicine visits made up 20% of all clinical encounters in 2020. According to Becker’s Hospital Review, there were more than one billion telehealth visits in 2020.
This article looks at HIPAA compliance in these clinical encounters and answers some of the most common questions we hear from providers: what HIPAA compliance is, and how a clinician can be certain that a telemedicine application keeps protected health information (PHI) secure. Keeping that data safe requires the healthcare provider and every third party that handles it, such as electronic medical records (EMR) companies, telemedicine vendors, and insurance payers, to put both IT and physical safeguards in place.
What is HIPAA compliance?
The Health Insurance Portability and Accountability Act, or HIPAA, was passed by Congress in 1996. Among its goals was legislation to protect private patient information. The Privacy Rule governs how protected health information (PHI) may be used and disclosed in any form, and the Security Rule requires covered entities (providers, health plans, and clearinghouses) and their business associates to implement administrative, physical, and technical safeguards for electronic PHI. Together these rules set the standards for patient privacy and IT security, the two areas that most affect telehealth technologies.
Is telehealth HIPAA compliant?
The answer depends on the telehealth platform and how it is used. Healthcare providers may mistakenly assume that because a video call is only between a patient and a provider, it is secure. But the security of the encounter is ultimately determined by the platform carrying it: how the video and audio are encrypted in transit, how any recordings are stored, who at the vendor can access them, and whether that access is logged.
Three requirements of the HIPAA Security Rule matter most in a telehealth encounter:
1. Only authorized users should have access to PHI (access control).
2. A secure communication system should be in place to protect any conversations or digital information that flows between authorized users (transmission security, which in practice means encryption of the call and of any recordings).
3. A system should exist to monitor the security of these transmissions (audit controls, so that access to PHI is logged and can be reviewed).
Here’s where HIPAA is often misunderstood in the telemedicine space. Whenever a third party creates, receives, maintains, or transmits PHI on a provider's behalf, whether it is a telemedicine vendor carrying a conversation over online video conferencing or an EMR vendor passing patient data between systems, that entity is a business associate and must have a Business Associate Agreement (BAA) with the healthcare provider using the service. The BAA is a critical document: it defines what the vendor may do with the PHI, obligates the vendor to safeguard it, and requires the vendor to report breaches to the provider. A Business Associate could be:
· A third-party administrator who handles claims processing for a hospital.
· An attorney whose legal services touch PHI.
· A medical transcriptionist who works with a doctor to transcribe a patient diagnosis.
· A telemedicine video conferencing company that connects doctors and patients in a clinical encounter.
Not all telehealth vendors are HIPAA compliant, and a vendor's marketing claim is not a substitute for a signed agreement. If your video conferencing vendor meets the three Security Rule requirements above and you have a BAA with them, the platform side of your compliance is covered. The BAA does not relieve your practice of its own obligations, such as controlling who in the office can join or view an encounter.
MegaMeeting is an example of a fully HIPAA compliant telehealth vendor.
How long must HIPAA compliance records be retained?
CMS, the Centers for Medicare and Medicaid Services, notes that state laws generally govern how long medical records must be kept. HIPAA’s administrative simplification rules, however, require covered entities and business associates, whether a doctor’s office, an insurance payer, or a third-party vendor, to retain compliance documentation (policies, procedures, and agreements such as BAAs) for six years from the date of its creation or the date when it was last in effect, whichever is later.
While HIPAA does not set retention periods for medical records themselves, it does require that appropriate physical and technical safeguards be in place to protect patient data for as long as it is kept. This applies to telehealth vendors and to the communications shared between provider and patient.
Given that many doctors now record patient video conferences to ensure continuity of care, the long-term storage of PHI becomes a concern. Look for a HIPAA compliant telehealth vendor that encrypts this data both in transit and at rest, and ask how long recordings are retained and who can access them.
The six-year rule under HIPAA is fairly straightforward, but the rules for medical records can be confusing, particularly for a large health system that operates in many different states.
What video conferencing is HIPAA compliant?
The issue of which video conferencing is HIPAA compliant is incredibly important. Providers that fail to comply with HIPAA standards during telehealth encounters run the risk of big non-compliance fines. These rules matter because in 2019, the U.S. averaged around 37 healthcare data breaches each month. Beyond the compliance fines, failing to keep patient data safe is a breach of the trust of the patients you serve.
We’ve previously covered what makes a telehealth technology vendor HIPAA compliant, but to reiterate:
1. They must meet the three HIPAA Security Rule requirements described above.
2. They must have a signed BAA with the provider.
Patient protection should be of the utmost importance to your practice. Look for telehealth vendors that are fully HIPAA compliant. Today, some of the vendors that are compliant include:
· MegaMeeting is fully HIPAA compliant. We encrypt all patient data in transit and at rest and have the highest security protocols in place to ensure that any PHI is carefully secured. As a browser-based video conferencing solution, we comply with the most rigorous standards for physical and digital IT security and share this information in our BAAs with our valued healthcare clients.
· According to Technology Advice, GoToMeeting does not have a specific healthcare track for its commercial video conferencing solution, but it is HIPAA compliant. The platform's features were built for sales professionals and business owners; however, the tool could easily translate to the clinical experience.
· Technology Advice also recommends a downloadable mobile app called Medici. This secure messaging app is HIPAA compliant and the tool can integrate with an EMR.
· Fit Small Business recommends Zoom for Healthcare as the best overall HIPAA compliant provider, and notes that it starts at $200 per account per month, making it one of the highest priced HIPAA compliant video conferencing options we’ve seen.
What is the key to success for HIPAA compliance?
Establishing policies and procedures is the key to success for HIPAA compliance. Whether you’re establishing or revising office workflows or considering a telehealth video conferencing vendor, the key to this process is understanding the rules to ensure they’re followed to the letter.
MegaMeeting can help your practice establish seamless secure HIPAA compliant video communications. Talk with our team today to find out how we can help your business.
MegaMeeting solves the biggest challenges of modern video conferencing. For users, it is an all-in-one platform that delivers both video conferencing and webinars in a single, simplified interface. For attendees, it is 100% browser-based, making it highly accessible; joining a meeting is instantaneous from a single click. For enterprises, it is highly customizable, with white-labeling options for a private branded solution. For developers, it is API-driven and easy to integrate.
Powered by WebRTC, Node.js, React, and GraphQL, it is a cutting-edge platform that is fun and easy to use for users and developers alike.