HIPAA compliant telemedicine was designed to ensure that patient data is not compromised by digitization. HIPAA has been the compliance standard for private health information since 1996. But much has changed in medicine and with technology in the past 24 years. Patient charting moved out of the file cabinet and into the cloud, and telemedicine has normalized, especially under the pressures of the COVID-19 pandemic.

For practices and medical institutions that are considering video conferencing today, how do telemedicine and HIPAA compliance interact? With new rulings on the books from the Centers for Medicare and Medicaid Services (CMS), there have been big changes to make note of. Here’s what you need to know about the status of HIPAA compliant telemedicine in the U.S. today.

History of HIPAA, Telemedicine, and ePHI

The issue of telemedicine and HIPAA compliance dates back to 1996, when the Health Insurance Portability and Accountability Act was passed by Congress and signed by the President. The entire law focused on the safety of patient data. At that time, healthcare organizations were beginning a transition to electronic medical records (EMRs) and patient healthcare was becoming digitized. The new HIPAA law was created to cut down on abuse and fraud by setting some industry-wide standards for electronic billing and other processes affecting patients.

But HIPAA was a Johnny-come-lately when compared to the birth of telemedicine, which actually dates back to the early 1960s. Remote conferencing has been a stable, accepted part of healthcare for decades; however, adoption has been slowed by legislative and regulatory roadblocks for providers that hampered payment, as well as restricted where these tools could be used. Recently, this has all changed fairly dramatically.

Fast forward to 2020, when the entire world went on lockdown due to the COVID-19 crisis. Suddenly, telemedicine usage exploded; it is predicted that one billion virtual care visits will occur this year alone. Prior to the pandemic, 82% of consumers never used telemedicine to receive healthcare treatment.

Today, telemedicine is an accepted best practice for all specialties; the U.S. Centers for Disease Control and Prevention (CDC) recommend the use of telemedicine for social distancing. But what about telemedicine and HIPAA compliance? How can data transmitted over the Internet remain safe from hackers? What does HIPAA say about telemedicine and how do those rules apply to healthcare today?

Telemedicine and HIPAA Compliance

The portions of HIPAA governing telemedicine are the Privacy Rule and the Security Rule. The HIPAA Privacy Rule sets standards to protect patient medical records or any personal health information (PHI) transmitted between health insurance companies, clinicians, testing facilities, or anywhere this data is shared.

The HIPAA Security Rule takes the Privacy Rule and digitizes it. This regulation requires healthcare providers and vendors to take steps to deal with PHI when it is transmitted electronically, whether over the Internet, during a videoconference, or in any other form of digital transmission.

HIPAA compliant telemedicine software is useful for patients and healthcare providers alike.
HIPAA compliant telemedicine software is useful for patients and healthcare providers alike.

HIPAA Compliant Telemedicine Software

How does HIPAA affect telemedicine or videoconferencing vendors or any other companies that digitally transmit PHI? While some clinicians believe that communicating PHI directly between a patient and provider makes the transmission compliant, it is the communication channel itself that can put patient data at risk. For telemedicine companies to be deemed HIPAA compliant, they must take steps to ensure the data they are transmitting and stored patient data is safe. HIPAA applies not only to telemedicine, but also to electronic health records (EHR) or any other tool that transmits patient data by phone or through the Internet.

The HIPAA Security Rule requires that vendors must take steps to ensure that a system of secure communication is in place so that only authorized parties can access patient data. This typically requires the following technical safeguards:

·         Have a system in place to restrict electronic PHI to authorized users.

·         Confirm the identity of all end users who access the electronic PHI.

·         Use secure, encrypted communication between providers, patients, and vendors.

·         Safely encrypt electronic PHI when it is transmitted and at rest.

·         Monitor these systems to ensure data security.

·         Validate the data to ensure it is accurate.

·         Regularly train staff that access PHI in appropriate data security methods.

·         Have a disaster recovery plan in case of data breach.

·         Internally monitor these systems.

·         Provide physical protection for any on-site servers or equipment.

·         Provide clients with a written record of the technical components of the network and the steps the vendor takes to protect data. This includes identification of where the PHI data is stored and how it is transmitted.

To remain HIPAA compliant, the telemedicine vendor must follow the process outlined in the Security Rule and be able to monitor and respond to any potential vulnerabilities in the network.

But there is another element to HIPAA compliance, which relates to the Business Associate Agreement (BAA) between the end-user of the telemedicine service and the videoconferencing or telecommunications vendor.

The BAA outlines the relationship between the client, the vendor, and the patient’s PHI. It should include language describing:

·         The type of PHI that the vendor will access.

·         The steps the vendor will take to protect the digital PHI.

·         How the vendor would handle a security breach, including the process and timeframe for notifying patients.

·         Disclosures of how they will access patient data during the process of transmitting or recording it.

After years of requiring any vendor in the healthcare space, including telemedicine companies, to be HIPAA compliant, the global pandemic finally caused a loosening of HIPAA restrictions.

In April, the Centers for Medicare and Medicaid Services (CMS) announced a temporary measure that loosens the rules for HIPAA compliant telemedicine. This allowed healthcare providers to quickly select from a wide range of commercial vendors that may or may not have PHI safeguards in place. There is no word on how long this temporary ruling will be in effect, which brings up the question of whether a healthcare provider should look for HIPAA compliant telemedicine software.

Should You Look for HIPAA Compliant Telemedicine Software?

Despite the CMS ruling, healthcare providers selecting a non-HIPAA compliant telemedicine vendor are putting their patients’ data security at risk. Telemedicine is a useful tool that allows a virtual house call wherever the patient or doctor may be. It eliminates the time and cost of travel to a clinician’s office. Now that doctors and patients are widely using these tools, it is likely that telemedicine will become the new normal, and many in-person visits will be replaced by telemedicine.

If CMS decides to eliminate the temporary waiver of HIPAA compliant telemedicine, many healthcare providers that selected commercial vendors may be required to switch to a vendor that fully complies with these laws.

MegaMeeting provides fully HIPAA-eligible telemedicine services to healthcare providers around the nation, playing a vital role in allowing these healthcare professionals to provide HIPAA compliant services to their patients. Our affordable web-based service can help your practice offer these services to provide your patients with the care they need, while still protecting them from exposure to COVID-19 in your office. Talk with our team about how we can help your practice today.

MegaMeeting solves the biggest challenges of modern video conferencing. For users, it is an all-in-one platform that delivers both video conferencing and webinars in a single, simplified interface. For attendees, it is 100% browser-based, making it highly accessible; joining a meeting is instantaneous from a single click. For enterprises, it is highly customizable, with white-labeling options for a private branded solution. For developers, it is API-driven and easy to integrate.

Powered by WebRTC, Node.js, React, and GraphQL, it is a cutting-edge platform that is fun and easy to use for users and developers alike.