Choosing a HIPAA-Compliant Telehealth Service
With the continued trend toward the use and adoption of telehealth platforms and an abundance of these services advertising as HIPAA compliant, it is crucial for healthcare organizations to understand the level of HIPAA compliance required from both the healthcare organization as a “covered entity” and the telehealth vendor as a “business associate.”[1] Even though HIPAA currently does not contain telehealth-specific rules, when utilized by healthcare organizations, these telehealth platforms become a part of the healthcare organization’s health information privacy and security obligations.
Healthcare organizations must thoroughly vet these vendors and receive satisfactory assurance that the services will appropriately safeguard ePHI.[2] Some platforms may not actually have safeguards required by HIPAA, and therefore would not be HIPAA compliant. To be compliant, a telehealth platform must (1) comply with the HIPAA Security Rule in managing the transmission, storage and disposal of ePHI, (2) have an internal HIPAA compliance and risk assessment policy, and (3) be willing to enter into a HIPAA Business Associate Agreement (“BAA”).[3]
A healthcare organization should not rely solely on a telehealth vendor’s advertisements that it is HIPAA compliant. Instead, the healthcare organization should take the following steps in selecting a HIPAA-compliant telehealth platform:
Conduct a web search of the telehealth platform with “HIPAA.”
Vendors providing telehealth services with a strong HIPAA compliance initiative will most often have a dedicated page on their website indicating that the vendor complies with its HIPAA obligations as a business associate. If a web search turns up only a blanket statement of the vendor’s HIPAA compliance, this telehealth vendor may not be the best option. If a healthcare organization is still interested in the vendor, it should reach out directly to the vendor and request documentation of the vendor’s internal health information privacy and security policies.
Check if the vendor is willing to enter into a HIPAA Business Associate Agreement.
A business associate (“BA”) maintaining ePHI without a BAA is a violation of HIPAA.[4] Therefore, a vendor’s willingness to enter into a HIPAA BAA, or its already providing information on how a healthcare organization can enter into a BAA, is a good sign of the vendor’s HIPAA compliance. A healthcare organization’s contract with its BA should:
- Contain a description of the permitted and required uses of PHI by the vendor;
- Provide that the BA will not use or further disclose PHI other than as permitted or required by the contract; and
- Require the BA to use appropriate safeguards to prevent use or disclosure of PHI other than provided by the contract.[5],[6]
Ensure the telehealth vendor has secure and compliant cloud service with data encryption.
Healthcare organizations will need to seek out secure and compliant data encryption embedded in the telehealth platform. By using encryption to protect all ePHI, BAs and healthcare organizations can reduce the chance of a HIPAA breach. Some questions to ask a potential vendor: (i) What is the encryption standard for ePHI in transit, storage, rest, and disposal? (ii) Does the vendor have policies and procedures outlining documentation of ePHI? (iii) Will there be an effective procedure in the event of a breach?
Confirm strong access control or request an implementation of access control measures.
A healthcare organization and the BA must “implement technical policies and procedures for electronic information systems that maintain electronic protected health information” to allow access only to those who are authorized users.[7] A healthcare organization should confirm how the vendor’s internal access control with user authentication protocols prevents unauthorized access or disclosure of ePHI (i.e., providing each authorized individual with a unique user identification to log in, having automatic log-out systems on devices).
Assess whether the periodic risk assessment and self-audits of the vendor are appropriate.
A vendor must have auditing capabilities on its platform that document the process, transmission, storage, and proper disposal of ePHI. These self-audits should be performed, at a minimum, annually: the more data stored in the telehealth platform, the more frequent the self-audits should be. In addition, a vendor that self-audits by reviewing any unusual access activity will be better prepared to provide solutions in the event of a suspected breach.
Protecting PHI and preventing the unauthorized access of PHI are the most important objectives for healthcare organizations and business associates in maintaining HIPAA compliance.[8] By identifying the necessary system requirements for telehealth compliance, a healthcare organization can become more confident in its decision when entering into a teleservices agreement.
[1] 45 CFR 160.103.
[2] Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html.
[3] Healthcare organizations should be aware of applicable state data protection laws that may be more restrictive than HIPAA.
[4] Once put in place, BAAs do not expire unless there is a change in the regulatory rule.
[5] Retrieved from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html
[6] In addition, by having a written agreement with a business associate, the healthcare organization may negotiate the terms of the agreement to ensure the vendor’s policy aligns with the healthcare organization’s health information and security policy.
[7] 45 CFR 164.312(a)(1).
[8] While OCR currently is not enforcing penalties for HIPAA violations in providing telehealth services, MagMutual advises only using HIPAA-compliant platforms as OCR may begin enforcement.
08/20
Disclaimer
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.