HIPAA and Telehealth

How did the Public Health Emergency impact HIPAA?  At the start of the PHE, the HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to all health care providers that are covered by HIPAA and provide telehealth services during an emergency.  What it has meant is that covered health care providers would not be subject to penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in the good faith provision of telehealth during the PHE.  But the PHE will be coming to an end on May 11, 2023. OCR provided a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. This transition period ended on August 9, 2023

How did things change after August 9, 2023?  It is of utmost importance for all providers to understand the intersection between Telehealth and HIPAA!  To start with, check out this article we wrote on "Preparing for the End of the PHE and the End of HIPAA Enforcement Discretion".

The Center for Connected Health Policy (CCHP) has created this video on how telehealth works with HIPAA and health privacy laws.

 

What Do I Need to Do to Make Sure I am in Compliance?  HIPAA compliance is a combination of physical, administrative and technical safeguards. Technology alone does not ensure HIPAA compliance!

Understanding how telehealth intersects with HIPAA is crucial. Any information that can identify an individual is potentially Protected Health Information (PHI). HIPAA defines 18 types of PHI identifiers, including names, phone numbers, birthdates, IP addresses, email addresses, device identifiers, and photos/images.

If your organization has a dedicated risk and compliance team, leverage their expertise. Always use approved organizational resources when handling PHI with patients, caregivers, or other providers. Using personal accounts on non-approved platforms may expose you to personal liability.

If you are not part of an organization, you must conduct a risk assessment of your telehealth setup. Consider hiring a consultant to perform a HIPAA compliance review for your practice. Assess all telehealth use cases—a telehealth visit from your office may pose different risks than one from your home. If you provide services from multiple locations, conduct separate risk assessments for each setting.  Below are a number of resources to assist you:

• HIPAA & Telehealth : A Stepwise Guide to Compliance:
  • English Version
  • Spanish Version
  • Navajo Version
• HIPAA Guidelines on Telemedicine
• HIPAA and Telehealth FAQs
• Guide to Privacy and Security of Electronic Health Information
• HIPAA Compliance Roadmap
• HIPAA Security Risk Assessment Tool
• NIST Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide

What Do I Need to Know About VOIP and Audio-Only Telehealth and HIPAA?

• Guidance on HIPAA Rules for Audio-Only Telehealth
• VOIP and HIPAA
• HIPAA Considerations When Using VOIP

What Do I Need to Tell My Telehealth Patients?

• Resource for Health Care Providers on Educating Patients about Privacy and Security Risks to Protected Health Information when Using Remote Communication Technologies for Telehealth

What Do I Need to Know About Business Associates and BAAs?

• Guidance on Business Associates
• Sample Business Associate Agreement Provisions

What Do I Need to Know About Risks Related to Online Tracking Technologies Found on Websites and Mobile Applications?

• Office of Civil Rights and Federal Trade Commission Letter

What Do I Need to Know About Texting and HIPAA?

• HIPAA Regulations for SMS
• Is Texting in Violation of HIPAA?
• What Are the HIPAA Rules Regarding Text Messaging
• CMS Guidance on Texting Patient Information and Patient Orders Among Members of the Heatlh Care Team
• Toolkit on Texting for Public Health: Emergency Communication, Health Promotion, and Beyond
  • Draft Policy Template