According to the American Hospital Association, more than 75 percent of hospitals offer telemedicine as a service, and 70 percent of patients feel comfortable communicating with their healthcare providers via text, email, or video. However, while patients and providers are embracing the convenience and accessibility of telehealth, security concerns remain – especially with regard to HIPAA compliance.
Telemedicine & The Processing of Electronic Protected Health Information (ePHI)
Telemedicine – which the American Telemedicine Association defines as “medical information exchanged from one site to another via electronic communications” – includes a broad scope of platforms and services. This includes real-time video conferencing, mobile messages, “store-and-forward” communications, and remote patient monitoring.
These methods allow physicians to electronically assess and manage several forms of electronic protected health information (ePHI). Depending on the platform, this can include a patient’s name, phone number, and email address, their health plan beneficiary numbers, their medical record numbers, and biometric identifiers.
Because this data is protected under the Health Insurance Portability and Accountability Act (HIPAA), telemedicine solution providers need to ensure that their platforms are appropriately designed to handle ePHI. Meanwhile, physicians – as Covered Entities under the law – are responsible for selecting secure and compliant technologies for their telehealth practices.
HIPAA Privacy & Security Guidelines for Telemedicine
HIPAA outlines administrative, physical, and technical safeguards for ensuring the confidentiality, integrity, and availability of medical information – including data that is stored and transmitted via telemedicine platforms. While the HIPAA Privacy Rule covers patients’ Protected Health Information (PHI), the HIPAA Security Rule specifically covers Electronic Protected Health Information (ePHI).
The National Telehealth Policy Resource Center notes that “telehealth provision or use does not alter a Covered Entity’s obligations under HIPAA, nor does HIPAA contain any special section devoted to telehealth.” If a Covered Entity, such as a hospital network or private physician, offers telemedicine, their technology must meet the same HIPAA requirements that would be required for an in-person consultation.
Are Telemedicine Software Vendors Considered Business Associates Under HIPAA?
Telemedicine solutions providers, including software and mobile app developers, are considered Business Associates under HIPAA regulations.
HIPAA defines a Business Associate as any entity that “creates, receives, maintains, or transmits protected health information to perform certain functions or activities on behalf of a Covered Entity,” and that “provides data transmission services to a Covered Entity and has access to PHI on a routine basis.” However, certain platforms used in the delivery of telehealth services – such as web conferencing services used to conduct a virtual consultation – are not considered Business Associates, as the platforms do not store or transmit ePHI.
Business Associate Agreements for Telemedicine Providers
If a physician uses a telemedicine solution that stores ePHI, they must enter into a formal Business Associate Agreement (BAA) with the solution provider. This agreement will document:
- The types of protected health information that the vendor can access
- The measures that the vendor will take to protect ePHI
- The actions that the vendor will take in the event of a security breach (including time frames and processes for notifying patients)
- Allowable uses and disclosures of ePHI to meet the requirements of the HIPAA Security Rule
The vendor must complete and sign this agreement before coming into contact with any patient information.
What Steps Can Telehealth Providers Take to Ensure HIPAA Compliance?
To be compliant with HIPAA requirements, telemedicine providers must ensure that their platforms:
- Restrict ePHI access to authorized users
- Confirm the identity of users who request access to confidential data
- Use secure, encrypted communications
- Monitor communications that contain ePHI
- Corroborate data to ensure its integrity
Vendors must also:
- Demonstrate that they have implemented an appropriate training program for employees who have access to protected health information
- Document an appropriate disaster recovery plan
- Document the scope, frequency, and required procedures for internal audits
- Protect against inappropriate physical access to protected data
- Provide a written record of all technical configurations on all components of their network
While working to meet HIPAA regulations, telemedicine providers have some flexibility when choosing safeguards. Log management solutions, client-side data encryption, intrusion detection systems, and secure peer-to-peer network connections are all potential options to protect confidential medical information from a breach.
It’s important to note: while these standards help telehealth providers meet their obligations under the law, there is no standard certification that formally validates a solution’s compliance.
The Security Management Process outlined in the Security Rule requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations” (45 CFR § 164.308(a)(1)). As part of this HIPAA requirement, telemedicine software providers are required to conduct an accurate and thorough risk analysis, in which the organization must:
- Identify where ePHI is stored, received, maintained, or transmitted
- Identify and document reasonably anticipated threats to ePHI, including those that are unique to the circumstances of their environment
- Identify and document vulnerabilities which, if exploited, would create a risk of inappropriate access to or disclosure of ePHI
- Assess and document the security measures that they have in place
- Assess and document all threat and vulnerability combinations with the likelihood of each threat actually occurring
- Assess the potential impact of each threat, using qualitative or quantitative measures (or a combination of the two)
- Assign risk levels for all threat and vulnerability combinations identified during the risk analysis
Through the risk assessment process, vendors can identify potential threats to the confidentiality, security, and availability of the ePHI that is processed on their platform, then create a risk management plan based on their findings. From there, they can address the issues in order of importance.
Telemedicine providers can conduct their HIPAA risk analysis independently, or they can request assistance from a third-party assessment firm. Working with an external auditor helps vendors ensure that they are not overlooking risks or regulations; it also provides access to additional support for remediation efforts.
Independent HIPAA Compliance Assessments
After a risk analysis, telehealth vendors may choose to undergo a broader HIPAA compliance assessment. A qualified assessor will review a company’s technical, physical, administrative, and organizational safeguards, as well as its breach notification plan. The assessment may include data collection; documentation reviews; interviews with key personnel; walk-throughs of processes and procedures; and tests of applicable controls.
At the end of the engagement, the assessor can issue a HIPAA Security Compliance Report, which includes:
- An executive summary
- Management’s assertion
- An explanation of the report’s scope and objectives
- An overview of the assessor’s testing methodology (including procedures performed, assumptions, and constraints)
- Control descriptions, test procedures performed, and results of the testing
Telemedicine solutions providers can use this report to demonstrate that their technologies are appropriately designed to protect ePHI. If needed, they may share this report with hospitals and/or physicians as part of their sales process.
360 Advanced – Your Dedicated Resource for HIPAA Compliance
At 360 Advanced, we can help you ensure that your telemedicine solution meets HIPAA requirements for protecting ePHI.
Our HealthCare Information Security and Privacy Practitioners (HCISPPs) and Certified Information Systems Security Professionals (CISSPs) provide both HIPAA Risk Analyses and HIPAA Security Compliance Assessments, tailored to the needs of your organization. Our integrated approach allows you to complete your HIPAA Compliance Assessment at the same time as your other security efforts – such as a SOC 2 examination or HITRUST Validated Assessment – so that you can complete multiple initiatives as part of a single, seamless engagement.
To learn more, contact us today.