HIPAA and telehealth Archives - LuxSci

Posts Tagged ‘HIPAA and telehealth’

CEO Erik Kangas Featured on Total HIPAA Podcasts

Thursday, July 16th, 2020



Erik recently sat down with our friends at Total HIPAA to discuss a variety of HIPAA topics, including:

The first part of the two-part conversation can be heard here or on a mobile device via Apple Podcasts.



The Different Types of Telehealth & How to Stay HIPAA-compliant

Thursday, October 17th, 2019

Updated May 2022.

The telehealth landscape has changed dramatically over the last few years. At the height of the pandemic closures in April 2021, 64% of US households reported using telehealth. Some 43% of Americans plan to continue using telehealth, and many healthcare providers continue to offer virtual care.

When telehealth took off, HHS announced that it would exercise enforcement discretion and not penalize good-faith use of everyday video and messaging tools so that patients could quickly access care. That discretion was always temporary, and the underlying HIPAA rules never stopped applying, so it is essential to examine how HIPAA regulations apply to the telehealth industry now that normal enforcement is returning.

Remote Health Care

Remote health care, also known as telemedicine, involves providing medical services through video calls and other technologies. It can help provide care in rural communities and eliminate travel time for patients and healthcare practitioners, increasing efficiency.

HIPAA regulations apply to telemedicine delivered by a covered entity or its business associates because it involves transmitting and processing electronic protected health information (ePHI). Because of this, every communication channel used for telemedicine needs to be HIPAA-compliant, whether it is used for video calls, voice calls, email, or other means.

These channels need to be encrypted in transit to prevent attackers from intercepting ePHI, and access controls need to be in place so that only authorized persons can reach the data. Several other safeguards should also be used, depending on the communication channel: for example, a video platform should be non-public-facing (a session is reachable only by invited participants), and any vendor that handles the traffic should sign a business associate agreement.

Remote Patient Monitoring

In-home monitoring has become more common in recent years because it allows healthcare practitioners to keep an eye on patients while they are in the comfort of their own homes.

This can have several benefits, such as allowing patients to be released from the hospital early, limiting the number of times that patients need to visit medical professionals for checkups, and reducing how frequently healthcare practitioners need to make visits to a patient’s home.

Despite these advantages, there are also many privacy issues. Remote patient monitoring often involves using internet-connected scales, blood pressure monitors, glucose monitors, and heart rate monitors to track vital signs. Each device, its companion app, and the vendor's cloud service is a place where ePHI is created or stored, and each needs to be covered by the organization's risk analysis.

This data needs to be sent to the healthcare professionals, which means that the very nature of the process involves the transmission of ePHI. To protect the data transmission, safeguards need to be in place at each step. These measures can include access controls, encryption, and more.

Healthcare Communications

Whether or not HIPAA regulates a given message depends on its content and on whom it is addressed to. If protective measures are required, the appropriate safeguards will vary according to how the message is delivered (email, SMS, patient portal, and so on).

The first step is determining whether a healthcare communication contains ePHI. This will depend on the circumstances. If a practice administrator emails all of its patients about an update to the clinic's hours, the message body is not regarded as ePHI because it does not specify any patient's health condition, treatment, or payment details. However, if the mailing list itself identifies the recipient as a patient of a particular practice, that may imply something about their medical history, and the recipient list then deserves protection even when the message body does not.

The situation becomes even murkier if the same administrator sends an email about depression treatments only to those patients who suffer from the illness. Since the message is targeted at a specific group of people who have the condition, the mere fact of receiving it reveals details about their health.

Identifying ePHI is not always straightforward. We recommend that health care organizations protect every patient communication as if it contains ePHI to be on the safe side.

Telehealth Reminder Messages

Many organizations send email and text messages to their patients to remind them of upcoming appointments, to take their medications, or to refill prescriptions. However, organizations need to be careful about the message contents and how they are sent.

If the organization's reminders contain ePHI (and such reminders almost always do, since an appointment with a named specialty or a named medication reveals health information), they should only be sent over secure, HIPAA-compliant channels. Plain SMS is not encrypted end to end, so a reminder sent by ordinary text message should carry no more than a prompt to log in to a secure portal.

Delivering Telehealth Securely & within HIPAA Regulations

Telehealth can be beneficial for both healthcare providers and patients. For organizations offering these services, it’s essential to take security and HIPAA regulations into account. Otherwise, they could face a serious data breach or HIPAA penalties.

Keep your business and your patients safe by using a HIPAA-compliant provider like LuxSci. We have over 20 years of experience providing secure communications services to support the telehealth industry.

What Does HIPAA Say About Telehealth?

Tuesday, April 23rd, 2019

Telehealth is becoming a popular option for providing efficient treatment and other services. Since it’s still an emerging practice, many in the health industry wonder how telehealth fits into the existing HIPAA regulations.

You may be surprised that HIPAA doesn’t mention telehealth, but that doesn’t mean it doesn’t apply. The reason for the omission is that the HIPAA regulations were designed to be broad and flexible to suit a wide variety of situations and changes in technology.


What Does Telehealth Include?

Before we dive in and cover how HIPAA can apply to telehealth, it’s important to talk about what telehealth is. Many healthcare organizations adopted some form of telehealth during the pandemic, and changing consumer preferences may mean it’s here to stay.

Telehealth is a broad practice that involves using technology to deliver healthcare and related services from a distance. It most commonly refers to remote treatment (also known as telemedicine), but it encompasses much more. Telehealth also includes intervention, remote patient monitoring, and patient education.

In What Situations Does HIPAA Apply to Telehealth?

HIPAA regulations apply to covered entities, which are health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions (such as billing), and to their business associates (BAs), which are the individuals or organizations that create, receive, maintain, or transmit protected health information on a covered entity's behalf. Covered entities must have business associate agreements (BAAs) with their BAs.

HIPAA law is relevant whenever electronic protected health information (ePHI) is created, received, maintained, or transmitted.

The Privacy Rule defines protected health information (PHI) as any data that is both "individually identifiable" and concerns one of the following; ePHI is simply PHI held or sent in electronic form:

  • An individual’s current, past, or future health, whether it is mental or physical.
  • Any treatment or healthcare provided to the individual.
  • Any payment information related to healthcare, whether it is past, present, or future.

When the HIPAA regulations talk about individually identifiable information, they refer to any data which either directly or indirectly could be used to identify a person. The Privacy Rule's de-identification standard lists 18 such identifiers, including:

  • Name
  • Contact details
  • Address (physical or email)
  • Social security number
  • Biometric details
  • License number
  • IP address
  • Any other characteristic that could uniquely identify an individual

To summarize, HIPAA applies to organizations in the health field and any companies they share data with (such as communications providers). The regulations are relevant whenever these organizations deal with information that involves an individual’s health if it can also be used to identify them.

Your organization needs to abide by the regulations in any situation that meets the above criteria, whether they involve telehealth or not.

How Can HIPAA Apply to Telehealth?

Under HIPAA's Security Rule, both covered entities and their business associates must "Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits."

They must protect against reasonably anticipated threats, uses, and disclosures, and ensure that their workforce complies with the regulations. Organizations must conduct a documented risk analysis to determine the technical, administrative, and physical safeguards needed to meet the HIPAA requirements; the risk analysis is itself a required element, not an optional one.

Implementation specifications in the Security Rule are either "required" or "addressable." Those listed as "required" are mandatory as written. "Addressable" does not mean optional: the organization must implement the specification if it is reasonable and appropriate, and if it is not, must implement an equivalent alternative measure or document why neither is reasonable and appropriate in its circumstances.

Covered entities and business associates must document the implementation process and record, for each addressable specification, whether it was implemented, replaced by an alternative, or determined not to be "reasonable or appropriate" and why.

When it comes to telehealth systems that deal with ePHI, these are the required technical standards and implementation specifications:

  • Access control
  • Unique user identification
  • Emergency access procedures
  • Audit controls
  • Integrity protection procedures
  • Authentication measures for persons and entities
  • Transmission security

The following are the addressable implementation specifications under those standards:

  • Automatic logoff
  • Encryption and decryption of stored ePHI
  • A mechanism to authenticate ePHI (to detect improper alteration or destruction)
  • Integrity controls for ePHI in transit
  • Encryption of ePHI in transit

Note that while encryption is technically addressable, a risk analysis for telehealth traffic crossing the public internet will almost always conclude that encryption in transit is reasonable and appropriate, so in practice it should be treated as required.

How to Make Your Organization’s Telehealth Systems HIPAA-Compliant?

Developing and maintaining HIPAA-compliant telehealth systems is a relatively complex process. Many of our most commonly used communications systems, such as Zoom or FaceTime, aren’t HIPAA-compliant by default, which makes it hard for organizations to find the right tools for the job.

The best way to implement secure and compliant telehealth systems is to use a provider that specializes in this niche. LuxSci’s services are HIPAA-compliant, and we offer secure email and communications services. A HIPAA specialist makes it easy to both stay within the regulations and offer excellent telehealth services to your patients.