HIPAA and telehealth Archives - LuxSci FYI Blog: Learn about HIPAA email encryption, secure email encryption, and more
LUXSCI

Posts Tagged ‘HIPAA and telehealth’

The Different Types of Telehealth & How to Stay HIPAA-compliant

Thursday, October 17th, 2019

When many people think of telehealth, they tend to focus on remote medical care. Telehealth is actually a much broader field that includes these health services, but also stretches to healthcare prevention, advice, education, reminders, monitoring, and more.

Since telehealth encompasses so much, it’s important to examine how HIPAA regulations can be applied to each of these aspects.

Remote Health Care

Remote health care, also known as telemedicine, involves providing medical services through video calls and other technologies. It can help to provide care in rural communities and eliminate travel times for healthcare practitioners, which increases efficiency.

HIPAA regulations apply to all telemedicine because its very nature involves recording and processing electronic protected health information (ePHI). Because of this, every communication channel that is used for telemedicine needs to be HIPAA-compliant, whether it is for video calls, voice calls, email or other means.

These channels need to be encrypted to prevent attackers from intercepting ePHI, and access control needs to be in place so that only authorized persons can access the data. There are a number of other safeguards that should also be used, but these depend on the communication channel.

Monitoring

In-home monitoring has become more common in recent years, because it allows healthcare practitioners to keep an eye on patients while they are in the comfort of their own homes.

This can have several benefits, such as allowing patients to be released from hospital early, limiting the number of times that patients need to visit medical professionals for checkups, or reducing how frequently healthcare practitioners need to make visits to a patient’s home.

Despite these advantages, there are also a number of privacy issues. Remote monitoring can involve a range of different devices in the patient’s home, such as connected scales, blood pressure monitors, glucose monitors and heart rate monitors.

This data needs to be transmitted back to the healthcare professionals, which means that the very nature of the process creates and transmits ePHI. To protect this data, safeguards need to be in place at each step. These measures can include access control, encryption and more.

Healthcare Prevention, Advice & Education

Whether or not these services are regulated by HIPAA will depend on their content and focus. If protective measures are required, then the appropriate safeguards will vary according to how the message is delivered.

The first step is to determine whether any potential healthcare prevention, advice or education contains ePHI. This will depend on the circumstances. If a doctor’s secretary emails all of the doctor’s patients about getting a flu shot ahead of winter, this is not regarded as ePHI, because it does not specify any patient’s health condition, treatment or payment details (unless being on this mailing list identifies you as a patient of this doctor, and that in turn implies something about your medical history).

Things become murkier if the same secretary sends out an email about depression treatments to those patients who suffer from the illness. Since this is targeted to a specific group of people who have the condition, it could be seen as revealing details about their health.

It’s a bit of a gray area, so if your organization finds itself in this position, it’s best to stay on the safe side and protect the information as if it were ePHI. If the prevention, advice or education does include ePHI, then protective measures such as encryption need to be in place.

Reminders

If your organization sends reminders out to its patients, it needs to be wary of whether these contain ePHI. They can be helpful for reminding patients about upcoming appointments, to take their medication, or to refill prescriptions, but your organization needs to be careful about their content and how they are sent.

If any of your organization’s reminders contain ePHI (and such reminders almost always do), then it needs to make sure that they are only sent over secure, HIPAA-compliant channels.

Delivering Telehealth Securely & within HIPAA Regulations

Telehealth can be beneficial for both healthcare providers and patients. If your organization offers these services, it’s important to take security and HIPAA regulations into account; otherwise, it could face a serious data breach or HIPAA penalties.

Keep your business and your patients safe by using a HIPAA-compliant provider like LuxSci. It has almost 20 years of experience and offers a range of telehealth services, such as video calls, voice calls, secure chat and more.

What Does HIPAA Say About Telehealth?

Tuesday, April 23rd, 2019

Telehealth is starting to become a more popular option for providing efficient treatment and other services. Since it’s still an emerging practice, many in the health industry wonder how telehealth fits into the existing HIPAA regulations.

You may be surprised to find out that HIPAA doesn’t actually mention telehealth, but that doesn’t mean that it doesn’t apply. The reason for the omission is that the HIPAA regulations were designed to be broad and flexible, in order to suit a wide variety of situations and changes in technology.


What Does Telehealth Include?

Before we dive in and cover how HIPAA can apply to telehealth, it’s important to talk about what telehealth actually is. Your organization may already be using telehealth without even knowing it.

Telehealth is a broad practice that involves the use of technology to deliver healthcare and related services. It most commonly refers to remote treatment (also known as telemedicine), but it actually encompasses much more. Telehealth also includes practices like intervention, monitoring, communication and education.

In What Situations Does HIPAA Apply to Telehealth?

HIPAA regulations apply to both covered entities, which are essentially those that are involved in the health field, and their business associates (BAs), which are the individuals or organizations that covered entities share data with. Covered entities must have business associate agreements (BAAs) with their BAs.

HIPAA law is relevant whenever electronic protected health information (ePHI) is being collected, processed, transmitted or stored.

According to the Privacy Rule, ePHI is any data that is both “individually identifiable” and concerns:

  • An individual’s current, past or future health, whether it is mental or physical.
  • Any treatment or healthcare provided to the individual.
  • Any payment information related to healthcare, whether it is past, present or future.

When the HIPAA regulations talk about individually identifiable information, they refer to any data which either directly or indirectly could be used to identify a person. This includes things like:

  • Name
  • Contact details
  • Address (physical or email)
  • Social security number
  • Biometric details
  • License number
  • IP address
  • Any other characteristic that could uniquely identify an individual

To summarize, HIPAA applies to both organizations in the health field and any companies that they share data with (such as communications providers). The regulations are relevant whenever these organizations deal with information that involves an individual’s health, if it can also be used to identify them.

Your organization needs to abide by the regulations in any situation that meets the above criteria, whether they involve telehealth or not.

How Can HIPAA Apply to Telehealth?

Under HIPAA, both covered entities and their business associates must “Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.”

They must protect against reasonably anticipated threats, uses and disclosures, ensuring that their employees also comply with the regulations. Organizations must conduct their own risk assessment to determine the appropriate technical, administrative and physical safeguards that need to be put in place to meet the HIPAA requirements.

Mechanisms for HIPAA compliance are either deemed “required” or “addressable”. Those aspects that are listed as “required” are mandatory, while the regulations are flexible when it comes to “addressable” items.

Covered entities and business associates must document the implementation process and record whether or not it would be “reasonable or appropriate” to implement each specification in their own circumstances.

When it comes to telehealth systems that deal with ePHI, these are some of the required technical specifications:

  • Access control
  • Unique user identification
  • Emergency access procedures
  • Audit controls
  • Integrity protection procedures
  • Authentication measures for individuals and entities
  • Transmission security

The following are some of the addressable specifications:

  • Automatic logoff
  • Encryption and decryption
  • Authentication mechanisms for ePHI
  • Audit controls

How to Make Your Organization’s Telehealth Systems HIPAA-Compliant?

Developing and maintaining HIPAA-compliant telehealth systems is a relatively complex process. Many of our most commonly used communications systems, such as Skype or FaceTime, aren’t HIPAA-compliant by default, which makes it hard for organizations to find the right tools for the job.

The best way to implement both secure and compliant telehealth systems is to use a provider who specializes in this niche. All of LuxSci’s services are HIPAA-compliant, and we offer secure video, text and chat, on top of our email and other services. A HIPAA specialist makes it easy to both stay within the regulations and offer excellent telehealth services to your patients.
