Offering telehealth services means more convenient access to healthcare for your patients and the possibility of more billable services for you. But, it also introduces significant security threats to your patients’ electronic private health information (ePHI) that can lead to massive fines if there is a breach.
Your practice is responsible for protecting your patients’ ePHI at both the origination site (where the patient is located) and the distant site (where the provider is located). You must ensure that both locations have appropriate administrative, physical, and technical safeguards in place as outlined in the HIPAA Security Rule.
To make sure your telehealth services and your patients’ ePHI are protected, and that you are compliant with HIPAA regulations, follow these Administrative, Physical and Technical Safeguard pointers.
While you may already have established policies and procedures in place to protect your patients’ ePHI, it’s good to take a second look at a few areas to ensure you have adequate Administrative Safeguards in place as you plan your telehealth programs.
- Contracts: It is estimated that 30% of privacy breaches happen through your vendors that have access to your patients’ ePHI. HIPAA calls these vendors business associates, and it’s essential that you have a solid Business Associate Agreement in place for every single one of them. If not, you will be on the hook for any breaches they may cause. This is even more important in telemedicine, so be sure to include all vendors responsible for maintaining your communication networks and those who provide your communication software.
- Coordinated Response for Security Breaches: If you have a documented response plan for security breaches in place, it may not be sufficient for your telemedicine services. Your plan isn’t complete unless it considers how you’ll respond to a breach at your remote site as well. Your plan should include details such as how you will identify and resolve remote site breaches, who will be the key contact to coordinate a response, and what activities the remote site will need to take to contain a breach. (If you don’t have a documented response plan in place, you can learn how by listening to this training).
- Staff Training: HIPAA security training is essential to protecting your patients’ ePHI. Conduct training with all staff who will be involved in your telemedicine services, and be sure to document who received the training, the date and the specific subjects covered.
It’s also important that you review your processes for protecting your computer hardware and software from unauthorized use and natural disasters. Zeroing in on these areas of your plan is the only way to ensure you don’t end up accidentally violating HIPAA.
- Service Locations: Assess the locations where your telemedicine services will be provided. Both the patient and the provider should be in a private setting, preferably an office or exam room, out of earshot of unauthorized individuals. Include policies that specify where these services should be rendered and what steps should be taken to protect the privacy of these conversations.
- Access to ePHI: You must document specifically who will have access to your patients’ data and for how long at both the originating and distant sites. For example, you should have a policy in place regarding how to handle when staff at remote sites are terminated so that you can promptly revoke access.
Perhaps the most important area to focus on in your HIPAA compliance plan for your telemedicine services is Technical Safeguards (the processes, policies, and tools you have in place to protect access to patient data). The transmission of data, voice, video, and images associated with your patients’ care can easily lead to serious violations if not handled appropriately.
Here are a few things to consider:
- Communication Services: While there are many commercial applications that enable two-way voice and video communication, it’s essential that you choose one that is HIPAA compliant. Avoid programs such as Skype and FaceTime, which are not intended for medical purposes and don’t have the appropriate security measures in place.
- Encryption: Any software or service that you use to exchange data between your origination and distant sites (including email) must be encrypted before it’s transmitted. You should train your staff on how to use all encrypted services before sending any electronic communications including private health information. Note: Don’t forget to document your training just in case you get audited.
- Audit Controls: Ensure that you have technology that allows you to see which records are accessed, when, and by whom. You should also have systems in place that alert you to any significant data exports or downloads as this could be a red flag that someone is stealing your patient information.
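The Audit Controls pointer asks for two things: a record of which patient records were accessed, when, and by whom, and an alert when one account exports or downloads an unusual volume of records. The following is an added example, not code from the original article or from any product it mentions, showing how both checks can be run over an access log. The log format (pipe-separated timestamp, user, action, record id), the action names, and the thresholds are assumptions chosen for illustration; a real EHR or telehealth platform will have its own audit log schema that the parser would need to match.

```python
"""Added example: minimal audit-control checks over a constructed EHR access log.
Field layout, action names and thresholds are assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that move ePHI out of the system and therefore count toward bulk-export alerts (assumed names).
BULK_ACTIONS = {"EXPORT", "DOWNLOAD"}

# Constructed sample log: ISO timestamp | user | action | patient record id.
# The "billing.tmp" account exports 12 records within one minute, which is the
# pattern the Audit Controls pointer says should raise a red flag.
SAMPLE_LOG = "\n".join(
    [
        "2024-03-04T09:01:10|dr.lee|VIEW|P-1001",
        "2024-03-04T09:03:42|dr.lee|VIEW|P-1002",
        "2024-03-04T09:15:00|nurse.kim|VIEW|P-1001",
        "2024-03-04T09:16:30|nurse.kim|EXPORT|P-1001",
        "this line is malformed and must be skipped, not crash the check",
    ]
    + [f"2024-03-04T10:00:{i:02d}|billing.tmp|EXPORT|P-{2000 + i}" for i in range(12)]
    + ["2024-03-04T11:30:00|billing.tmp|EXPORT|P-3000"]  # isolated export, outside the burst
)


def parse_audit_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the review."""
    entries = []
    for raw in text.splitlines():
        parts = raw.strip().split("|")
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        entries.append({"ts": ts, "user": parts[1], "action": parts[2].upper(), "record": parts[3]})
    return entries


def access_history(entries, record):
    """Who touched one patient record, when, and how: the 'which records, when, by whom' view."""
    return sorted((e["ts"], e["user"], e["action"]) for e in entries if e["record"] == record)


def find_bulk_exports(entries, threshold=10, window=timedelta(minutes=15)):
    """Alert on any user whose export/download count within a sliding time window reaches the threshold.

    Returns one alert per user carrying the peak count and the span of that peak window.
    """
    by_user = defaultdict(list)
    for e in entries:
        if e["action"] in BULK_ACTIONS:
            by_user[e["user"]].append(e["ts"])

    alerts = []
    for user, stamps in by_user.items():
        stamps.sort()
        start, peak, peak_span = 0, 0, None
        for end, ts in enumerate(stamps):
            # Slide the window start forward until all stamps in [start, end] fit inside `window`.
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > peak:
                peak, peak_span = count, (stamps[start], ts)
        if peak >= threshold:
            alerts.append({"user": user, "count": peak, "first": peak_span[0], "last": peak_span[1]})
    return alerts


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_LOG)
    for ts, user, action in access_history(log, "P-1001"):
        print(f"P-1001 {action:8} by {user:12} at {ts.isoformat()}")
    for alert in find_bulk_exports(log):
        print(f"ALERT: {alert['user']} exported {alert['count']} records "
              f"between {alert['first'].time()} and {alert['last'].time()}")
```

The sliding window matters because a bulk download spread over an hour looks the same as normal work if you only count per minute, and a whole-day total hides a one-minute burst; tune the threshold and window to your practice's actual export volume and review the per-record history whenever an alert fires.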
Offering telemedicine services is a great way to improve the quality of care and convenience that you offer your patients. Just make sure that your privacy policies solidly address the additional risks these services may introduce.
For more expert tips on protecting your practice from HIPAA violations, check out Coding Leader's HIPAA Training Library:
- Data Breach Warning: Tod Ferran, CISSP, QSA, a Certified Information Systems Security Professional and Qualified Security Assessor, gives you the practical, step-by-step solutions you need to protect both your patients’ personal information and your practice’s survival.
- HIPAA Risk Assessment Requirements: Learn how to conduct a thorough HIPAA risk assessment, write and implement solid security policies, and ensure effective ongoing management processes from Brian L Tuttle, CPHIT, CHP, CHA, CBRA, CISSP, CCNA, nationally recognized and certified HIPAA auditor.
- Get Paid for Telemedicine: Non Face-to-Face Services: Catrena Smith, CCS, CCS-P, CPC, CIC, CPC-I, CRC, CHTS-PW, walks you through exactly how to correctly code and bill for telemedicine (non-face-to-face) services so you can finally get paid more of what you deserve.