New HIPAA Guidelines in Telemedicine
Policies are quickly trying to catch up with the growing public health crisis as well as the technology of the digital age. Healthcare regulatory organizations have created three specific policies surrounding patient health information, privacy, and security in response to current healthcare issues. These policy changes created unexpected efficiencies in healthcare processes and profitability.
3 HHS Policies Affected by Telemedicine
The following three policies have been (and will continue to be) affected by recent changes:
The Health Insurance Portability and Accountability Act (HIPAA), created in 1996 to reduce healthcare fraud and abuse, sets industry-wide standards for the protection and secure handling of specific patient health information.
The Privacy Rule defines and governs the use and disclosure of Protected Health Information (PHI). Providers who are covered by HIPAA must comply with processes that secure PHI whenever it is received, handled, transferred, or shared. These processes must be in compliance whether the information is stored on paper or electronically.
The Security Rule is shorthand for the Protection of Electronic Protected Health Information. It specifically establishes the security standards for patient information that is stored or transferred by electronic methods.
During COVID-19, remote communications and telemedicine standards for HIPAA compliance have been altered to meet the nationwide public health emergency. Here are some changes of which healthcare organizations should be aware so they can continue to protect patient information.
Office for Civil Rights (OCR) Outlines Telehealth Dos and Don’ts
The Office for Civil Rights (OCR), part of the U.S. Department of Health and Human Services (HHS), recently announced that, in light of the COVID-19 healthcare emergency, it “will waive potential penalties for HIPAA violations and will not impose penalties for non-compliance against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
This means that covered health care providers may employ widely-used communication tools such as FaceTime and Skype. These audio and video communication tools may be used to provide any telemedicine services, not just those directly related to the diagnosis and treatment of health conditions related to COVID-19.
When using the approved communication tools, providers are encouraged to notify their patients of security measures to take when using third-party applications, including enabling encryption and privacy mode. Providers should also advise patients to reset passwords or improve password strength.
Applications that MAY be used for telehealth include:
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video
In contrast, public-facing communication tools cannot be used. Applications that MAY NOT be used for telehealth include:
- Facebook Live
Telemedicine and Securing Your Patient Information
Third-party applications can pose significant security risks to patient information. When working with audio and video communication products for telehealth, providers should be aware of HIPAA compliance before entering into business associate agreements (BAAs) and only work with secure messaging platforms.
Options for non-public facing communication channels that are HIPAA-compliant include:
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
ePHI and the Future of Telemedicine
Secure messaging via new electronic tools has improved remote access and HIPAA compliance, and it has brought additional benefits, including reduced costs and a higher standard of, and greater access to, healthcare for more patients. The once-difficult task of making telemedicine HIPAA compliant has pleasantly surprised many healthcare organizations with its ease and cost.
With minimal investment in IT resources and training, technology met the challenge with many significant advantages. Communicating ePHI (electronic protected health information) at a distance with secure messaging will likely continue to streamline and improve processes for the foreseeable future.
While telemedicine has created significant streamlining and cost reduction, there are some increased challenges that will continue to develop as the industry expands. Continued investment in data security and verification will become even more important as patient information and communications increasingly move online. By adopting constantly updated, real-time provider credentialing software, healthcare providers can mitigate non-compliance in their organizations and stay current with HIPAA guidelines in telehealth.
Written by Juliette Willard
Healthcare Communications Specialist