By TERRY MCFARLAND
In the midst of all the chaos caused by the COVID-19 pandemic, one bright spot is the increased availability of HIPAA compliant telehealth options. Quarantines and travel restrictions created a need for patients to be able to access health care remotely. The Department of Health and Human Services (HHS) has scaled down HIPAA enforcement as it relates to telehealth, but that won’t always be the case.
What should you do now to ensure that you are offering HIPAA compliant telehealth services?
HIPAA Compliant Telehealth: HHS Giveth, but When Will They Take Away?
On March 15, 2020, U.S. states began shutting down in response to COVID-19. The Centers for Disease Control (CDC) reported a 154 percent increase in telehealth services during the last week of March 2020 over March 2019. As providers worked to provide quality telehealth care for patients during the shutdown, new options had to be considered, some of which had a steep learning curve.
In recognition of the need, HHS issued guidance stating, “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
When the public health emergency is rescinded, normal enforcement of HIPAA rules and regulations is expected to return. Earlier this year, the American Medical Association sent a letter to the Director of HHS’s Office for Civil Rights (OCR), asking for a “one-year glide path to compliance, during which physicians and other affected parties shall not be subject to HIPAA audits and other HIPAA enforcement activity related to telemedicine.”
HIPAA Compliant Telehealth Platforms: The Non-Negotiables
While we wait for OCR’s response to the request, there are things that providers and business associates should do now to eliminate potential violations. The overarching principle should be to base any decisions regarding telehealth service platforms or apps on the same criteria you would any other vendor with whom you work.
Here are five must-haves for HIPAA compliant telehealth platforms:
- The telehealth service, platform, or app should be HIPAA compliant. That means they have gone through the same type of process to achieve HIPAA compliance that you have, including Security Risk Assessments, effective policies, procedures, and training for their employees, and all of the other requirements of the law.
Most companies who are HIPAA compliant will proudly state that somewhere on their website or in their marketing materials because it differentiates them from their competitors and tells potential partners that they are committed to safeguarding the protected health information (PHI) entrusted to them.
- They are willing to sign a Business Associate Agreement (BAA). Here’s a quick HIPAA 101 refresher. Under HIPAA, healthcare providers and insurance companies are considered covered entities. They are responsible for creating and using patient PHI for treatment, billing, and diagnosis. If electronic protected health information (ePHI) is transferred to another company for purposes such as storage, scheduling, or telehealth, those companies are considered business associates.
If a business associate is HIPAA Compliant, they understand that a Business Associate Agreement (BAA) must be signed before any ePHI is transmitted. Failure to do so is a violation of HIPAA. A BAA should specifically address how ePHI is to be protected and the responsibilities of both parties.
- They have a secure and compliant cloud service with data encryption. Your telehealth partner must be able to securely store and protect your ePHI. Their network and services must meet all of the requirements of the HIPAA Security Rule.
- They have strong access controls or can effectively implement access control measures. Access controls help fulfill the requirements of the HIPAA Privacy Rule and the Security Rule by limiting access of information to only authorized individuals.
- They conduct periodic risk assessments and self-audits as appropriate. A HIPAA compliant telehealth platform or application will be able to track and audit the processing, transmission, storage, and proper disposal of ePHI that they possess.
At a minimum, assessments and self-audits should be conducted annually. A good rule of thumb is that the more data that is being stored by the telehealth app or platform, the more often self-audits should be conducted. Self-audits should also include scanning for unusual activity on the network. This can assist with preparing an effective response to a cyberattack or breach incident.
HIPAA Compliant Telehealth: Nailing it vs. Failing it
As an MSP who has earned our HIPAA compliancy shield, we understand the importance of not only being a compliant business partner, but also ensuring that your policies, procedures, and training stand up to the test should an audit occur. Contact us if you need assistance in this regard.
Terry McFarland is president of SeamlessCS, which strives to create a better work environment that enhances small businesses and helps them to thrive. We get to know our customers on a deeper, more personal level, to better understand how we can best help your business/organization enhance with technology support and services. You aren’t just another number with our company. For more information visit us at www.SeamlessCS.com