Believe it or not, healthcare is going digital. Medical treatment is one of the procedures that seemed least likely to be turned digital, yet patients can now communicate with their doctors and be treated through their mobile devices, in anything from telepsychiatry to teleradiology.
Remote patient monitoring and teleparamedicine are some of the most important current healthcare industry trends. As the interaction between doctors and their clients involves protected health information (PHI), increased cybersecurity is necessary for such communication.
More than 75 percent of U.S. hospitals use teletherapy as of now. Besides making the lives of many people a lot easier, telemedicine can also lead to healthcare data breaches. To avoid that, any tool used to share PHI must comply with the HIPAA guidelines.
In February 2020 alone, 39 healthcare data breaches violated the privacy of over a million and a half records. These numbers are bigger than those of the three previous months combined, which means the situation is getting worse.
Events like the COVID-19 pandemic are making HIPAA compliant telemedicine more relevant than ever before. As protected health information is shared by doctors and patients more often, e-health becomes the leading way to keep such data secure. In this article, we want to provide you with the latest HIPAA compliant teletherapy guidelines.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that led to the creation of national standards protecting healthcare data from being disclosed without the consent or knowledge of patients.
The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule and the HIPAA Security Rule, which are the main regulations when it comes to HIPAA compliance.
What is the HIPAA Privacy Rule?
Any medical professional or organization must follow each HIPAA guideline when providing a remote service to patients. The HIPAA Privacy Rule sets the national standard of PHI protection, including medical records and other similar data. Some assume that sending healthcare data directly to a doctor is automatically safe, but that is not the case.
The Privacy Rule addresses the use and disclosure of protected health information by covered entities. Moreover, it provides standards for patients’ privacy rights, so they can understand and control how their medical data are used.
There has to be a safe and secure way to transfer medical records to ensure people can be treated properly. The main objective of the HIPAA Privacy Rule is to allow the flow of required healthcare data while protecting the privacy of patients.
What is the HIPAA Security Rule?
While the HIPAA Privacy Rule covers protected health information in general, the HIPAA Security Rule provides directions on using electronic protected health information (ePHI) specifically. Any telemedicine platform must adhere to these regulations.
Any software used for remotely communicating ePHI has to be HIPAA compliant. Here are three principal clauses of the HIPAA Security Rule:
- Only authorized users should have access to ePHI.
- A system of secure communication should be implemented to protect the integrity of ePHI.
- A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.
The first point means only authorized individuals have the right to use electronic protected health information. The second point implies that traditional channels of communication, such as text messaging, Skype, and email, should not be used for sharing ePHI. Lastly, the third point means that not only must special software be used, but it must also be of the highest level of security.
Why You Shouldn’t Use Text Messages, Email or Skype for Telehealth
Text messages, emails, or Skype are unsuitable for teletherapy use, because copies of all the information sent with these methods remain on service providers’ servers, which is not secure and violates the HIPAA guidelines.
All shared medical data must be stored during the communication process. The healthcare provider is required to have a Business Associate Agreement (BAA) with the third party storing ePHI, and the BAA should cover methods used to provide data protection and security.
To ensure the shared medical records are protected, it would be necessary for the covered entity to have a BAA with, for example, Skype or any other telecommunications carrier. However, not every company is willing to have such an agreement. If there is no BAA, and the HIPAA regulations are disregarded, the healthcare provider is fully responsible for any data disclosure and breaches.
How to be HIPAA Compliant
Using secure teletherapy solutions is the key to providing high-quality remote healthcare services. Such tools offer the same functionality as conventional communication channels while being HIPAA compliant. E-health software should also be user-friendly and have features to allow doctors and patients to use telemedicine to the fullest.
Many medical organizations opt to create their own telehealth app. Having a separate application means it can have specific functions necessary for those who will use it. When it comes to HIPAA compliance, there are a few main guidelines to remember.
- Authorization. Each app user has a username and a password. Doctors, for example, could have access to more medical information, so there should be different levels of authorization. Also, an automatic log-off capability has to be implemented for added security.
- Data encryption. Ensuring secure message policies is necessary. Anything shared through the application, be it messages, images, or documents, must be encrypted to restrict third-party access.
- Activity audit. The in-app activity should be closely monitored by a cloud-based platform to guarantee security and prevent data breaches.
- Third-party data storage. Communicated data has to be stored by a third party. The main requirement is that the healthcare organization has a BAA with the third party. When sharing ePHI through a specific service, users need to know their data is protected and can be managed by them.
The Best HIPAA Compliant Teletherapy Platforms
If a medical organization decides to use a teletherapy solution to treat patients, it must cooperate with a verified HIPAA compliant communication provider. This is done to ensure data protection and the overall security of the tool.
There are two common solutions when it comes to software suitable for e-health use. The first option is to enter into a BAA with an existing company and use its services for telemedicine. The alternative to this would be developing a new app that is used specifically for remote healthcare purposes.
Some communication providers offer HIPAA compliant products and will enter into a BAA. Here are a few of the traditional tools that can be used for telemedicine:
- Skype for Business/Microsoft Teams;
- Cisco Webex Meetings/Webex Teams;
- Zoom for Healthcare;
- Amazon Chime;
- Google G Suite Hangouts Meet.
These well-known services provide organizations offering remote healthcare with the necessary set of features.
While the first solution seems easier to implement, it may prove insufficient. Not every telecommunications provider is willing to have a BAA, and if it does, the services might be costly or of poor quality.
Alternatively, an app created particularly for medical communication can be used. Besides complying with the HIPAA guidelines, such applications offer features that make teletherapy easy and convenient.
Developing a new app does require initial funding and time. Nevertheless, it is ultimately the better option for medical organizations providing remote services. Spruce and Kego are great examples of telemedicine applications.
Spruce is one of the HIPAA compliant telehealth platforms. It provides a wide range of communication options: calls, text chat, video conferencing, and more. The company enters a BAA with healthcare providers using it, so data security is ensured.
Some other features include telemedicine questionnaires and scheduled and template messages. There are different applications for doctors and their clients, and the app for patients is free. Spruce is available on mobile and desktop for more convenience.
Another e-health solution example is Kego, an online urgent care clinic our team developed. Patients can schedule an online doctor’s appointment right in the app. Of course, the application is HIPAA compliant.
We developed two separate apps, one for doctors and one for patients. Users can communicate with each other via text or audio and video calls. There is no health insurance required to use the app. Moreover, the user’s prescription can be sent straight to the pharmacy to get the necessary medication.
Doctors are offered an iOS application, while the app for patients is available for iOS, Android, and web. Each of them offers a user-friendly interface combined with extensive functionality. We built a Django backend to provide secure data sharing and storage.
How to Make Your Own Telemedicine App HIPAA Compliant
Telemedicine and HIPAA compliance go hand in hand. To build a proper medical communication app, you need to keep in mind the described Privacy and Security Rules. There are technologies that will provide data confidentiality and can guarantee the application can be used for e-health.
Elements of a HIPAA Compliant App
- Workstation Use Protection. Any device used by medical professionals, like desktops, smartphones, or tablets, must be logged out of the system when a worker leaves it unattended. Proper safeguards must be present in the app to prevent data breaches. The system must be password-protected to avoid unauthorized use of the software.
- Device and Media Controls. When deleting a teletherapy application from a device, all data should be permanently deleted to make sure no protected health information is left behind.
- Web Application Protection. A Web Application Firewall (WAF) is the best way to protect medical websites and apps. The WAF offers protection from possible intrusions into the system and alerts users if such incidents happen.
- Intrusion Detection Systems. Similar to WAF, Intrusion Detection Systems (IDS) provide various types of security checks, anything from host-based to network-based detection.
Informed Consent of Patients
Patient consent is another important aspect to consider when creating a HIPAA compliant app. In certain states, it is not required. However, informed consent is still a recommended telemedicine best practice.
These are the points a consent form should include:
- informing patients of their rights when receiving remote treatment, including the right to stop or refuse medical assistance;
- informing patients of their responsibilities when receiving remote treatment such as providing accurate and complete medical information;
- providing a way to file a complaint to resolve any potential issues that might come up when receiving remote treatment;
- describing the potential benefits, constraints, and risks of remote medical treatment;
- informing users of what could happen if technology or equipment fails during remote treatment sessions and how such situations can be resolved;
- outlining app policies on billing, scheduling, and cancellations.
Telemedicine Remote Communications During the COVID-19 Outbreak
In times of a pandemic, remote medicine is in much higher demand. The concerns arising from the increased popularity of e-health are, unsurprisingly, mostly related to the security of telehealth solutions and data breaches.
People are worried because no disease outbreak like COVID-19 has occurred since HIPAA was established. When a public health emergency like this is declared, HHS may choose to suspend some penalties for not complying with the HIPAA Privacy Rule.
Recently, the HHS’ Office for Civil Rights (OCR) announced in its Notice of Enforcement Discretion that sanctions and penalties for noncompliance will be lifted in certain cases of telemedicine use during the nationwide coronavirus outbreak.
OCR declared the HIPAA enforcement discretion is only partial. It applies to remote medical services provided for any reason, whether it is the diagnosis and treatment of COVID-19 or any other disease. The Notice applies to all organizations covered by HIPAA that provide telehealth services.
The Office for Civil Rights has confirmed that bad-faith conduct in teletherapy provision will still result in fines and sanctions. Some examples of ill-willed actions include:
- conducting or furthering a criminal act;
- intentional invasion of privacy;
- further uses of PHI transmitted during remote medical treatment;
- violations of state licensing laws and professional ethical standards.
Remote medical treatment is an excellent modern way to treat patients. To ensure e-health leads only to desired outcomes and does not result in privacy violations, HIPAA compliant telemedicine must be used.
When choosing a platform, healthcare organizations should remember the HIPAA Privacy and Security Rules. They also should only work with communication providers that have signed a BAA with them. Finally, if creating a new telemedicine app, all the necessary security features must be implemented.
The HIPAA guidelines offer all the important information about teletherapy compliance. However, if you still need help with developing a remote healthcare application, Riseapps is happy to help.
We specialize in telemedicine solutions and can create just the application you need. Don’t hesitate to contact us if you have any questions; we’ll gladly discuss how we can create a great telemedicine app for your company!