Mobile Telemedicine and HIPAA Laws - How to be Compliant
HIPAA, the Health Insurance Portability and Accountability Act, is a compilation of laws in the U.S. that, in part, provides measures to protect patient privacy in the transmission and storage of e-PHI, electronic patient health information. HIPAA was passed by the U.S. Congress in 1996, and, while it has created important safeguards for information sharing in the health industry, it has also created a hard-to-navigate minefield of regulations that healthcare providers must comply with. HIPAA has sharp teeth too, with violations costing up to $50,000 per infraction in fines alone.
Mobile telemedicine, the use of video-conferencing software for medical consultation, examination, and monitoring, is a rising trend among private-practice physicians and hospitals. While mobile telemedicine provides many benefits to both patients and providers by allowing services to be rendered remotely, it also presents challenges to providers in maintaining HIPAA compliance within their telemedicine offerings. In this article, we will detail several ways providers can help ensure HIPAA compliance for their telemedicine services.
Encrypted Communication Channels
First, providers must use secure end-to-end encrypted communication channels when providing telehealth to patients. “Encrypted communication” helps ensure that video transmissions or patient files cannot be intercepted and interpreted by hackers or other unauthorized third parties. When communications are encrypted, anything intercepted would be lines of unreadable gibberish to unauthorized third parties, and thus patient privacy for e-PHI would be maintained.
Business Associate Agreements Between Providers & Third Parties
Second, HIPAA dictates that providers must sign Business Associate Agreements (BAAs) with any third party that handles e-PHI. A signed BAA is an agreement between the provider and the third-party service that details the third party’s practices, procedures, and technical safeguards for maintaining patient privacy for e-PHI transmitted by the provider. BAAs also detail the third party’s obligation to inform the provider in the event of any data breach. Popular, free video-conferencing services such as Skype, Google Hangouts, and FaceTime will not sign BAAs with health providers. While these services provide encrypted communication, the lack of a BAA or of protocols for protecting e-PHI makes them a no-go for providers wishing to offer telemedicine services.
Technical Best Practices
Third, there are some technical details that help ensure a provider’s HIPAA compliance in their telemedicine offerings. Telemedicine software should employ peer-to-peer data transmission between the provider and patient. This means that patient data does not pass through third-party servers, which helps minimize the risk of e-PHI being obtained by unauthorized users. Also, to maintain HIPAA compliance, the providers, patients, and staff of the private practice must each have unique usernames and passwords to access and use the telemedicine software. Practices should not use shared usernames and passwords for staff or patients for the sake of convenience: if credentials are shared, providers will not be able to monitor or terminate an individual user’s access.
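To make the last point concrete, here is an added example (not code from this article or from any telemedicine product) of a minimal per-user account store with an audit log. It models one shared “frontdesk” login beside two individual accounts, with constructed usernames and passwords, and shows that only the individual accounts let the practice attribute each login to a person and revoke one person’s access without locking out everyone else.

```python
import hashlib
import hmac
import os

def _hash_password(password, salt):
    # Salted, slow hash so stored credentials are never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class TelemedAccessControl:
    # One account per person: every login is attributable and individually revocable.
    def __init__(self):
        self._users = {}     # username -> {"salt", "hash", "active"}
        self.audit_log = []  # (username, event), in order of occurrence
    def register(self, username, password):
        if username in self._users:
            raise ValueError(f"{username!r} already exists: one account per person")
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": _hash_password(password, salt), "active": True}
    def login(self, username, password):
        rec = self._users.get(username)
        ok = rec is not None and rec["active"] and hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))
        self.audit_log.append((username, "login_ok" if ok else "login_denied"))
        return ok
    def revoke(self, username):
        # Terminates this person's access only; every other account is untouched.
        self._users[username]["active"] = False
        self.audit_log.append((username, "revoked"))

def compare_shared_vs_unique():
    # Constructed scenario: two staff members, one shared login versus two unique ones.
    shared = TelemedAccessControl()
    shared.register("frontdesk", "shared-pw")   # both staff members use this one login
    shared.login("frontdesk", "shared-pw")      # staff member A
    shared.login("frontdesk", "shared-pw")      # staff member B: log cannot tell them apart
    shared.revoke("frontdesk")                  # A leaves the practice ...
    b_after_shared = shared.login("frontdesk", "shared-pw")  # ... and B is locked out too
    unique = TelemedAccessControl()
    unique.register("staff_a", "pw-a")
    unique.register("staff_b", "pw-b")
    unique.login("staff_a", "pw-a")
    unique.login("staff_b", "pw-b")
    unique.revoke("staff_a")                    # A leaves; B keeps working
    return {
        "shared_identities_in_log": len({u for u, _ in shared.audit_log}),  # 1
        "shared_b_locked_out": not b_after_shared,                          # True
        "unique_identities_in_log": len({u for u, _ in unique.audit_log}),  # 2
        "unique_a_after_revoke": unique.login("staff_a", "pw-a"),           # False
        "unique_b_after_revoke": unique.login("staff_b", "pw-b"),           # True
    }
```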
In conclusion, providers can help ensure HIPAA compliance for their telemedicine services by using encrypted communication, signing BAAs with any third-party communication provider, and following technical best practices that help ensure the privacy of e-PHI. Providers can read HIPAA laws directly here to see how their specific practice workflows fit within HIPAA guidelines, or they can contact their telemedicine software providers directly for more information on how their specific software solution maintains HIPAA compliance.
If you are interested in reading more on telemedicine and learning how telemedicine may be used in your practice or hospital, check out our development work with telemedicine app “FaceTalk” here.