Choosing the best HIPAA-compliant telehealth platform is one of the first considerations for clinicians seeking to expand services beyond in-office therapy. And with 2021 research showing telehealth use surging 38 times that of pre-COVID levels, it’s apparent that telehealth is becoming more mainstream. A more recent study indicates that 53% of providers said adding telehealth drove up patient visits.
This shift is attributed to a trifecta of favorable conditions including consumer adoption, regulatory changes and providers’ willingness to adopt telehealth. While providers may be willing to adopt new HIPAA-compliant telehealth platforms, choosing the best platform for your private practice requires an understanding of HIPAA, security, privacy and technology and a knowledge of best telehealth session practices. Sound intimidating? Don’t worry. We have you covered.
HIPAA-Compliant Telehealth: Privacy vs Security
First up. HIPAA. In 1996, Congress passed a law, known as the Health Insurance Portability and Accountability Act (HIPAA) to protect an individual’s medical information from being disclosed without knowledge or consent. In other words, health business entities have an obligation to keep client or patient information private. But what does privacy mean?
Privacy refers to an individual’s right to control his or her personal information and how that information is used. Think about privacy as using data responsibly. Clients should be informed of what data will be collected, why it’s being collected and with whom it will be shared. Individuals must consent to this process.
The American Medical Association (AMA) categorizes patient privacy into physical privacy, informational privacy, decisional privacy and associational privacy. Protected Health Information (PHI) makes these categories concrete: individually identifying information such as names, locations or email addresses, plus past, present or future data related to conditions, care or payment.
Additionally, PHI includes oral or recorded information, in any medium, that is created or received by a healthcare provider, health plan, health care clearinghouse or business associate. In addition to providers, other covered entities (such as health plans and clearinghouses) and business associates are also required to adhere to HIPAA regulations.
If privacy refers to how personal information is controlled and used, security refers to how personal information is protected, especially against malicious threats and unauthorized access. HIPAA’s Security Rule establishes administrative, physical and technical safeguards that must be adopted to protect electronic identifiable health information. For example, encryption of data at rest and in transit is found in HIPAA-compliant platforms.
Failing to protect client personal health information can be costly for providers. Penalties can be civil, criminal and financial, ranging from $50 up to a maximum of $1.5 million annually, and up to 10 years in prison in extreme cases. This makes choosing the best HIPAA-compliant platform critical.
When considering different HIPAA-compliant telehealth platforms, providers need to be aware of a few key factors, including the company’s or vendor’s technology and location, the terms of their contracts, the security of additional features and administrative factors. Questions providers need to weigh when choosing a HIPAA-compliant telehealth platform include:
- What are the technical requirements? (e.g., minimum Internet Speed)
- Do clinicians and clients need to install software on their computers, or is the platform cloud-based (web-based, running in a browser)?
- Is the platform HIPAA compliant?
- What security measures are taken? (e.g., firewall, encryption, back-ups, etc.)
- What level of encryption does it use? (e.g., does a claim such as “bank-level security” come with concrete details?)
- Where is the company based?
- Where are the servers and database located?
- Are they in the U.S. or another country?
- If you have clients outside the United States, can you connect with them on the platform?
Costs and contracts
- What is the cost and what protections does it include for HIPAA-compliant telehealth?
- Is a contract required?
- If so, what are the terms?
- Are other features such as chat, the client portal, EMR, billing and document management also secure?
- Does the company provide a Business Associate Agreement (BAA)?
- Is there an additional BAA fee?
This last question is important with regard to HIPAA-compliant platforms, as the purpose of a BAA is to ensure that any party providing services or activities on behalf of the covered entity (in this case the provider) will adhere to high standards of PHI protection. If the vendor you’re using does not offer or require a signed BAA, your practice could be at risk.
Once a HIPAA-compliant platform is selected for telehealth, providers can take numerous steps at the individual level to ensure that client information is kept confidential. Understanding HIPAA privacy and security violations as they relate to telehealth is one such step.
HIPAA telehealth violations include:
- Discussing a patient’s care with family and/or friends
- Leaving hard copies of patient’s records where unauthorized individuals may access them
- Looking at your colleague's patient’s records out of curiosity
- Allowing family members or friends in the same room during a telehealth session with a client without the client’s consent
- Conducting telehealth sessions with a group of other patients without a client’s consent
- Posting a client’s care information or PHI publicly
- Working with vendors or individuals who perform PHI-related functions for a covered entity without a signed BAA
- Sharing passwords
- Compromise of software that holds or transmits PHI (e.g., a phishing incident, a network server breach, a video platform breach or an EMR breach)
- Giving an unauthorized person access to PHI
- Theft or loss of an unencrypted device (e.g., laptop, desktop, tablet or another portable electronic device)
To avoid these situations, privacy and security best practices can be implemented.
- Ensure that the clinician is the only person in the office/room during a video call unless you provide services that require another clinician to be present.
- If the clinician shares an office with another clinician (who is not treating the client), use headphones, a white noise machine and/or privacy screens.
- If you work from a home office, do not allow friends, family members, or roommates to be present in the room with you during video calls. If they are present at home, they should stay in a different room and follow the best privacy precautions listed above.
- Ask the client if he/she is the only one in the room during a video call. If not, ask who the person is and whether the client is OK with this person being present. Document it.
- Never discuss the client’s case, etc. with anyone without the client’s permission (this includes your client’s family, caregivers, etc.)
- When using an interpreter, make sure that the interpreter understands the importance of patient confidentiality and signs an agreement with you to keep your patient’s records confidential. Make sure that the client agrees and consents to an interpreter being present on the video call.
- Group therapy: Members of a therapy group should not take photos or record tele-sessions. Clinicians should have a policy in place and educate members about privacy and security. During a group therapy session, unauthorized individuals should not be in the room. (Have them scan the room with a webcam if possible).
Security and Technology
- Do not use browser extensions (this applies to you, your staff and your clients). Browser extensions can often access everything you do online, including your passwords and personal information. Moreover, you could unintentionally install an extension that turns out to be malware or a virus.
- Keep your machine clean. Any machine (e.g., desktop, laptop, mobile) should have the most up-to-date operating system, antivirus and firmware available.
- Use your own private Wi-Fi network that is secured and password protected.
- Do not use public Wi-Fi when exchanging any kind of sensitive information or PHI.
- Passwords should never be shared.
- Use software that offers encryption to secure PHI (including your EMR, your HIPAA-compliant telehealth platform and any other software that handles PHI).
- Back up data daily (e.g., partner with an EMR that provides back-ups, such as TheraPlatform www.theraplatform.com).
- Consider installing a firewall in your office.
While there is no shortage of platforms providing video conferencing software, not all are appropriate for telehealth. Ensure your private practice software is HIPAA compliant for telehealth and save yourself time and headaches in the future. TheraPlatform is HIPAA-compliant video conferencing software that also offers an integrated EMR and practice management software used by thousands of clinicians for therapy. They’re offering a 30-day trial where you can see its security measures in action. No credit card required. Cancel anytime.
This blog is only educational in nature, and there are many security and privacy measures that your private practice can implement to ensure HIPAA-compliant telehealth. In addition to TheraPlatform, the U.S. Department of Health and Human Services offers great resources and HIPAA training. One may also consider reaching out to a lawyer who specializes in HIPAA to help ensure HIPAA-compliant telehealth and practice.