Schellman becomes The First ISO 42001 ANAB Accredited Certification Body!

Learn More
866.254.0000
Contact Us
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
Build Your Compliance Roadmap
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

How to Ensure Your Telehealth Platform is HIPAA Compliant Blog Feature

By: Schellman

Print/Save as PDF

How to Ensure Your Telehealth Platform is HIPAA Compliant

Healthcare Assessments

When the COVID-19 pandemic spread across the globe in 2020, the need for social distancing and isolation impacted the availability of in-person, non-emergency healthcare appointments. As a result, telehealth became a common way for healthcare providers to serve their patients without seeing them in-person, and with its rise came related HIPAA compliance concerns.

COVID-19 accelerated the adoption of smartphones in hospitals, electronic health records (EHRs), and the digital transmission of electronic protected health information (ePHI), but all that electronic communication about health information created unique implications on security and patient privacy that continue as healthcare organizations continue to rely on telehealth even as the pandemic has eased somewhat.

Given our breadth of experience as HIPAA assessors, we’re very familiar with what organizations need to do to achieve compliance whether they use telehealth or not. As it’s become very popular, we’re going to offer some valuable insight to healthcare organizations—in this article, we’ll look back on the changes to healthcare brought about by the pandemic before delving into how you can ensure your telehealth measures stay HIPAA-compliant.

 

The Emergence of Telehealth and Changes Due to COVID-19

When the pandemic first began impacting medical practices in 2020, many healthcare providers scrambled to get their telehealth systems up and running as, to that point, not many offered telemedicine services.

And they weren’t the only ones adjusting—healthcare regulators were too. On March 17, 2020, the Department of Health & Human Services (HHS) released Notices of Enforcement Discretion (NED) announcing the temporary flexibilities for the use of telehealth. More specifically, the NED allowed healthcare providers to use video conferencing or other communication platforms to deliver telehealth services without having to first assess and address the vulnerabilities of those platforms or requiring those platform vendors to agree to certain security standards.

But nearly four years later, those flexibilities have been removed. The White House announced the official end of the COVID-19 public health emergency (PHE) as May 11, 2023, and the provided a 90-calendar-day transition period covered healthcare providers were permitted to bring their telehealth into full compliance with the HIPAA Rules has come and gone.

 

What are the HIPAA Telehealth Requirements?

But even with the end of the pandemic, it seems that its transformation of healthcare was permanent, as telehealth has now become a norm in modern practices, and that means that telehealth must now adhere to and continue to adhere to pre-COVID privacy and security policies related to telehealth use.

That includes ensuring your third-party telehealth platform is HIPAA-compliant—any practice using popular video chat applications, or any other non-compliant platform, will be at risk for potential HIPAA violations.

So how can you ascertain that the electronic communication platform(s) you’re using meet the HIPAA rigorous standards? We can tell you that it’s more complex than simply opting to use products claiming to be “HIPAA-compliant.”

Per the HIPAA guidelines on telemedicine within the HIPAA Security Rule, you must ensure that your telehealth platform—or the electronic channel of communication—meets this criteria for HIPAA compliance: 

1. Only authorized users should have access to patient health information.

 

2. A system of secure communication should be implemented to protect the integrity of electronic protected health information (ePHI).


3. A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

 

5 Questions to Answer When Evaluating Telehealth Vendors

So, when choosing a telehealth vendor, you should look for one that is HIPAA compliant and whose product meets those criteria. To feel even better about it, include your telehealth platform in your annual HIPAA risk assessment.

But there are also some more specific features you should look for when initially vetting any telehealth vendors—let’s explore nine important ones.

1. Will They Sign a Business Associate Agreement (BAA)?

 

When you allow a third party to store ePHI you’ve created, you’re required to enter into a BAA with that third party storing the data, as HIPAA rules require that what are technically considered business associates enter into this type of contract to ensure that all PHI is safeguarded by everyone who may be able to access it.

When you’re evaluating telehealth vendors, you need to be sure that they’ll sign a BAA—some won’t, but that will make you liable for any fines or civil action should an unauthorized disclosure of ePHI occur due to the third party´s lack of HIPAA-compliant security measures. Not only that, but you’ll also likely fail any HIPAA audit as well.

2. Do They Offer a Secure Connection? (No Matter the Medium)

 

One of the essential elements for ensuring HIPAA compliance in telemedicine is a secure connection between a doctor and a patient—everything needs to be secure, whether they communicate by phone or video chat, messaging, etc.

To help ensure that, when vetting a telehealth platform, confirm that anything shared through the platform—be it messages, images, or documents, through video, phone, or messaging—is encrypted to restrict any unauthorized access.

When PHI is transmitted through unsecured platforms sans encryption, it creates opportunities for your patient's information to fall into the wrong hands, whether it’s accidental or malicious. Not only do hackers take advantage of unencrypted platforms to access information, but if you communicate with patients through other unsecured methods like text messaging, it can also put them at greater risk of falling prey to phishing attempts. 

For all these reasons, we recommend avoiding using apps like Zoom, email apps, or Skype to establish a connection between a doctor and a patient because those third parties do not ensure telemedicine HIPAA compliance. Moreover, if you do opt to use a video platform for virtual visits, ensure that those videos will not be stored (recorded) on the platform. 

3. How Do They Differentiate Access to Data?

 

When it comes to the overall safeguarding of your PHI, any platform you engage with should allow you—the healthcare organization—to control access to data, though part of HIPAA compliance involves limiting access to the minimum necessary required to complete a job function.

So, as you decide the different levels of access to PHI to fulfill that requirement, your chosen tool(s) must allow you to do so through varied login credentials so that only authorized users have any access to your ePHI. For example, doctors likely need more access to more extensive medical information, so you should be able to assign doctors specific credentials for that access, while others who don’t need it get separate licenses for the access they’re allotted.

Other general telehealth data access tips include:

 

  • If you’re saving any recordings or transcripts from your telehealth visits, you must protect those stored conversations by password-protecting them, and—whenever possible—encrypting them.
  • Anyone who wants to access the stored PHI should have to go through an authentication process before being able to bring up the encrypted, protected ePHI.

 

4. Do They Keep Audit Logs?

 

In the same vein, any telehealth platform you use should also have the ability to track data use and disclosure—to ensure adherence to this minimum necessary standard and facilitate early detection of breaches, opt only for platforms that will allow you to keep audit logs which distinguish PHI access on a per user basis.

5. Are They Healthcare-Specific?

 

Not all platforms are specifically designed for healthcare, and while these solutions may work for one-off issues—like using a video conferencing platform for a routine appointment with a patient—they will also present challenges when you attempt to adapt them into your workflows.

Platforms that were designed specifically for healthcare don't have these issues. They're also much more likely to be HIPAA compliant, so when choosing which software platforms to use for telehealth, it’s best to use one designed with healthcare in mind.

Specific ways to tell if that’s the case? Per the HIPAA guidelines on telemedicine:

  • Any system of communicating ePHI at distance must have mechanisms in place so communications can be monitored and remotely deleted if necessary; and
  • The system should also have automatic log-off capabilities if the system is not used for some time.

 

Moving Forward with Telehealth

Whether you’ve been using telehealth for a time or you’re thinking about adding it to your services, healthcare organizations must have a specific HIPAA compliance plan to ensure your telehealth adheres to all the guidelines and requirements outlined in the HIPAA Privacy and Security Rules.

Now that you have a place to start in vetting and double-checking your platform vendors so that you maintain your compliance, you may want to also conduct a HIPAA assessment to determine where your organization currently stands with the regulations—in this, Schellman can help, should you want an outside perspective.

In the meantime, you can also reference HHS’s guidance on how HIPAA rules permit healthcare providers to use electronic communication technologies for audio-only telehealth, as well as our other articles that can further serve your ongoing HIPAA compliance as a healthcare organization:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.