
How to Ensure Your Telehealth Platform is HIPAA Compliant

Healthcare Assessments

When the COVID-19 pandemic spread across the globe in 2020, the need for social distancing and isolation impacted the availability of in-person, non-emergency healthcare appointments. As a result, telehealth became a common way for healthcare providers to serve their patients without seeing them in-person, and with its rise came related HIPAA compliance concerns.

COVID-19 accelerated the adoption of smartphones in hospitals, electronic health records (EHRs), and the digital transmission of electronic protected health information (ePHI). All that electronic communication about health information has unique implications for security and patient privacy, and those implications persist because healthcare organizations still rely on telehealth even as the pandemic has eased somewhat.

Given our breadth of experience as HIPAA assessors, we’re very familiar with what organizations need to do to achieve compliance whether they use telehealth or not. As it’s become very popular, we’re going to offer some valuable insight to healthcare organizations—in this article, we’ll look back on the changes to healthcare brought about by the pandemic before delving into how you can ensure your telehealth measures stay HIPAA-compliant.

 

The Emergence of Telehealth and Changes Due to COVID-19

When the pandemic first began impacting medical practices in 2020, many healthcare providers scrambled to get their telehealth systems up and running as, to that point, not many offered telemedicine services.

And they weren’t the only ones adjusting—healthcare regulators were too. On March 17, 2020, the Department of Health & Human Services (HHS) released Notices of Enforcement Discretion (NED) announcing the temporary flexibilities for the use of telehealth. More specifically, the NED allowed healthcare providers to use video conferencing or other communication platforms to deliver telehealth services without having to first assess and address the vulnerabilities of those platforms or requiring those platform vendors to agree to certain security standards.

But nearly four years later, those flexibilities have been removed. The White House announced the official end of the COVID-19 public health emergency (PHE) as May 11, 2023, and the 90-calendar-day transition period in which covered healthcare providers were permitted to bring their telehealth into full compliance with the HIPAA Rules has come and gone.

 

What are the HIPAA Telehealth Requirements?

But even with the end of the pandemic, its transformation of healthcare appears to be permanent: telehealth has become a norm in modern practices, which means telehealth must now adhere, and continue to adhere, to the pre-COVID privacy and security policies related to its use.

That includes ensuring your third-party telehealth platform is HIPAA-compliant—any practice using popular video chat applications, or any other non-compliant platform, will be at risk for potential HIPAA violations.

So how can you ascertain that the electronic communication platform(s) you’re using meet HIPAA’s rigorous standards? We can tell you that it’s more complex than simply opting to use products claiming to be “HIPAA-compliant.”

Per the HIPAA guidelines on telemedicine within the HIPAA Security Rule, you must ensure that your telehealth platform, or the electronic channel of communication, meets these criteria for HIPAA compliance:

1. Only authorized users should have access to patient health information.

2. A system of secure communication should be implemented to protect the integrity of electronic protected health information (ePHI).

3. A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

 

5 Questions to Answer When Evaluating Telehealth Vendors

So, when choosing a telehealth vendor, you should look for one that is HIPAA compliant and whose product meets those criteria. To feel even better about it, include your telehealth platform in your annual HIPAA risk assessment.

But there are also some more specific features you should look for when initially vetting any telehealth vendors—let’s explore nine important ones.

1. Will They Sign a Business Associate Agreement (BAA)?

 

When you allow a third party to store ePHI you’ve created, you’re required to enter into a BAA with that third party. HIPAA rules require that such parties, which are technically considered business associates, enter into this type of contract to ensure that all PHI is safeguarded by everyone who may be able to access it.

When you’re evaluating telehealth vendors, you need to be sure that they’ll sign a BAA. Some won’t, but that will make you liable for any fines or civil action should an unauthorized disclosure of ePHI occur due to the third party’s lack of HIPAA-compliant security measures. You’ll also likely fail any HIPAA audit.

2. Do They Offer a Secure Connection? (No Matter the Medium)

 

One of the essential elements for ensuring HIPAA compliance in telemedicine is a secure connection between a doctor and a patient—everything needs to be secure, whether they communicate by phone or video chat, messaging, etc.

To help ensure that, when vetting a telehealth platform, confirm that anything shared through the platform—be it messages, images, or documents, through video, phone, or messaging—is encrypted to restrict any unauthorized access.

When PHI is transmitted through unsecured platforms sans encryption, it creates opportunities for your patient's information to fall into the wrong hands, whether it’s accidental or malicious. Not only do hackers take advantage of unencrypted platforms to access information, but if you communicate with patients through other unsecured methods like text messaging, it can also put them at greater risk of falling prey to phishing attempts. 

For all these reasons, we recommend avoiding using apps like Zoom, email apps, or Skype to establish a connection between a doctor and a patient because those third parties do not ensure telemedicine HIPAA compliance. Moreover, if you do opt to use a video platform for virtual visits, ensure that those videos will not be stored (recorded) on the platform. 

3. How Do They Differentiate Access to Data?

 

When it comes to the overall safeguarding of your PHI, any platform you engage with should allow you, the healthcare organization, to control access to data, because part of HIPAA compliance involves limiting access to the minimum necessary to complete a job function.

So, as you decide the different levels of access to PHI to fulfill that requirement, your chosen tool(s) must allow you to do so through varied login credentials so that only authorized users have any access to your ePHI. For example, doctors likely need access to more extensive medical information, so you should be able to assign doctors specific credentials for that access, while others who don’t need it get separate licenses for the access they’re allotted.

Other general telehealth data access tips include:

 

  • If you’re saving any recordings or transcripts from your telehealth visits, you must protect those stored conversations by password-protecting them, and—whenever possible—encrypting them.
  • Anyone who wants to access the stored PHI should have to go through an authentication process before being able to bring up the encrypted, protected ePHI.

 

4. Do They Keep Audit Logs?

 

In the same vein, any telehealth platform you use should also have the ability to track data use and disclosure. To ensure adherence to the minimum necessary standard and facilitate early detection of breaches, opt only for platforms that allow you to keep audit logs that distinguish PHI access on a per-user basis.

5. Are They Healthcare-Specific?

 

Not all platforms are specifically designed for healthcare, and while these solutions may work for one-off issues—like using a video conferencing platform for a routine appointment with a patient—they will also present challenges when you attempt to adapt them into your workflows.

Platforms that were designed specifically for healthcare don't have these issues. They're also much more likely to be HIPAA compliant, so when choosing which software platforms to use for telehealth, it’s best to use one designed with healthcare in mind.

Specific ways to tell if that’s the case? Per the HIPAA guidelines on telemedicine:

  • Any system of communicating ePHI at a distance must have mechanisms in place so communications can be monitored and remotely deleted if necessary; and
  • The system should also have automatic log-off capabilities if the system is not used for some time.

 

Moving Forward with Telehealth

Whether you’ve been using telehealth for a time or you’re thinking about adding it to your services, your healthcare organization must have a specific HIPAA compliance plan to ensure your telehealth adheres to all the guidelines and requirements outlined in the HIPAA Privacy and Security Rules.

Now that you have a place to start in vetting and double-checking your platform vendors so that you maintain your compliance, you may want to also conduct a HIPAA assessment to determine where your organization currently stands with the regulations—in this, Schellman can help, should you want an outside perspective.

In the meantime, you can also reference HHS’s guidance on how HIPAA rules permit healthcare providers to use electronic communication technologies for audio-only telehealth, as well as our other articles that can further serve your ongoing HIPAA compliance as a healthcare organization:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.