What is HIPAA compliant telemedicine?


Telemedicine covers any remote service that a medical professional or healthcare organization provides to patients in their homes or in community centres. The HIPAA Privacy Rule has created some ambiguity about the circumstances in which it is acceptable to transmit ePHI to a patient. Medical professionals often mistakenly believe that communicating ePHI is acceptable simply because the communication is directly between physician and patient; the Privacy Rule does permit such communication, but the Security Rule still governs how it must be secured.

Often, little regard is given to the channel used to communicate the ePHI. Medical professionals who wish to comply with the HIPAA guidelines on telemedicine must adhere to rigorous standards for such communications to be deemed compliant.

The HIPAA guidelines on telemedicine are contained within the HIPAA Security Rule and, in summary, stipulate that:

  • Only authorized users should have access to ePHI.
  • A system of secure communication should be implemented to protect the confidentiality and integrity of ePHI in transit.
  • A system of monitoring communications containing ePHI should be implemented to detect and prevent accidental or malicious breaches.

Once physicians use “reasonable and appropriate safeguards” to prevent ePHI being disclosed to unauthorized parties, HIPAA deems them compliant with the first requirement. However, channels such as SMS, Skype and unencrypted email give the covered entity no assurance of who actually receives the message, no encryption it controls or can verify, and no audit trail. A covered entity relying on them would struggle to show that it has implemented “a system of secure communication”, and would therefore be at risk of violating HIPAA.

Finally, according to the HIPAA guidelines on telemedicine, any system for communicating ePHI at distance must allow communications to be monitored and audited, and must allow ePHI to be remotely deleted if necessary, for example from a lost or stolen device.

Third Parties and Data Storage

When ePHI created by a medical professional or a healthcare organization (the covered entity) is stored or transmitted by a third party, the covered entity is required to have a Business Associate Agreement (BAA) with that third party. The BAA must set out the safeguards the third party uses to protect the data and provide for regular auditing of the data’s security.

Because communications sent by SMS, Skype or email pass through, and are often retained on, the service providers´ servers, and contain individually identifiable health information, the covered entity would need a BAA with (for example) Verizon, Skype or Google to comply with the HIPAA guidelines on telemedicine.

Consumer versions of these services are not covered by a BAA (Google and Microsoft will sign BAAs for their paid enterprise suites, but not for consumer Gmail or consumer Skype), so the covered entity is liable for any fines or civil action should a breach of ePHI occur because of the third party´s lack of HIPAA-compliant security measures. The covered entity would also be likely to fail any HIPAA audit for failing to conduct a suitable risk assessment, which might in turn affect the receipt of payments under the Meaningful Use incentive scheme.

Solutions for Communicating ePHI at Distance

There has been a strong drive to create secure messaging solutions that comply with the HIPAA guidelines on maintaining ePHI integrity in telemedicine. Secure messaging solutions offer the same speed and convenience as SMS, Skype or email, but comply with the Security Rule by only allowing authorized users access to ePHI. As well as providing a secure channel of communication, they allow activity involving the ePHI to be monitored and logged.

These solutions work via apps that healthcare professionals can download onto their smartphones. Since up to 80% of healthcare professionals say they are “heavily reliant” on their devices at work, this is a promising approach. Each authorized user logs into the app with centrally issued credentials and can then communicate with other authorized users within the covered entity´s private communications network. Because the credentials are issued centrally, they can also be revoked centrally when a user leaves.

All communications, including images, videos and documents, are encrypted so that they are unreadable and unusable if intercepted, for example on a public Wi-Fi network. Safeguards also exist to prevent ePHI from being sent outside the covered entity´s private network, whether accidentally or maliciously. All activity on the network is logged by a cloud-based platform so that the covered entity can show that the access-control and audit requirements of HIPAA’s Security Rule are being met.

Patients Using Secure Messaging

Medical professionals and healthcare organizations can grant a patient temporary access to the network holding their ePHI via the secure messaging app. If that is not possible, they can set up a secure temporary browser session on the same platform. In many cases, organizations have integrated the secure messaging solution with their EHR so that patient records are updated without time-consuming manual entry.

This also applies to patients who have attended a community medical centre or received home visits from a community nurse. Staff at the medical centres and community nurses can use the secure messaging apps to relay critical patient data and escalate patient concerns securely.

Secure messaging solutions are widely seen to have many advantages. One of the primary benefits is increased workplace efficiency. Medical professionals in the community can send and receive ePHI on the go, instead of waiting until they are at a desktop to log into a secure network. Images can be attached to secure messages and shared to accelerate diagnoses and treatment. Secure messaging can also speed up emergency admissions and patient discharges. Many healthcare institutions struggle with patient waiting times, and discharging patients more efficiently can reduce those waits and streamline the administrative process.

Secure messaging apps also automatically produce delivery notifications and read receipts, which reduce phone tag and increase message accountability. Information access reports make risk management analyses much simpler, and when integrated with an EHR, secure messaging also helps healthcare organizations meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.

Communicating ePHI at distance with secure messaging ensures that messages reach the correct recipient, reduces the time wasted between sending a message and receiving a reply, and protects the integrity of ePHI in compliance with the HIPAA guidelines on telemedicine.

HIPAA Guidelines on Telemedicine

Secure messaging solutions were initially developed to allow messaging in compliance with HIPAA, but many of their features have also improved the workflows of healthcare professionals. These efficiencies have reduced costs in medical facilities and raised the standard of care patients receive. The solutions offer an inexpensive way for healthcare organisations to comply with the HIPAA guidelines on telemedicine.

The HIPAA guidelines on telemedicine make it quite clear what measures should be introduced to secure the integrity of ePHI. Given the significant advantages of implementing a secure messaging solution, it is likely that a growing number of covered entities will provide a telemedicine service to their patients, communicating ePHI at distance with secure messaging.