What is HIPAA compliant telemedicine?


The term HIPAA compliant telemedicine relates to the remote delivery of healthcare to patients and remote collaboration between healthcare providers while complying with the standards of the Privacy Rule and the safeguards of the Security Rule. Due to the nature of remote healthcare delivery and collaboration, it is not always easy to comply with the HIPAA rules for telemedicine.

Many people consider telemedicine to consist of physician-to-patient communications conducted remotely by audio and video. However, it can consist of much more. Telemedicine can include remote patient monitoring (for example, via a wearable app), medical imaging, remote consulting (between healthcare providers), and “store and forward” collaboration for diagnoses and treatments.

When these interactions involve uses or disclosures of Protected Health Information (PHI), the interactions are subject to the HIPAA Privacy and Security Rules, or – if an app sends healthcare data via a third-party software vendor – the FTC Act. Additionally, if PHI is disclosed impermissibly, the event may qualify as a reportable data breach under the HIPAA Breach Notification Rule.

Telemedicine and HIPAA Compliance

Strictly speaking, HIPAA does not distinguish between the face-to-face delivery of healthcare and the remote delivery of healthcare. Nonetheless, telemedicine has some unique challenges that healthcare providers and business associates need to be aware of when using or disclosing PHI. These include recipient verification, the privacy of data, and treatment relationships.

In the context of telemedicine and HIPAA compliance, recipient verification means more than checking that the person a healthcare professional is communicating with remotely is the patient they claim to be. It can also mean verifying the identity of a person claiming to be a healthcare provider waiting for test results or claiming to be a member of a healthcare management or operations team.

Many healthcare providers also find it difficult to maintain HIPAA compliant telemedicine when a patient takes a call in a public location. There are many stories on the Internet about patients taking telemedicine calls at work, at the gym, or on vacation. It may also be the case that healthcare providers have privacy issues when they take calls from patients at home, at the gym, or on vacation.

With regard to treatment relationships, the issue of telemedicine and HIPAA compliance can become even more complicated due to the definitions of “direct” and “indirect” treatment relationships. This can result in healthcare providers restricting disclosures of PHI to the minimum necessary or requiring a healthcare professional to enter into a Business Associate Agreement.

5 Tips for HIPAA Compliant Telemedicine

If your organization is involved in the provision of remote healthcare services, these tips for HIPAA compliant telemedicine can help the organization avoid HIPAA violations and impermissible disclosures of PHI that qualify as a data breach – either under federal law or state law. Please note, these tips for HIPAA compliant telemedicine are not exhaustive.

  • Conduct an audit of how healthcare professionals communicate remotely with patients and business associates.
  • Analyze and remediate risks to the privacy of PHI via Security Rule safeguards, policies, and HIPAA training.
  • Ensure business associate agreements exist before PHI is disclosed to a business associate or software vendor.
  • Develop identity verification procedures to avoid disclosing PHI to an individual acting under false pretenses.
  • Record and retain patient requests to use unsecure channels of communication or continue with a remote consultation when the confidentiality of PHI cannot be guaranteed.

As mentioned in the introduction to this article, it is not always easy to comply with the HIPAA Rules for telemedicine. Therefore, if your organization experiences challenges with telemedicine and HIPAA compliance, or requires assistance implementing our 5 tips for HIPAA compliant telemedicine, it is recommended you seek advice from a HIPAA compliance professional.