Telehealth and HIPAA Compliance

What does it all mean, and what should you know?

I want to try to provide a guide to the basics of telehealth for the non-nerdy, non-legal, average people who use it. Telehealth, also known as Telemental Health or Telebehavioral Health in the field of therapy, is the delivery of healthcare services using digital technology. It is sometimes also referred to as Telemedicine, but that term mostly covers the delivery of medicine or medical services, whereas telehealth is broader and includes all healthcare, not just medical services. Telehealth includes every channel over which services are delivered: predominantly video, but also phone, fax, and even email. It also encompasses the use of EHR (Electronic Health Record) software, like SimplePractice which I use, because many of these platforms offer direct messaging between client and provider, electronic transmission of files, electronic signing of documents, and many other transmissions of PHI (Protected Health Information) via digital technology. For many, this raises the question of privacy and security. The common phrase you hear, and many ask about, is "HIPAA Compliance".

Privacy & Security

HIPAA (Health Insurance Portability and Accountability Act of 1996) is the federal law that governs the privacy and security of PHI. Its Privacy and Security Rules followed in the early 2000s, long before the advent of many of the technologies we have become so accustomed to using in our daily lives and to receive telehealth services. Without getting into all the ins and outs of compliance, let me just assure you that two basic things make a telehealth platform private and secure: Encryption and a BAA (Business Associate Agreement).
Encryption is a simple yet effective way to ensure that data is securely transmitted (AKA encryption in transit, via TLS, which is what HTTPS uses; for non-geeks like me, that means the little lock in the address bar of your browser) or stored (AKA encryption at rest; again for non-geeks, that means someone who copies the database or gets onto the server without the decryption key sees only scrambled data). Simply put, almost every platform you use these days, from email to video chat to instant messengers, encrypts data in transit, and many offer encryption at rest as well. In fact, as a software and technology buff myself, I can assure you it is actually harder from a software development and deployment perspective to not encrypt data in transit. Encryption in transit plus encryption at rest is not the same thing as end-to-end encryption, even though the terms get mixed up. End-to-end encryption means the message is encrypted on the patient's device and can only be decrypted on the provider's device, so the platform in the middle never sees it in readable form. With transit plus at-rest encryption, the platform decrypts your data on its servers before it stores or forwards it, so the platform itself can read it; that is exactly why the BAA discussed below matters. End-to-end encryption is not required to be HIPAA Compliant, albeit it is preferred. As long as the transmission and the storage are secure, you are usually safe. Think of a call on your cell phone: the carrier cannot listen in on your call across its lines and towers (save a government wiretap), but on either end of the call anyone can hear it if they are listening to the earpiece or speakerphone. In essence, the phone company needs to make sure your conversation is safe across lines and towers, but whoever you choose to let listen to your conversation is your prerogative; so this is an example of encryption in transit but not at rest. HIPAA itself is technology-neutral: the Security Rule does not prescribe a particular encryption product or algorithm. Instead it lists encryption of electronic PHI as an "addressable" safeguard, meaning a provider or platform must implement it or document why an equivalent safeguard is reasonable in their environment. In practice, encrypting in transit and at rest is how nearly everyone meets that requirement, and it has a bonus: under the HHS breach notification guidance, properly encrypted PHI that is lost or stolen is generally not considered a reportable breach, because it is unusable to whoever has it. But then you may ask, is encryption all that is required to be HIPAA secure?
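The three cases in the paragraph above side by side, as an added illustration that is not code from the original post or from any EHR or telehealth vendor: a toy cipher built only from Python's standard library stands in for TLS and for storage encryption, the keys are constructed stand-ins for what a TLS handshake or an end-to-end key exchange would set up, and the session note is made up. The point it shows is what the platform in the middle can read in each case, which is the reason a BAA with that platform matters.

```python
"""Toy model of who can read PHI under each kind of encryption.

Added illustration, not code from the original post or from any EHR or
telehealth vendor. The cipher (HMAC-SHA256 keystream, encrypt-then-MAC)
only teaches the trust boundaries; real platforms use TLS in transit and
a vetted AEAD cipher such as AES-GCM at rest. Never use this for real PHI.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

# Constructed keys standing in for what a TLS handshake (link keys) or an
# end-to-end key exchange (session key) would establish. Hypothetical values.
PATIENT_PLATFORM_LINK = secrets.token_bytes(32)   # TLS: patient app <-> platform
PLATFORM_PROVIDER_LINK = secrets.token_bytes(32)  # TLS: platform <-> provider app
PATIENT_PROVIDER_E2E = secrets.token_bytes(32)    # held only by the two endpoints
PLATFORM_STORAGE_KEY = secrets.token_bytes(32)    # platform's encryption-at-rest key


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one shared secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, producing `length` bytes of keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on wrong key or tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def can_open(key: bytes, blob: bytes) -> bool:
    """True if `key` decrypts `blob`; False on a wrong key or tampered data."""
    try:
        open_sealed(key, blob)
        return True
    except ValueError:
        return False


def relay_transit_only(phi: bytes) -> tuple:
    """Encryption in transit only: the platform terminates TLS on both hops,
    so the note exists in plaintext on its servers between the two hops."""
    hop1 = seal(PATIENT_PLATFORM_LINK, phi)
    platform_sees = open_sealed(PATIENT_PLATFORM_LINK, hop1)   # plaintext PHI
    hop2 = seal(PLATFORM_PROVIDER_LINK, platform_sees)
    provider_gets = open_sealed(PLATFORM_PROVIDER_LINK, hop2)
    return platform_sees, provider_gets


def relay_end_to_end(phi: bytes) -> tuple:
    """End-to-end: the patient seals PHI under a key the platform never holds,
    and TLS wraps that again on each hop. The platform sees only ciphertext."""
    inner = seal(PATIENT_PROVIDER_E2E, phi)
    hop1 = seal(PATIENT_PLATFORM_LINK, inner)
    platform_sees = open_sealed(PATIENT_PLATFORM_LINK, hop1)   # still sealed
    platform_can_read = can_open(PATIENT_PLATFORM_LINK, platform_sees)
    hop2 = seal(PLATFORM_PROVIDER_LINK, platform_sees)
    provider_gets = open_sealed(PATIENT_PROVIDER_E2E, open_sealed(PLATFORM_PROVIDER_LINK, hop2))
    return platform_sees, platform_can_read, provider_gets


def store_at_rest(phi: bytes) -> bytes:
    """Encryption at rest: a copied database file reveals nothing without the
    platform's key, but the platform (which holds the key) can still read it."""
    return seal(PLATFORM_STORAGE_KEY, phi)


def tamper(blob: bytes) -> bytes:
    """Flip one bit of the ciphertext body, as a man-in-the-middle might."""
    return blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 0x01]) + blob[NONCE_LEN + 1:]


if __name__ == "__main__":
    note = b"Session note: client reports improved sleep this week."  # constructed
    seen, got = relay_transit_only(note)
    print("transit-only: platform sees plaintext:", seen == note)
    seen, readable, got = relay_end_to_end(note)
    print("end-to-end: platform can read:", readable, "| provider got it:", got == note)
    print("tampered record rejected:", not can_open(PLATFORM_STORAGE_KEY, tamper(store_at_rest(note))))
```

Run it and the first line prints True: with transit-only encryption the platform operator holds the plaintext, and the only thing stopping them from misusing it is the contract. The end-to-end case prints False for the platform, and the last line shows why authenticated encryption matters: a single flipped bit in a stored or relayed record is rejected rather than silently decrypted into garbage.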
This is where BAAs come into play. In layman's terms, Business Associates are parties outside the provider's own office, such as software vendors, that create, receive, store, or transmit PHI on the provider's behalf. They are not themselves Covered Entities (CEs), the term HIPAA reserves for health plans, healthcare clearinghouses, and providers, but since the HITECH Act and the 2013 Omnibus Rule they are directly liable under HIPAA for the privacy and security of the PHI they handle, and the BAA is the contract that spells out those obligations. We could open a Pandora's box about who counts as a Business Associate and requires a signed BAA, but let me do my best to keep it on topic about Telehealth and simplify it to put your mind at ease. The provider needs to have a BAA with any EHR software and telehealth platform company, because they transmit and/or store PHI and are thus equally liable for its privacy and security. One practical caveat: many vendors only sign a BAA on a specific business or healthcare plan, so "the app uses encryption" on its own is not enough; the question is whether a BAA is actually in place for the plan the provider is using.
If you want to dive even deeper into the legal aspects, you can also consider the HITECH Act (Health Information Technology for Economic and Clinical Health Act of 2009), which strengthened HIPAA by extending its security obligations directly to Business Associates and adding breach notification requirements. Again, rest assured, most platforms and software that work with PHI are built to meet both.

So take a deep breath and relax, as almost all telehealth and EHR platforms have your privacy and security covered. Now, if you want to know whether your healthcare provider is being HIPAA Compliant when using telehealth, just ask about the use of encryption and a signed BAA (not only will you look smart and educated, but you can vet your provider's competence as well). Most providers can answer that, since they should be well aware of BAAs, CEs and the like; if yours cannot, feel free to ask me.

PS: Long before the COVID-19 situation, I had been offering telehealth to reach my clients both locally and across the state. I use multiple software platforms based on client need and participate in a few managed telehealth networks. If you have more questions about which platform or network will work best for you, which often depends on your insurance coverage, please contact me and we will figure it out together.
