Telehealth, HIPAA and Compliant Telehealth Platforms

By Ann Tran-Lien, JD,
Managing Director of Legal Affairs

HIPAA Considerations for Telehealth and HIPAA Compliant Platforms
Many clinicians have been practicing Telehealth for decades. Others have just recently started to explore how adding Telehealth options to their current practice might open up new opportunities and new ways to engage with clients. Now, with the emergence of the COVID-19 Coronavirus pandemic, thousands of therapists who had not previously utilized Telehealth modalities are rushing to implement Telehealth as an emergency measure to support clients while adhering to state and federal Social Distancing mandates.

There are many legal and ethical considerations regarding Telehealth, including HIPAA compliance and regulation issues. This article provides an overview of HIPAA considerations for implementing Telehealth, as well as options for HIPAA compliant Telehealth platforms. It is important to note that therapists who utilize Telehealth platforms should ensure Telehealth is within their scope of competence, meaning they have had training and feel professionally secure in providing online or phone-based services. It is also imperative that clinicians assess the clients they serve to ensure they are appropriate for Telehealth care. This article focuses on HIPAA considerations. For further reading on the BBS Standards of Practice for Telehealth regulations, visit: https://www.camft.org/Resources/Legal-Articles/Chronological-Article-List/regulatory-and-legal-considerations-for-telehealth.

HIPAA Compliance and Covered Entities
The Health Insurance Portability and Accountability Act (HIPAA) legislated provisions to protect health information in 1996. HIPAA only applies to organizations and providers who qualify as “covered entities.” Health care providers who transmit protected health information (“PHI”) in connection with certain administrative or financial transactions (“covered transactions”) are covered entities and must comply with HIPAA regulations. To read more about covered entities, visit: https://www.camft.org/Resources/Legal-Articles/Chronological-Article-List/are-you-a-covered-entity. Examples of typical covered transactions by health care providers include the use of the Internet to electronically transmit insurance claims, to conduct benefit eligibility inquiries, or to make referral authorization requests with insurance plans.

The mere use of electronic technology to provide Telehealth services does not transform a health care provider into a covered entity. Therapists who are not covered entities do not have to comply with HIPAA requirements. Still, BBS regulations require therapists to utilize industry best practices for Telehealth to ensure both client confidentiality and the security of the communication medium. Therefore, it is recommended that California therapists who offer Telehealth services utilize HIPAA compliant Telehealth platforms. 

HIPAA and the Security Rule
HIPAA requires covered entities to follow the Security Rule when transmitting protected health information electronically (“e-PHI”). Essentially, the Security Rule requires providers to assess the risks to client confidentiality when utilizing videoconferencing, and then implement reasonable administrative, physical, and technical safeguards to protect against unauthorized access. The Security Rule aims to mitigate the risks of offering telehealth services, including an unauthorized third party intercepting or listening in on a videoconferencing session and unauthorized access to recorded videoconferencing sessions.

Because it is best practice to follow HIPAA guidelines when utilizing Telehealth platforms, the following administrative, physical and technical safeguards outlined by the Security Rule should be followed as closely as possible:

Administrative Safeguards for Videoconferencing
Administrative safeguards are administrative policies and procedures implemented by the covered entity to reduce risks of unauthorized access to e-PHI to a reasonable and appropriate level. Some examples of administrative safeguards include:

  • Changing passwords to device(s) regularly
  • Drafting and maintaining written internal policies on security measures; ensuring employees are aware
  • Requiring a Business Associate Agreement (“BAA”) with the videoconferencing platform
  • For covered entities who are employers, designating a security official who will be responsible for developing and implementing the practice’s security policies and procedures

Physical Safeguards for Videoconferencing
Physical safeguards are policies and procedures that protect the work station and the devices (such as computers, laptops, or mobile devices) which are used by the covered entity for videoconferencing. Some examples include:

  • Requiring locked office doors and requiring devices to be kept in a locked cabinet when provider/staff leaves for the day
  • Requiring a secured, confidential space while videoconferencing so that third parties cannot view the screen or hear the audio
  • Implementing policies on how and when videoconferencing sessions are recorded and the proper disposal of any recordings

Technical Safeguards for Videoconferencing
Technical safeguards are technical policies and procedures that allow only authorized persons to access e-PHI that is stored or transmitted electronically, and that guard against unauthorized access to confidential information while it is being transmitted over an electronic network. Some examples include:

  • Installing and regularly updating anti-malware software on the computer/mobile device
  • Downloading or installing regular security updates for your computer/mobile device
  • Setting complicated passwords on the computer/mobile device or videoconferencing platform
  • Conducting telehealth over a Virtual Private Network (VPN) connection, which encrypts data to and from the computer or mobile device so that it is not readable if intercepted on the public network; or using another form of secured network connection

Business Associate Agreements
HIPAA Rules require that a covered entity who utilizes a vendor to transmit or maintain protected health information, or who utilizes a vendor who has routine access to protected health information, must have a Business Associate Agreement (BAA) with each vendor. Because Telehealth vendors transmit confidential information, therapists should obtain a BAA from their Telehealth vendor. Many HIPAA compatible videoconferencing platforms will have a BAA available for the provider to review/sign. It is recommended that therapists review the BAA to ensure they are comfortable with the terms. For more information about BAAs and sample provisions, visit: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

Insurance Considerations when Using Telehealth
California state law requires that by 2021, insurance companies will reimburse for telehealth services as if they were provided face-to-face. Many insurance providers already meet this mandate, but many do not. Additionally, not all insurance plans are subject to CA law. Providers are encouraged to check with individual insurance companies about how to bill for these services. Verifying benefits is necessary to find out whether the patient’s plan is subject to CA law. For CPT codes to utilize for Telehealth care, visit: https://www.camft.org/Portals/0/PDFs/insurance/CPT-codes-2017.pdf?ver=2019-06-07-173530-830.

Telehealth / Videoconferencing Vendors
For therapists using Telehealth for the first time, finding the best Telehealth vendor can be intimidating. The following are a few videoconferencing platforms that offer HIPAA-compatible Telehealth services, including a BAA.

Disclosure: CAMFT has an affinity partnership with Simple Practice. CAMFT does not endorse or have a partnership with the other listed vendors.