The HIPAA guidelines on telemedicine are relevant for all medical professional or healthcare groups that provide a remote service to patients in their homes or in community centers. Many people wrongly think that communicating ePHI at distance is allowable when the communication is directly between physician and patient – and this would be what the HIPAA Privacy Rule would suggest.
However, the medium of communication that is used for sending ePHI at distance is also important if medical workers and healthcare groups want to comply with the HIPAA guidelines on telemedicine. This element of the HIPAA guidelines on telemedicine is referred to within the HIPAA Security Rule and says:
- Only authorized users should be able to access to ePHI.
- A system of safe communication should be put in place to safeguard the integrity of ePHI.
- A system of reviewing communications containing ePHI should be put in place to prevent accidental or malicious breaches.
The first bullet point is fine if physicians use “reasonable and appropriate safeguards” to stop ePHI being shared to any unauthorized parties. However, the second bullet point means that unsecure channels of communication such as SMS, Skype, and email should not be used for sending ePHI at distance.
Lastly, according to the HIPAA guidelines on telemedicine, any way of communicating ePHI at distance must have mechanisms in place so communications can be rewiewed and remotely deleted if necessary. The second and third bullet points also relate to ePHI that is maintained – a problem we will address in the next section.
Why You Should Not Implement SMS, Skype or Email for Telemedicine
When ePHI created by a medical worker or a healthcare group (covered entity) is stored by a third party, the covered entity must have a Business Associate Agreement (BAA) with the party storing the data. This BAA must include methods used by the third party to ensure the security of the data and provisions for regular auditing of the data’s security.
As duplicates of communications sent by SMS, Skype or email remain on the service providers´ servers, and include individually identifiable healthcare information, it would be necessary for the covered entity to have a BAA with (for example) Verizon, Skype or Google in order to be compliant with the HIPAA guidelines on telemedicine.
As (for instance) Verizon, Skype and Google will not enter into BAAs with covered entities for these services, the covered entity is responsible for any fines or civil action should a breach of ePHI occur due to the third party’s lack of HIPAA-compliant security measures. The covered entity would also likely do not pass any HIPAA audit they are subject to for failing to conduct a suitable risk assessment – which might also impact the receipt of payments under the Meaningful Use incentive scheme.
HIPAA Compliant Telehealth
There are some solutions available for physicians who want to provide a HIPAA compliant telehealth service for patients, but these are usually both complicated and expensive. For instance, Microsoft will offer physicians a Business Associate Agreement if they want to implement the HIPAA-compliant Skype for Business video service. However, in order to take advantage of this chance, each patient must also have an Office365 account connected to the cloud-based Skype for Business service.
The cost of implementing the service (up to $35.00 per user per month) may deter some patients from wishing to use a HIPAA compliant telehealth service; and, although cheaper options exist, they generally tend to be of too poor a quality for physicians to accurate diagnose patients´ complaints. Additionally, if patients have other applications running in the background, these may exhaust their bandwidth and make the service unusable.
Best Solutions for Communicating ePHI at Distance
Many healthcare groups have elected to use a secure messaging solution to adhere with the HIPAA guidelines on telemedicine. Secure messaging solutions provide the same speed and convenience as SMS, Skype or email, but adhere with the Security Rule in respect of only allowing authorized users to have access to ePHI, using a secure channel of communication, and reviewing activity on the secure channel of communication.
These solutions for sending ePHI at distance work via easy-to-operate apps that most healthcare workers will be familiar with, as they have a similar interface to commercially available messaging apps. Each authorized user logs into their app using a centrally-issued username and password. They can then communicate with other authorized users within the covered entity’s private communications network.
All communications – including images, videos and documents – are encrypted to make them unreadable and unusable if a message is captured over a public Wi-Fi service, and safeguards exist to prevent ePHI from being sent outside of a covered entity’s private network – either accidentally or maliciously. All activity on the network is reviewed by a cloud-based platform to ensure secure messages policies (also part of the HIPAA Security Rule) are adhered to.
Communicating with Patients Using Secure Messaging
In order to communicate with patients, medical workers and healthcare groups have the option of either authorizing the patient to have temporary access to the network via a secure messaging app, or a secure temporary browser session can be sorted using the same platform. In many instances, medical workers and healthcare organizations have integrated a secure messaging solution into the EHR to eliminate time-consuming patient updates.
This has also been the case when patients have used a community medical center or received visits at home from a community nurse. Staff at the medical centers and community nurses can use the secure messaging apps to share critical patient data and escalate patient concerns safely – subject to the guidelines of the HIPAA Privacy Rule being complied to. Both when communicating with patients using secure messaging and when communicating between medical workers, secure messaging solutions have the following advantages:
- Medical workers in the community can send and receive ePHI on the go using secure messaging.
- Images can be included in secure messages, which can then be shared to accelerate diagnoses and the administration of treatment.
- Secure messaging can also be used to quicken emergency admissions and patient discharges – cutting wait times and streamlining the administrative process.
- Automatically produced delivery notifications and read receipts cut phone tag and increase message accountability.
- Access reports make risk management analyses much simpler while, when integrated with an EHR, secure messaging also enables healthcare organizations to meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.
Sending ePHI at distance with secure messaging ensures that messages are communicated to the proper recipient, cuts the amount of time that is wasted between sending a message and receiving a reply, and safeguards the integrity of ePHI in compliance with the HIPAA guidelines on telemedicine.
Conclusion: HIPAA Guidelines on Telemedicine
Secure messaging solutions were first created to facilitate messaging in compliance with HIPAA, but many of the features of secure messaging have lead to benefits that have enhanced the workflows of healthcare workers, reduced costs in medical facilities and increased the standard of healthcare received by patients.
Many healthcare groups have been pleasantly surprised at the simplicity with which the HIPAA guidelines on telemedicine can be complied with, and even more pleasantly shocked at the cost – with there being no need to spend funds on expensive hardware or complicated software, or drain the organization’s IT resources.
The HIPAA guidelines on telemedicine make it quite obvious what measures should be brought in to safeguard the integrity of ePHI. With there being significant advantages to putting in place a secure messaging solution, it is only a question of time before all covered groups providing a telemedicine service are communicating ePHI at distance via secure messaging.