Imagine a holistic nutritionist is on a telehealth call with a client. The client is describing unpleasant gastrointestinal symptoms related to a suspected food intolerance they are trying to diagnose.
Suddenly, the practitioner realizes a third person who shouldn’t be there is listening in on the call. She promptly removes the unauthorized visitor, but not before her client notices.
This scenario isn’t just embarrassing for the client, it’s risky for the nutritionist: an unauthorized person hearing a client’s health details is an impermissible disclosure under HIPAA (the Health Insurance Portability and Accountability Act). A HIPAA compliant telehealth platform that authenticates every participant and lets the host control who is admitted to a session would have prevented this disruptive situation in the first place.
The HIPAA Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards that protect the confidentiality, integrity, and availability of electronic protected health information (e-PHI). Violations can lead to severe penalties for both providers and their vendors, including civil monetary fines, corrective action plans, and legal action.
The above situation is fictional, but it demonstrates the real consequences for nutrition and wellness professionals who provide telehealth services that aren’t HIPAA compliant.
If you don’t know where to start evaluating telehealth software, don’t worry – this article outlines the features to look for and offers tips for navigating the HIPAA Rules when evaluating HIPAA compliant telehealth platforms.
There are a few non-negotiable features healthcare providers should insist on in their telehealth software:
1. End-to-end data encryption
Data transmitted over the platform – whether video, audio, or messaging – should be off-limits to unauthorized users. The platform should encrypt data in transit (i.e., traveling between users and servers) and data at rest (i.e., when it is stored on servers).
Widely vetted protocols such as TLS (Transport Layer Security) for data in transit and AES (Advanced Encryption Standard) with 256-bit keys for data at rest are the industry standard for preventing eavesdropping and unauthorized access. One caveat worth understanding when you read a vendor’s claims: TLS protects the connection between you and the vendor’s servers, and encryption at rest protects stored data, but in both cases the vendor holds the keys and can decrypt the content. True end-to-end encryption means only the participants in the session can decrypt the media. Ask a vendor which of these it actually provides, and for which features.
Practice Better is an example of a platform that encrypts data during transfer and at rest using the industry-standard TLS 1.2 and AES 256-bit encryption. It also encrypts backups and log data.
2. Access controls
Strong access controls prevent unauthorized users from viewing or tampering with PHI. Role-based access control (RBAC) ensures that each individual can access only the information necessary for their role (a scheduler does not need to read charts, for example), which limits the damage a compromised or misused account can do.
Anyone entering the platform should have a unique username and a strong password; shared logins make it impossible to tell who did what. Multi-factor authentication (MFA) adds a further layer by requiring two or more independent factors (something you know, something you have, something you are) before granting access to an account.
If you’ve ever had a one-time code texted to you that you needed to enter before gaining access to an account, that’s MFA in action. Codes delivered by SMS are the weakest common form, since phone numbers can be hijacked; an authenticator app or a hardware security key is preferable where the platform supports it.
3. Business Associate Agreement (BAA)
A Business Associate Agreement is a legal contract between you and any vendor that stores, transmits, or otherwise handles PHI on your behalf. It should be signed before any electronic PHI (e-PHI) is shared with the vendor; disclosing PHI to a vendor without a BAA in place is itself a HIPAA violation, regardless of how secure the software is. Practice Better customers can review and sign a BAA directly from their portal.
4. Secure messaging
Messaging tools should encrypt messages to protect the content of the conversation, and they should authenticate participants so you know a message is going to the client it is meant for. Sending a client’s treatment plan over ordinary, unencrypted email exposes it in transit and in every mailbox it passes through; an encrypted client portal lets you share notes and plans with clients without that exposure.
5. Audit trails and security audits
Comprehensive audit trails are essential in a HIPAA compliant telehealth platform. Audit logs record every action involving PHI, including who accessed the data, when, from where, and what they did with it (viewed, edited, exported, shared).
These logs are your primary tool for monitoring security and compliance, spotting misuse such as a staff member browsing records they have no reason to open, and reconstructing events if a security incident or breach occurs. Ask a vendor whether logs are protected from modification and how long they are retained.
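The access-control and audit-trail requirements above are two halves of one mechanism: every attempt to touch PHI is checked against the actor’s role, and the attempt is logged whether it succeeds or not. The following is an added example written for this article, not code from Practice Better or any other platform. It goes one step beyond what the text describes by chaining each log entry to the previous one with an HMAC, so that editing or deleting an entry after the fact is detectable. The role table, the `PHI_STORE` records, and the user names are constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Hypothetical role-to-permission table (least privilege: each role gets only what it needs).
PERMISSIONS = {
    "practitioner": {"read_chart", "write_chart", "read_schedule"},
    "front_desk": {"read_schedule"},
    "billing": {"read_invoice"},
}

# Constructed sample records standing in for a real PHI store.
PHI_STORE = {
    "chart:client-0042": "Suspected lactose intolerance; elimination diet started 2024-03-01.",
}

_ZERO = b"\x00" * 32   # chain anchor for the first entry


class AccessDenied(PermissionError):
    pass


class AuditLog:
    """Append-only, tamper-evident audit log (example implementation).

    Each entry's MAC covers the previous entry's MAC plus its own content,
    so modifying, reordering, or deleting an entry breaks every later MAC.
    The key would live in an HSM or secrets manager in a real deployment.
    """

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []
        self._prev = _ZERO

    @staticmethod
    def _canonical(entry: dict) -> bytes:
        body = {k: v for k, v in entry.items() if k != "mac"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def record(self, actor: str, action: str, resource: str, outcome: str, ts=None) -> dict:
        entry = {"ts": ts if ts is not None else time.time(), "actor": actor,
                 "action": action, "resource": resource, "outcome": outcome}
        mac = hmac.new(self._key, self._prev + self._canonical(entry), hashlib.sha256).digest()
        entry["mac"] = mac.hex()
        self.entries.append(entry)
        self._prev = mac
        return entry

    def verify(self):
        """Return None if the chain is intact, else the index of the first bad entry."""
        prev = _ZERO
        for i, entry in enumerate(self.entries):
            expected = hmac.new(self._key, prev + self._canonical(entry), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, bytes.fromhex(entry["mac"])):
                return i
            prev = expected
        return None


def access_phi(log: AuditLog, actor: str, role: str, action: str, resource: str, ts=None) -> str:
    """Enforce RBAC for one PHI access and log the attempt, allowed or denied."""
    allowed = action in PERMISSIONS.get(role, set()) and resource in PHI_STORE
    log.record(actor, action, resource, "allowed" if allowed else "denied", ts)
    if not allowed:
        raise AccessDenied(f"{actor} ({role}) may not {action} {resource}")
    return PHI_STORE[resource]


if __name__ == "__main__":
    log = AuditLog(key=b"example-only-key")        # placeholder key, not for real use
    access_phi(log, "dr.lee", "practitioner", "read_chart", "chart:client-0042")
    try:
        access_phi(log, "sam", "front_desk", "read_chart", "chart:client-0042")
    except AccessDenied as exc:
        print("denied:", exc)
    print("chain intact:", log.verify() is None)
    log.entries[1]["actor"] = "dr.lee"              # an insider rewriting history
    print("first tampered entry:", log.verify())   # 1
```

Denied attempts are logged deliberately: a front-desk account repeatedly trying to open charts is exactly the signal an investigation needs. Because each MAC also covers the previous one, removing the first entry makes the second fail verification, so silent deletion is caught as well as edits.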
Offering HIPAA compliant telehealth services isn’t just for medical practice management – it can help wellness pros grow their practices, too.
You should always weigh the pros and cons of any new service offering you add to your business, but here are some top-line advantages:
A telehealth platform is only as HIPAA compliant as the team using it.
1. Understand the basics. You need to understand your obligations under the HIPAA Rules, which were developed and implemented by the US Department of Health and Human Services (HHS) to govern the use and disclosure of PHI.
2. Identify PHI. Know what constitutes PHI in your telehealth practice. PHI includes names, addresses, medical records, and other personal identifiers. You need robust encryption and access controls in place to protect electronic PHI.
3. Get client consent. Ensure you obtain informed consent for telehealth services, including acknowledging potential privacy risks and the secure handling of each client’s PHI.
4. Train your people. If you work with staff or partners who have access to PHI, train them thoroughly on HIPAA compliance, including the proper handling of PHI, security protocols, and incident reporting. You can also develop HIPAA policies and procedures specific to your practice and make sure anyone handling PHI is aware of them.
5. Conduct a risk assessment. The Security Rule requires an accurate and thorough risk analysis of the threats to your e-PHI, and it is also the most practical way to find weaknesses in your telehealth setup before you go live. Encryption and secure file storage are must-haves, but there are other areas that are easy to overlook.
For example, if you conduct telehealth sessions without headphones in an environment where others could overhear, you may be unintentionally exposing PHI.
Or, if you run a group practice, every team member needs a unique account with a strong password and MFA; one weak or shared login leaves your whole platform open to unauthorized users.
6. Stay up to date. Tap into resources that keep you up to date on changes to HIPAA that may affect you. The Health Care Compliance Association offers multiple resources for staying in the know.
Note that there are also non-HIPAA guidelines around providing telemedicine. According to the HIPAA Journal, “no two states are identical in how they define and regulate telemedicine and some states may have laws that preempt HIPAA because they offer stronger privacy protections or greater patient rights.” So make sure you’re aware of the specific rules about the state where you practice.
The Centers for Disease Control and Prevention (CDC) reported a 154% increase in telehealth visits during the last week of March 2020 compared with the same week in 2019. While the COVID-19 pandemic was the adoption accelerant, the practicality of telehealth has endured.
For example, healthcare providers who offer telehealth service can conduct remote consultations with patients who have COVID-19 symptoms or need advice. It’s also an effective tool for monitoring and follow-up while sick people are quarantining.
Clients with chronic health conditions at a higher risk of severe COVID-19 might also prefer ongoing telehealth appointments over sitting in a crowded waiting room, particularly when cases are surging.
Telehealth was also instrumental in allowing behavioral health providers to offer mental health services to individuals experiencing pandemic-related stress, anxiety, and depression. Behavioral health providers found they could easily conduct virtual sessions to provide continuity to their clients through COVID-19 lockdowns. And it seems many of them liked the experience.
An American Psychological Association survey found that 96% of psychologists agreed or strongly agreed that the use of telehealth during the pandemic has proven its worth as a therapeutic tool, and 93% agreed or strongly agreed that they intend to continue providing telehealth as an option in their practice.
There are a few ways you can ensure PHI doesn’t get into the wrong hands when you’re offering telehealth sessions:
If you’re unsure how to properly dispose of PHI, consult HIPAA compliance experts. It can increase confidence that your practices are in full compliance with current HIPAA regulations and any state-specific requirements.
Around 25% of patients used telehealth last year and that number is expected to keep rising. However, one potential growth inhibitor of telehealth capabilities is reimbursement.
CMS announced new codes for telehealth home services effective January 2023, but more are needed to increase widespread adoption of telehealth by covered healthcare providers. The AMA is also fighting to fix restrictions on telehealth coverage and payment because they believe it’s critical to the future of healthcare.
Telehealth platforms that keep pace with evolving HIPAA guidelines and continue to strengthen their protection of PHI will be well poised to support practitioners’ increasing adoption of telehealth.
For example, Practice Better is a fully HIPAA compliant practice management software. Built-in telehealth capabilities are fully integrated with a full suite of features, including charting, scheduling, protocols, and billing. Here are a few telehealth features of note:
You wouldn’t want a stranger listening in on your private health conversations. Your clients don’t either. HIPAA exists to protect their PHI from being exposed.
A HIPAA compliant practice management platform, like Practice Better, with telehealth capabilities built-in will help you safeguard client privacy no matter how you interact with them. See all the ways Practice Better prioritizes privacy and security.
Still have questions? Check out the health and wellness pro’s guide to understanding HIPAA compliance.
Zoom can be used in a HIPAA compliant way as long as the covered healthcare provider enters into a BAA with Zoom before using the platform for PHI.
According to the HIPAA Journal, “Google Meet is HIPAA compliant subject to certain conditions being met. These conditions include that a Business Associate Addendum is in place with Google, that the service is configured correctly, and that Google Meet is used in a HIPAA-compliant manner.”
Face ID can be part of a HIPAA compliant setup when implemented and used appropriately; on its own it is only a way of unlocking a device or app, not a substitute for the platform’s own safeguards.
It should be used alongside strong encryption, access controls, data protection measures, and proper training and policies.
The free consumer version of Skype is not HIPAA compliant. Skype for Business could be used in a HIPAA compliant way if the Enterprise E3 or E5 package was purchased and the automatic log-off feature was enabled (note that Microsoft has since retired Skype for Business Online in favor of Teams, so check the current product before relying on this).
Yes, Doxy.me is HIPAA compliant.
Practice Better is the complete practice management platform for nutritionists, dietitians, and wellness professionals. Streamline your practice and begin your free trial today.
Try any paid plan free.