October 27, 2023

Top Features of a HIPAA Compliant Telehealth Platform in 2023

Imagine a holistic nutritionist is on a telehealth call with a client. The client is describing unpleasant gastrointestinal symptoms related to a suspected food intolerance they are trying to diagnose.

Suddenly, the practitioner realizes a third person who shouldn’t be there is listening in on the call. She promptly removes the unauthorized visitor, but not before her client notices.

This scenario isn’t just embarrassing for the client; it’s risky for the nutritionist because it violates HIPAA (Health Insurance Portability and Accountability Act) regulations. If the nutritionist had been using a HIPAA compliant telehealth platform, she would have avoided this embarrassing and disruptive situation.

The Security Rule under HIPAA requires the implementation of safeguards to protect the confidentiality, integrity, and availability of protected health information, also known as PHI. Violations can lead to severe penalties for covered healthcare providers, including fines and legal action.

The above situation is fictional, but it demonstrates the real consequences for nutrition and wellness professionals who provide telehealth services that aren’t HIPAA compliant.

If you don’t know where to start evaluating telehealth software, don’t worry – this article outlines the features to look for and offers tips for navigating the HIPAA Rules when evaluating HIPAA compliant telehealth platforms.

Key Takeaways

  • HIPAA compliant telehealth platforms should include end-to-end encryption, access controls, secure messaging, and a Business Associate Agreement (BAA).
  • Offering appointments through a HIPAA compliant telehealth platform can help you grow your practice.
  • The future of telehealth is strong – 25% of patients used the tech last year to communicate with healthcare providers and that number is expected to keep rising.

Essential Features of HIPAA Compliant Telehealth Platforms


There are a few non-negotiable features healthcare providers should insist on in their telehealth software:

1. End-to-end data encryption

Data transmitted over the platform – whether video, audio, or messaging – should be off-limits to unauthorized users. The platform should encrypt both data in transit (i.e., traveling between users and servers) and data at rest (i.e., when it’s stored on servers).

Robust, widely vetted standards like TLS (Transport Layer Security) for data in transit and AES-256 (the Advanced Encryption Standard with 256-bit keys) for data at rest are considered the industry gold standard for preventing unauthorized access or eavesdropping during telehealth sessions.

Practice Better is an example of a platform that encrypts data during transfer and at rest using the industry-standard TLS 1.2 and AES 256-bit encryption. It also encrypts backups and log data.

2. Access controls

Strong access controls prevent unauthorized users from viewing or tampering with PHI. Role-based access control (RBAC) also ensures that individuals can only access the information necessary for their roles, reducing the risk of unauthorized access.

Anyone entering the platform should have a unique username and strong password. Multi-factor authentication (MFA) adds an extra layer of security by requiring users to present two or more independent factors (for example, something they know plus something they have) before gaining access to an account or system.

If you’ve ever had a unique code texted to you that you need to enter before gaining access to an account, that’s MFA in action.

3. Business Associate Agreement (BAA)

A Business Associate Agreement is a legal contract you have with a software provider. You should sign it before any electronic PHI (e-PHI) is transmitted. Failing to sign a BAA is considered a HIPAA violation. Fortunately, Practice Better customers can easily review and sign a BAA directly from their portal.

4. Secure messaging

Messaging tools should encrypt messages to protect the content of the conversation. They may include user authentication and identity verification features to ensure that participants are legitimate. Sending a client’s treatment plan over email, for example, is not HIPAA compliant, but an encrypted client portal can allow you to share notes securely with clients.

5. Risk assessments and security audits

Having comprehensive audit trails is essential in a HIPAA compliant telehealth platform. Audit logs record all actions and interactions involving PHI, including who accessed the data, when, and what they did with it.

These logs serve as a valuable tool for monitoring security and compliance and conducting investigations in the event of a security incident or breach.
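The two features above, role-based access control and a tamper-evident audit trail, fit together naturally: every attempt to touch PHI is checked against a role policy and then recorded, whether it was allowed or not. The following is an added illustration written for this article, not code from Practice Better or any other platform; the roles, actions and record identifiers are invented for the example. Each log entry carries the hash of the previous entry, so an investigator can detect if an entry was altered or deleted after the fact.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Role-based access policy (assumed roles and actions for this example):
# each role may perform only the actions its job requires.
RBAC_POLICY = {
    "practitioner": {"view_record", "edit_record", "send_message"},
    "billing": {"view_invoice"},
    "client": {"view_own_record", "send_message"},
}

AUDIT_LOG = []  # append-only; a real deployment persists this off-box


def _entry_hash(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding so hashing is reproducible."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def record_event(user, role, action, record_id, allowed, when=None) -> dict:
    """Append who/when/what to the log, chained to the previous entry's hash."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = {
        "ts": when or datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "record": record_id, "allowed": allowed, "prev": prev,
    }
    entry["hash"] = _entry_hash(entry)  # hash covers every field above
    AUDIT_LOG.append(entry)
    return entry


def access_phi(user, role, action, record_id, when=None) -> bool:
    """Enforce the role policy; log denied attempts as well as granted ones."""
    allowed = action in RBAC_POLICY.get(role, set())
    record_event(user, role, action, record_id, allowed, when)
    return allowed


def verify_log(log) -> bool:
    """Walk the chain; any edited, reordered or removed entry breaks it."""
    prev = "0" * 64
    for entry in log:
        if entry["prev"] != prev:
            return False
        body = {k: v for k, v in entry.items() if k != "hash"}
        if not hmac.compare_digest(_entry_hash(body), entry["hash"]):
            return False
        prev = entry["hash"]
    return True
```

A denied attempt (a billing user trying to open a clinical record) is written to the log just like a successful one, which is exactly the evidence an incident investigation needs.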

Benefits of Using HIPAA Compliant Telehealth Services

Offering HIPAA compliant telehealth services isn’t just for medical practice management – it can help wellness pros grow their practices, too.

You should always weigh the pros and cons of any new service offering you add to your business, but here are some top-line advantages:

  • Offering telehealth services frees you to serve clients across a wider geographical area. Be mindful of state licensing requirements, insurance rules, and tax regulations to avoid regulatory issues.
  • Sometimes clients might prefer to check in with you remotely by telehealth. For example, a new client might prefer to do the initial consultation face-to-face, but a remote appointment might do the trick when it comes to their two-month check-in.
  • If your client base is overwhelmingly keen on telehealth, you could eliminate the need for a physical office, saving big on overhead costs like rent, furniture, and utilities.

Navigating Telehealth HIPAA Compliance for Healthcare Providers

A telehealth platform is only as HIPAA compliant as the team using it.

1. Understand the basics. You need to understand your obligations under the HIPAA Rules, which were developed and implemented by the US Department of Health and Human Services (HHS) to govern the use and disclosure of PHI.

2. Identify PHI. Know what constitutes PHI in your telehealth practice. PHI includes names, addresses, medical records, and other personal identifiers. You need robust encryption and access controls in place to protect electronic PHI.

3. Get client consent. Ensure you obtain informed consent for telehealth services, including acknowledging potential privacy risks and the secure handling of each client’s PHI.

4. Train your people. If you work with staff or partners who have access to PHI, train them thoroughly on HIPAA compliance, including the proper handling of PHI, security protocols, and incident reporting. You can also develop HIPAA policies and procedures specific to your practice and make sure anyone handling PHI is aware of them.

5. Conduct a risk assessment. A great way to reduce risk is to identify potential vulnerabilities in your telehealth setup before you get started. Strong encryption and file storage are must-haves, but you may be overlooking other areas.

For example, if you are conducting telehealth sessions without using headphones in an environment where others could overhear, then you could be unintentionally exposing PHI.

Likewise, if you run a group practice, every member of your team needs to use strong passwords; otherwise they could be leaving your platform open to access by unauthorized users.

6. Stay up to date. Tap into resources that keep you up to date on changes to HIPAA that may affect you. The Health Care Compliance Association offers multiple resources for staying in the know.

Note that there are also non-HIPAA guidelines around providing telemedicine. According to the HIPAA Journal, “no two states are identical in how they define and regulate telemedicine and some states may have laws that preempt HIPAA because they offer stronger privacy protections or greater patient rights.” So make sure you’re aware of the specific rules about the state where you practice.

The Role of Telehealth in Addressing Health Conditions Related to COVID-19


The Centers for Disease Control (CDC) reported a 154% increase in telehealth service during the last week of March 2020 when compared to the previous March. While the COVID-19 pandemic was the adoption accelerant, the practicality of telehealth has endured.

For example, healthcare providers who offer telehealth service can conduct remote consultations with patients who have COVID-19 symptoms or need advice. It’s also an effective tool for monitoring and follow-up while sick people are quarantining.

Clients with chronic health conditions at a higher risk of severe COVID-19 might also prefer ongoing telehealth appointments over sitting in a crowded waiting room, particularly when cases are surging.

Telehealth was also instrumental in allowing behavioral health providers to offer mental health services to individuals experiencing pandemic-related stress, anxiety, and depression. Behavioral health providers found they could easily conduct virtual sessions to provide continuity to their clients through COVID-19 lockdowns. And it seems many of them liked the experience.

An American Psychological Association survey found that 96% of psychologists agreed or strongly agreed that the use of telehealth during the pandemic has proven its worth as a therapeutic tool, and 93% agreed or strongly agreed that they intend to continue providing telehealth as an option in their practice.

How to Ensure Proper Disposal of Protected Health Information in Telehealth

There are a few ways you can ensure PHI doesn’t get into the wrong hands when you’re offering telehealth sessions:

  • If you have physical documents containing PHI, such as printed telehealth session notes, appointment schedules, or consent forms, shred them using a cross-cut shredder before disposal in a secure trash container.
  • For e-PHI, use secure deletion methods like overwriting, or degaussing for magnetic media (which destroys data by removing the magnetism that stores it).
  • Keep thorough records of your disposal practices, including dates and methods used. This helps to show your commitment to HIPAA compliance if you get audited in the future.
  • Your telehealth platform provider should outline their procedures for proper disposal in your signed BAA.
  • If you work with partners or staff, make sure they’re trained on the disposal of PHI. Everyone associated with your practice should understand the importance of securely deleting or destroying PHI.

If you’re unsure how to properly dispose of PHI, consult HIPAA compliance experts. It can increase confidence that your practices are in full compliance with current HIPAA regulations and any state-specific requirements.

The Future of Care with HIPAA Compliant Telehealth Platforms


Around 25% of patients used telehealth last year and that number is expected to keep rising. However, one potential growth inhibitor of telehealth capabilities is reimbursement.

CMS announced new codes for telehealth home services effective January 2023, but more are needed to increase widespread adoption of telehealth by covered healthcare providers. The AMA is also fighting to fix restrictions on telehealth coverage and payment because they believe it’s critical to the future of healthcare.

Telehealth platforms that keep pace with evolving HIPAA guidelines and continue to strengthen their protection of PHI will be well poised to support practitioners’ increasing adoption of telehealth.

For example, Practice Better is a fully HIPAA compliant practice management software. Built-in telehealth capabilities are fully integrated with a full suite of features, including charting, scheduling, protocols, and billing. Here are a few telehealth features of note:

  • Start appointments with one click on any computer or laptop, Android or iOS device – no extra downloads required for clients.
  • Share your screen during a session and use the Client Hub to view information and take notes during a call.
  • View client history during sessions so you can consult with confidence.
  • Access past notes and create new notes while in session.
  • Type in the chat field to communicate with your clients in real-time on calls.

HIPAA Compliant Telehealth Platforms Keep You Safe and Secure

You wouldn’t want a stranger listening in on your private health conversations. Your clients don’t either. HIPAA exists to protect their PHI from being exposed.

A HIPAA compliant practice management platform, like Practice Better, with telehealth capabilities built-in will help you safeguard client privacy no matter how you interact with them. See all the ways Practice Better prioritizes privacy and security.

Still have questions? Check out the health and wellness pro’s guide to understanding HIPAA compliance.

Frequently Asked Questions

Is Zoom telehealth HIPAA compliant?


It can be compliant as long as HIPAA-covered healthcare providers enter into a BAA with Zoom before using the platform.

Is Google Meet HIPAA compliant?

According to the HIPAA Journal, “Google Meet is HIPAA compliant subject to certain conditions being met. These conditions include that a Business Associate Addendum is in place with Google, that the service is configured correctly, and that Google Meet is used in a HIPAA-compliant manner.”

Is Face ID HIPAA compliant?

Face ID can be considered HIPAA compliant when implemented and used appropriately.

It should be used alongside strong encryption, access controls, data protection measures, and proper training and policies.

Is Skype HIPAA compliant?

The free version of Skype is not HIPAA compliant. Skype for Business can be HIPAA compliant if the Enterprise E3 or E5 package is purchased and the automatic log-off feature is enabled.

Is Doxy.me HIPAA compliant?


Yes, Doxy.me is HIPAA compliant.
