How to Keep Your Telemedicine Platform HIPAA Compliant
eHealth rules for the Covid generation

Telemedicine and the technologies that provide the service delivery have swiftly become the essential, everyday apparatus keeping the US healthcare system afloat in 2020. Patients have adapted well to the rapid switch to teleconferencing appointments and assessments with their general practitioner.

HIPAA compliance is difficult to achieve under normal circumstances but during a global pandemic, healthcare institutions have faced an uphill struggle. As hospitals, practices, and clinics closed, a seismic shift towards telemedicine was embarked upon. For many healthcare entities, this was something completely new, for others it was a simple change of routine.

Keeping telemedicine HIPAA compliant when many medical teams are being asked to work from home is a huge undertaking. However, rules are rules and the safeguards implemented to uphold protected health information are compulsory, and this includes telemedicine.

HIPAA compliance is an ongoing process, governed by evolving legislation that, under normal operating conditions, enforces many core mandatory and recommended safeguards upon telemedicine services. Some of the principal safeguards are:

  1. Risk Assessment - This mandatory prerequisite is implemented to ensure the compliance of telemedicine applications. Regular reviews must be conducted on existing solutions, and a top-to-bottom review must be completed when onboarding a new telemedicine provider.
  2. Access Controls - Reputable telehealth platforms implement multi-layered, per-user access: everyone has an individual account, and meetings are password protected and not open to the public.
  3. Authentication - The telemedicine app must only authenticate against the covered entity's domain and its authorized users.
  4. Auditing - Telehealth software must create detailed logs and enable auditing of user logins and meeting connections.
  5. Business Associate Agreement - A signed BAA must be completed between the healthcare organization and the telemedicine provider. The BAA outlines the responsibilities of all parties involved.
  6. Data Integrity - Digitally signed applications are required for authenticity, to ensure that data transmission is protected and PHI cannot be altered.
  7. End-to-end encryption - AES encryption, despite not being mandatory, is often implemented to protect all audio, video, file, and screen-sharing data. This protects the integrity of PHI and ensures that data is not modified.
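As an added illustration of safeguards 2, 3 and 4 above (this is example code written for this page, not code from the article or from Atlantic.Net), the following Python script reviews a handful of constructed telemedicine audit-log records and flags the conditions those safeguards forbid: a successful login from an account outside the covered entity's domain, a meeting created without password protection or open to the public, and joins for which no creation record was logged. The JSON-lines log format, the field names, and the `clinic.example` domain are all assumptions made for the example.

```python
"""Audit-log review for a telemedicine platform (added example, not from the article).

Checks three of the safeguards listed above against constructed log events:
  - Authentication: only accounts in the covered entity's domain(s) may log in.
  - Access controls: every meeting must be password protected and not public.
  - Auditing: every login and meeting connection is retained and reviewable.
The log format and field names are assumptions made for this example.
"""
import json
from collections import Counter

# Covered entity's domain(s); an assumption for this example.
ALLOWED_DOMAINS = {"clinic.example"}

# Constructed sample events, one JSON object per line (assumed format).
# The final line is deliberately malformed to show that the review tolerates it.
SAMPLE_LOG = """\
{"ts": "2020-04-01T09:00:00Z", "event": "login", "user": "dr.lee@clinic.example", "result": "success", "src_ip": "203.0.113.10"}
{"ts": "2020-04-01T09:01:00Z", "event": "login", "user": "nurse.kim@clinic.example", "result": "failure", "src_ip": "203.0.113.11"}
{"ts": "2020-04-01T09:02:00Z", "event": "login", "user": "someone@gmail.example", "result": "success", "src_ip": "198.51.100.5"}
{"ts": "2020-04-01T09:05:00Z", "event": "meeting_created", "meeting_id": "m-100", "host": "dr.lee@clinic.example", "password_protected": true, "public": false}
{"ts": "2020-04-01T09:06:00Z", "event": "meeting_created", "meeting_id": "m-101", "host": "dr.lee@clinic.example", "password_protected": false, "public": true}
{"ts": "2020-04-01T09:10:00Z", "event": "meeting_join", "meeting_id": "m-100", "user": "patient-7731", "src_ip": "192.0.2.44"}
{"ts": "2020-04-01T09:11:00Z", "event": "meeting_join", "meeting_id": "m-101", "user": "anonymous", "src_ip": "192.0.2.99"}
this line is not json and must not crash the review
"""


def parse_events(text):
    """Parse JSON-lines audit records; malformed lines are counted, not fatal."""
    events, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            bad += 1
    return events, bad


def user_domain(user):
    """Return the lower-cased domain part of an e-mail style account name."""
    return user.rsplit("@", 1)[1].lower() if "@" in user else None


def review(events, allowed_domains=ALLOWED_DOMAINS):
    """Return findings keyed by safeguard: lists of messages plus an event tally."""
    findings = {"authentication": [], "access_controls": [], "auditing": Counter()}
    meeting_policy = {}  # meeting_id -> creation record, so joins can be judged
    for e in events:
        kind = e.get("event")
        findings["auditing"][kind] += 1  # the audit trail itself: what was logged
        if kind == "login":
            # Safeguard 3: successful logins must belong to the covered entity's domain.
            if e.get("result") == "success" and user_domain(e.get("user", "")) not in allowed_domains:
                findings["authentication"].append(
                    f"{e['ts']} successful login from outside the covered entity's domain: "
                    f"{e['user']} ({e['src_ip']})")
        elif kind == "meeting_created":
            meeting_policy[e["meeting_id"]] = e
            # Safeguard 2: meetings must be password protected and not public.
            if not e.get("password_protected") or e.get("public"):
                findings["access_controls"].append(
                    f"{e['ts']} meeting {e['meeting_id']} created without password protection "
                    f"or open to the public (host {e['host']})")
        elif kind == "meeting_join":
            m = meeting_policy.get(e["meeting_id"])
            if m is None:
                # Safeguard 4: a join with no creation record is a gap in the audit trail.
                findings["auditing"]["join_without_creation_record"] += 1
            elif m.get("public"):
                findings["access_controls"].append(
                    f"{e['ts']} join to public meeting {e['meeting_id']} by {e['user']} ({e['src_ip']})")
    return findings


if __name__ == "__main__":
    evts, malformed = parse_events(SAMPLE_LOG)
    result = review(evts)
    print(f"parsed {len(evts)} events, {malformed} malformed line(s) skipped")
    for area in ("authentication", "access_controls"):
        for msg in result[area]:
            print(f"[{area}] {msg}")
    print("event tally:", dict(result["auditing"]))
```

Run against a platform's real export, the same review would be fed the exported records instead of `SAMPLE_LOG`; the point of keeping the creation record per meeting is that a join can only be judged against the access policy that was in force when the meeting was created, which is exactly what the auditing safeguard exists to make reviewable.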

Naturally, we have only scratched the surface of the HIPAA compliant safeguards needed to protect a telemedicine platform. There are many other physical, technical, and administrative layers incorporated into these requirements. One of the easiest ways to strengthen compliance is to outsource infrastructure to a HIPAA compliant hosting provider. That way the infrastructure is already protected to HIPAA best practice by default.

During the early stages of the COVID-19 pandemic, the enforcement of these safeguards was relaxed to help struggling healthcare entities. There is no doubt that allowing healthcare organizations to use off-the-shelf video conferencing technology greatly benefited patients, and propelled telemedicine as a credible everyday healthcare solution.

This significant change was announced on 17 March 2020, when the Office for Civil Rights (OCR) released a statement advising that “enforcement discretion and waiving penalties for HIPAA violations” were being introduced.

Medical professionals were for the first time authorized to use third-party tools for telemedicine appointments, products such as Let's Talk, Apple FaceTime, Facebook Messenger, Google Hangouts, Zoom, or Skype.

There were some exceptions to this relaxed enforcement. Tools such as TikTok, Snapchat, and Facebook Messenger were excluded, but the change enabled telemedicine services to be provisioned without the risk of the OCR imposing penalties for using a non-compliant provider.


About the Author


This article is written by Richard Bailey and sponsored by Atlantic.Net, a provider of HIPAA Compliant Hosting.
