HIPAA Rules for Telehealth Once Again in Effect

Abstract

HIPAA compliance is about more than just technology—it also means having physical (environmental) and process security measures in place. A business associate agreement with a vendor may be necessary to ensure compliance with HIPAA.

Telehealth rules under the Health Insurance Portability and Accountability Act (HIPAA) that were relaxed during the Public Health Emergency went back into effect on August 9.


Shabana Khan, M.D., chair of the APA Committee on Telepsychiatry, said health care professionals practicing telehealth must comply with HIPAA’s Security Rule and cannot use standard video technologies such as Zoom, Skype, or Facebook to meet with patients. They need to pay attention to state rules about HIPAA compliance as well as the requirements of their institution, organization, or practice.

HIPAA, which was signed into law in 1996 by President Bill Clinton, sets national standards for health information protections. The U.S. Department of Health and Human Services (HHS) established these standards to ensure that protected health information (PHI) processed and used by “covered entities” is kept private and secure. The HHS Office for Civil Rights is responsible for implementing and enforcing these rules. HIPAA requirements cover a broad range of patient data and information, including making an appointment, conducting the appointment, and billing the patient’s insurance.

HIPAA encompasses two major rules: the Privacy Rule and the Security Rule. The Privacy Rule protects all identifiable data of an individual patient; the Security Rule, a subset of the Privacy Rule, protects information that a covered entity creates, receives, maintains, or transmits in electronic form.

So what does it mean to be HIPAA compliant when providing telehealth services? Importantly, it’s not just about technology. It also means having physical (environmental) and process security measures in place to ensure that only those who are supposed to have access to patients’ information are able to get it.

“Environmental privacy best practices include clinicians connecting from a private space and letting patients know if there are others in the room with them—for instance, a nurse or medical student who may be off screen,” Khan said. “Clinicians should also provide guidance to their patients on the importance of connecting to telehealth visits from a private space and avoiding public or semi-public settings. Clinicians can also ask patients if there is anyone in the room with them at the start of the visit. This demonstrates to patients that their telehealth clinician values protecting their health information.”

Technology features that can help a HIPAA-covered entity meet compliance requirements include the following:

  • Fully encrypted data transmission.

  • Additional authentication and security through required passwords.

  • Secure point-to-point connection.

  • Private high-speed network.

  • Administrative, physical, and technical safeguards for electronic protected health information.

  • Audit controls.

  • Breach notification.

John Torous, M.D., chair of the APA Committee on Mental Health IT, said psychiatrists must use vendors of telehealth technology who can assure HIPAA compliance and have a signed business associate agreement (BAA).

“Often you can use the same product (such as Zoom) without a BAA, but to make it HIPAA compliant, a psychiatrist needs to use the version of Zoom that requires the signature of a BAA,” he wrote in an email. “Regardless of the technology, being HIPAA compliant means the psychiatrist still has to offer reasonable physical safeguards (such as keeping computer passwords secure) and have process safeguards in place too (restricting access to patient files, creating plans for appropriate use of data).”