HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HIPAA Guidelines on Telemedicine

HIPAA Guidelines on Telemedicine

Communicating ePHI at Distance

The HIPAA guidelines on telemedicine affect any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centers. Many people mistakenly believe that communicating ePHI at distance is acceptable when the communication is directly between physician and patient – and this would be what the HIPAA Privacy Rule implies.

However, the channel of communication used for communicating ePHI at distance also has to be HIPAA-compliant if medical professionals and healthcare organizations want to comply with the HIPAA guidelines on telemedicine. This element of the HIPAA guidelines on telemedicine is contained within the HIPAA Security Rule and stipulates:

  • Only authorized users should have access to ePHI.
  • A system of secure communication should be implemented to protect the integrity of ePHI.
  • A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

The first bullet point is fine provided physicians use “reasonable and appropriate safeguards” to prevent ePHI being disclosed to any unauthorized parties. However, the second bullet point means that unsecure channels of communication such as SMS, Skype, and email should not be used for communicating ePHI at distance.

Finally, according to the HIPAA guidelines on telemedicine, any system of communicating ePHI at distance must have mechanisms in place so communications can be monitored and remotely deleted if necessary. The system should also have automatic log-off capabilities if the system is not used for a period of time. The second and third bullet points also relate to ePHI that is stored – an issue we will address in the next section.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Why You Should Not Use SMS, Skype or Email for Telemedicine

When ePHI created by a medical professional or a healthcare organization (covered entity) is stored by a third party, the covered entity is required to have a Business Associate Agreement (BAA) with the third party storing the data. This BAA must include methods used by the third party to ensure the protection of the data and provisions for regular auditing of the data’s security.

As copies of communications sent by SMS, Skype or email remain on service providers´ servers, and contain individually identifiable health information, it would be necessary for the covered entity to have a BAA with (for example) Verizon, Skype, or Google in order to be compliant with the HIPAA guidelines on telemedicine.

As (for example) Verizon, Skype, and Google will not enter into BAAs with covered entities for these services, the covered entity is liable for any fines or civil action should an unauthorized disclosure of ePHI occur due to the third party´s lack of HIPAA-compliant security measures. The covered entity would also likely fail any HIPAA audit for failing to conduct a suitable risk assessment – which might also affect the receipt of payments under the Promoting Interoperability incentive scheme.

HIPAA Compliant Telehealth

There are some options for physicians who want to provide a HIPAA compliant telehealth service for patients, but these tend to be both complicated and expensive. For example, Microsoft will offer physicians a Business Associate Agreement if they want to use the HIPAA-compliant Skype for Business video service. However, in order to take advantage of this opportunity, each patient must also have an Office365 account linked to the cloud-based Skype for Business service.

The cost of using the service (up to $35.00 per user per month) may deter some patients from wishing to use a HIPAA compliant telehealth service; and, although cheaper options exist, they generally tend to be of insufficient quality for physicians to accurate diagnose patients´ complaints. Furthermore, if patients have other applications running in the background, these may exhaust their bandwidth and make the service unusable.

Better Solutions for Communicating ePHI at Distance

Many healthcare organizations have elected to use a secure messaging solution to comply with the HIPAA guidelines on telemedicine. Secure messaging solutions offer the same speed and convenience as SMS, Skype or email, but comply with the Security Rule in respect of only allowing authorized users to have access to ePHI, implementing a secure channel of communication, and monitoring activity on the secure channel of communication.

These solutions for communicating ePHI at distance work via easy-to-operate apps that most healthcare professionals will be familiar with, as they have a similar interface to commercially available messaging apps. Each authorized user logs into their app using a centrally-issued username and password. They can then communicate with other authorized users within the covered entity´s private communications network. If the authorized user forgets to log out of the app at the end of the communication, the automatic log-off capability signs them out.

All communications – including images, videos and documents – are encrypted to make them unreadable and unusable if a message is intercepted over a public Wi-Fi service, and safeguards exist to prevent ePHI being communicated outside of a covered entity´s private network – either accidentally or maliciously. All activity on the network is monitored by a cloud-based platform to ensure secure messages policies (also part of the HIPAA Security Rule) are adhered to.

Communicating with Patients Using Secure Messaging

In order to communicate with patients, medical professionals and healthcare organizations have the option of either authorizing the patient to have temporary access to the network via a secure messaging app, or a secure temporary browser session can be organized using the same platform. In many cases, medical professionals and healthcare organizations have integrated a secure messaging solution into the EHR to eliminate time-consuming patient updates.

This has also been the case when patients have attended a community medical center or received visits at home from a community nurse. Staff at the medical centers and community nurses can use the secure messaging apps to relay critical patient data and escalate patient concerns securely – subject to the guidelines of the HIPAA Privacy Rule being adhered to. Both when communicating with patients using secure messaging and when communicating between medical professionals, secure messaging solutions have the following advantages:

  • Medical professionals in the community can send and receive ePHI on the go using secure messaging.
  • Images can be attached to secure messages, which can then be shared to accelerate diagnoses and the administration of treatment.
  • Secure messaging can also be used to accelerate emergency admissions and patient discharges – reducing wait times and streamlining the administrative process.
  • Automatically produced delivery notifications and read receipts reduce phone tag and increase message accountability.
  • Access reports make risk management analyses much simpler while, when integrated with an EHR, secure messaging also enables healthcare organizations to meet the requirements for patient electronic access under Stage 2 of the Meaningful Use incentive program.

Communicating ePHI at distance with secure messaging ensures that messages are communicated to the correct recipient, reduces the amount of time that is wasted between sending a message and receiving a reply, and protects the integrity of ePHI in compliance with the HIPAA guidelines on telemedicine.

Some Final Thoughts about the HIPAA Guidelines on Telemedicine

Secure messaging solutions were initially developed to facilitate messaging in compliance with HIPAA, but many of the features of secure messaging have resulted in benefits that have enhanced the workflows of healthcare professionals, reduced costs in medical facilities, and increased the standard of healthcare received by patients.

Many healthcare organizations have been pleasantly surprised at the ease with which the HIPAA guidelines on telemedicine can be complied with, and even more pleasantly surprised at the cost – with there being no need to invest in expensive hardware or complicated software, or drain the organization´s IT resources.

The HIPAA guidelines on telemedicine make it quite clear what measures should be introduced to secure the integrity of ePHI. With there being significant advantages to implementing a secure messaging solution, it is only a question of time before all covered entities providing a telemedicine service are communicating ePHI at distance with secure messaging.

HIPAA Guidelines on Telemedicine during the Coronavirus COVID-19 Outbreak

For the latest HIPAA guidelines on telemedicine during the Coronavirus COVID-19 outbreak, please refer to this page.

HIPAA Guidelines on Telemedicine FAQs

I heard that Google and Skype will sign BAAs. Is this true?

Google and Skype will sign BAAs for some of their services, but not all. For example, Google will sign a BAA for some elements of the Google Workspaces productivity suite, but not Gmail. Similarly, Skype will sign a BAA with organizations that subscribe to the Microsoft Teams platform, but each patient must also have an Office365 account linked to the Skype service.

Does HHS endorse any secure messaging providers?

HHS does not endorse any service provider or technology. However, when the agency announced its enforcement discretion during the Covid-19 pandemic, it listed a selection of service providers “that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA”. You will find the list at the end of this article.

If a secure channel is established between a physician and a patient, is that enough to satisfy the HIPAA requirements?

No. The Security Rule has detailed requirements related to auditing capabilities, data back-up procedures, and disaster recovery mechanisms. All communications must be tracked, logged, and stored securely to ensure the confidentiality, integrity, and availability of ePHI and support business continuity in the event of a man-made or natural disaster.

How likely are Man-in-the-Middle attacks in telemedicine?

A survey conducted in 2020 claimed that 62% of respondents that worked in the healthcare industry had been the victim of a Man-in-the-Middle attack in the past five years. It is not known how many respondents this amounted to (the survey was conducted across all industries), what percentage of the attacks were telemedicine-related, or how the respondents knew they were the victims of a Man-in-the-Middle attack. Nonetheless, if true, this is a worrying statistic.

What if a patient is not technology minded and can only use a non-compliant service such as Facebook Live?

It is understandable that some patients will not have the technical knowledge to download and install apps or navigate new software. In cases such as this, Covered Entities should use a communications channel similar to the one the patient is familiar with. For example, Google Meet could be used as a replacement for Facebook Live as the invitation to join a meeting is sent via a Gmail link, so all the patient would need to do is click on the link to connect with their physician.

HIPAA Compliance Infographics