Telemedicine HIPAA Guidelines

The HIPAA guidelines on telemedicine affect any medical professional or healthcare organization that provides a remote service to patients in their homes or in community centers.

Many people assume that communicating ePHI at a distance is acceptable as long as the communication is directly between physician and patient. Taken on its own, the HIPAA Privacy Rule does permit exactly that.

However, the medium used to communicate ePHI at a distance is just as important if medical professionals and healthcare organizations want to comply with the HIPAA guidelines on telemedicine. This part of the guidelines comes from the HIPAA Security Rule, which stipulates:

  • Only authorized users should have access to ePHI.
  • A system of secure communication should be put in place to protect the integrity of ePHI.
  • A system of monitoring communications containing ePHI should be adopted to prevent accidental or malicious breaches.

The first bullet point is achievable simply through physicians applying “reasonable and appropriate safeguards” to prevent ePHI being disclosed to unauthorized parties. The second bullet point, however, means that insecure channels such as SMS, consumer Skype and ordinary email should not be used for communicating ePHI at a distance.

Lastly, according to the HIPAA guidelines on telemedicine, any method of communicating ePHI at a distance must include mechanisms that allow the communications to be monitored and, if necessary, remotely deleted. The last two bullet points also apply to ePHI at rest.

Do Not Use SMS, Skype or Email for Telemedicine

When ePHI created by a medical professional or healthcare organization is stored by a third party, the covered entity must have a Business Associate Agreement (BAA) with the party storing the data. The BAA must set out the safeguards the third party uses to protect the data and provide for ongoing auditing of the data’s security.

Because copies of communications shared by SMS, Skype or email remain on the service providers’ servers, and contain individually identifiable health information, the covered entity would need a BAA with (for example) Verizon, Skype or Google in order to comply with the HIPAA guidelines on telemedicine.

Since (for instance) Verizon, Skype and Google will not sign BAAs with covered entities for these services, the covered entity is liable for any penalties or civil action should a breach of ePHI occur because of the third party’s lack of HIPAA-compliant safeguards. The covered entity would also be likely to fail any HIPAA audit it is subject to for not completing an acceptable risk assessment, which could in turn affect the receipt of payments under the Meaningful Use incentive program.

Telehealth & HIPAA Compliance

There are some options for physicians who want to run a HIPAA-compliant telehealth service with patients, but they tend to be both complicated and costly. For instance, Microsoft will sign a Business Associate Agreement with physicians who want to use the HIPAA-compliant Skype for Business video service. However, to do so, each patient must also have an Office 365 account connected to the cloud-based Skype for Business service.

The cost of the service (up to $35.00 per user per month) may deter some patients from using a HIPAA-compliant telehealth service; and, although cheaper options exist, their video quality is often insufficient for physicians to diagnose patients’ complaints accurately. In addition, other applications running in the background on the patient’s device may consume the available bandwidth and degrade the session further.

Better Solutions for Sending ePHI

Many healthcare organizations have chosen a secure messaging solution to comply with the HIPAA guidelines on telemedicine. Secure messaging solutions offer the same speed and convenience as SMS, Skype or email, but satisfy the Security Rule by restricting access to ePHI to authorized users, providing a secure channel of communication, and monitoring activity on that channel.

These solutions operate through easy-to-use apps that most healthcare workers will find familiar, since their interface resembles that of commercial messaging applications. Each authorized user logs into the app with a centrally issued username and password and can then correspond with other authorized users within the covered entity’s private communications network.

All communications, including images, videos and documents, are encrypted so that they are unreadable and unusable if intercepted, for example over public Wi-Fi, and safeguards prevent ePHI from being sent outside the covered entity’s private network, whether accidentally or maliciously. All activity on the network is monitored by a cloud-based platform to ensure that the secure messaging policies (themselves a requirement of the HIPAA Security Rule) are being followed.
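The three Security Rule controls this paragraph describes (authorized users only, a channel that protects confidentiality and integrity, and monitoring of every attempt to send ePHI) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not code from the page, from any secure messaging vendor, or from a real deployment. It assumes a constructed user directory, a shared key provisioned by a central service, and an HMAC-SHA256 counter-mode keystream as a stand-in for the TLS and standard AEAD (such as AES-GCM) a real product would use.

```python
import hashlib
import hmac
import os
import time

# Constructed sample directory and domain for this example; not real users or a real product.
PRIVATE_DOMAIN = "clinic.example"
AUTHORIZED_USERS = {"dr.lee@clinic.example", "nurse.ortiz@clinic.example"}


def derive_keys(master_key: bytes):
    """Derive separate encryption and MAC keys from one shared secret."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 used as a PRF in counter mode. Illustrative only: a real
    deployment would use TLS plus a standard AEAD such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key: bytes, sender: str, recipient: str, plaintext: bytes) -> dict:
    """Encrypt-then-MAC. The MAC also covers the routing header, so neither the
    body nor the sender/recipient fields can be altered without detection."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    header = f"{sender}|{recipient}".encode()
    tag = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    return {"sender": sender, "recipient": recipient, "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def open_envelope(master_key: bytes, env: dict) -> bytes:
    """Verify the tag in constant time before decrypting; refuse anything altered in transit."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = bytes.fromhex(env["nonce"])
    ciphertext = bytes.fromhex(env["ciphertext"])
    header = f"{env['sender']}|{env['recipient']}".encode()
    expected = hmac.new(mac_key, header + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(env["tag"])):
        raise ValueError("integrity check failed: message or routing header was altered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def send_message(master_key: bytes, sender: str, recipient: str, text: str, audit_log: list) -> dict:
    """Gatekeeper for outbound ePHI: authorized users only, no egress outside the
    private domain, and every decision (allowed or denied) is recorded for review."""
    event = {"ts": time.time(), "sender": sender, "recipient": recipient}
    if sender not in AUTHORIZED_USERS:
        audit_log.append({**event, "result": "denied", "reason": "sender not authorized"})
        raise PermissionError("sender not authorized")
    if not recipient.endswith("@" + PRIVATE_DOMAIN) or recipient not in AUTHORIZED_USERS:
        audit_log.append({**event, "result": "denied", "reason": "recipient outside private network"})
        raise PermissionError("recipient outside private network")
    env = seal(master_key, sender, recipient, text.encode())
    audit_log.append({**event, "result": "sent", "bytes": len(text)})
    return env


def denied_events(audit_log: list) -> list:
    """Review helper: the denied attempts a compliance officer would look at first."""
    return [e for e in audit_log if e["result"] == "denied"]


if __name__ == "__main__":
    key = os.urandom(32)  # in practice provisioned to each authorized user by the central service
    log = []
    env = send_message(key, "dr.lee@clinic.example", "nurse.ortiz@clinic.example",
                       "Wound on left ankle improving; continue daily dressing change.", log)
    print(open_envelope(key, env).decode())
    try:
        send_message(key, "dr.lee@clinic.example", "patient@webmail.example", "Lab results attached", log)
    except PermissionError as exc:
        print("blocked:", exc)
    print(denied_events(log))
```

The point to take from the example is the separation of duties: the sealing routine gives confidentiality and integrity on the wire, the gatekeeper enforces who may send and where ePHI may go, and the audit log records the denials as well as the successes so that the monitoring required by the Security Rule has something to review.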

Secure Messaging & Communicating with Patients

To communicate with patients, medical professionals and healthcare organizations can either grant the patient temporary access to the network through a secure messaging app, or set up a secure temporary browser session on the same platform. In many cases, healthcare organizations have also integrated their secure messaging solution with the EHR to eliminate time-consuming manual patient updates.

The same applies when patients visit a community medical center or are visited at home by a community nurse. Staff at the medical centers and community nurses can use the secure messaging apps to send critical patient data and escalate patient concerns safely, provided the requirements of the HIPAA Privacy Rule are observed. Whether used to communicate with patients or between medical professionals, secure messaging solutions offer the following benefits:

  • Medical workers in the community can send and receive ePHI on the go.
  • Images can be attached to secure messages and sent to speed up diagnosis and the administration of treatment.
  • Secure messaging can also be used to accelerate emergency admissions and patient discharges, cutting wait times and streamlining the administrative process.
  • Automatically generated delivery notifications and read receipts reduce phone tag and increase message accountability.
  • Access reports make risk assessments much easier and, when integrated with an EHR, secure messaging also helps healthcare organizations meet the patient electronic access requirements of Stage 2 of the Meaningful Use incentive program.

Communicating ePHI at a distance with secure messaging ensures that messages reach the intended recipient, minimizes the time wasted between sending a message and receiving a reply, and protects the integrity of ePHI in compliance with the HIPAA guidelines on telemedicine.


About James Keogh
James Keogh is an experienced journalist specializing in healthcare compliance with a particular focus on cybersecurity. With several years of experience in the field, he has developed a deep understanding of the challenges and developments related to protecting patient data and ensuring regulatory compliance in the healthcare sector. James is on Twitter and LinkedIn.