HIPAA and Telemedicine: key compliance criteria

HIPAA compliance

Telemedicine platforms and providers in the United States must comply with the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was enacted mainly to streamline healthcare practices and to preserve patient privacy and information security. Two of its rules are fundamental for telemedicine service providers:

  1. The HIPAA Privacy Rule of 2000, which sets “national standards for the protection of individually identifiable health information”, and
  2. The HIPAA Security Rule of 2003, which sets “national standards for protecting the confidentiality, integrity, and availability of electronic protected health information”.

Consumer telemedicine service providers enable people to access expert and customized healthcare from health professionals.

When consumers or patients register with these providers, they share Personally Identifiable Information (PII) and Protected Health Information (PHI) in electronic form. It is therefore critical that all telemedicine service providers and their platforms, including mobile apps, are HIPAA compliant, both in terms of patient privacy (the HIPAA Privacy Rule) and patient data safety and security (the HIPAA Security Rule). As with any other law, breaking HIPAA rules is punishable; in 2019, the average penalty for a HIPAA violation was US$1.2m.

PHI has a specific definition under HIPAA and covers data that could lead to the disclosure of a person’s identity. Providers may not disclose PHI for any purpose other than treatment, payment or healthcare operations. The PHI identifiers are shown in the image below.

[Image: PHI Identifiers]

Under its Privacy Rule, HIPAA applies to anyone who handles PHI, including Covered Entities and Business Associates. Covered entities are “(1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards”. A Business Associate is a “person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information”. Telemedicine providers are HIPAA covered entities; where they use the services of other IT companies as business associates, that relationship must be conducted transparently under a Business Associate Agreement.

Under HIPAA’s Security Rule, providers are expected to perform a security risk analysis to identify risks and vulnerabilities and to address them adequately. HIPAA requires telemedicine providers to:

  • Restrict access to PHI to authorized users only.
  • Set up a secure communication channel that protects the integrity of the data.
  • Set up a system to monitor communications so that a data breach can be prevented.

PHI is the most lucrative target for hackers and sells at a premium price of US$250-$1000 per record on the Dark Web. This makes it critical that telemedicine providers and their business associates protect patient identity and data. From the HIPAA data security guidance materials, it can be interpreted that data should be reasonably protected by encryption both when stored and when transmitted, and that keys and secrets should be safeguarded.
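The three requirements listed above (access restricted to authorized users, protected data integrity, and monitoring of access) together with the guidance on encrypting stored PHI can be illustrated in a small store for PHI records. The code below is an added example for this post, not Irdeto’s code or any real telemedicine platform: it keeps each record encrypted at rest with AES-256-GCM (so tampering with the ciphertext is detected on read), enforces a simple role allow-list before any decryption, and writes an audit event for every access decision. The roles, patient IDs and records are constructed sample values; the key is passed in by the caller because in a real deployment it would live in a KMS or HSM, never next to the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Principal is whoever is asking for a record (constructed sample roles).
type Principal struct {
	ID   string
	Role string // e.g. "clinician", "billing", "marketing"
}

// Only these roles have a treatment/payment/operations reason to see PHI.
var allowedRoles = map[string]bool{"clinician": true, "billing": true}

// AuditEvent is written for every access decision so access can be monitored.
type AuditEvent struct {
	Actor, Patient, Outcome string
}

// PHIStore holds records encrypted with AES-256-GCM. The key is hypothetical:
// the caller obtains it from a key-management service, not from this store's data.
type PHIStore struct {
	key   []byte
	data  map[string][]byte // patientID -> nonce || ciphertext
	Audit []AuditEvent
}

func NewPHIStore(key []byte) (*PHIStore, error) {
	if len(key) != 32 {
		return nil, errors.New("PHIStore needs a 256-bit key")
	}
	return &PHIStore{key: key, data: map[string][]byte{}}, nil
}

func (s *PHIStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(s.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts a record at rest. The patient ID is bound in as associated data,
// so a ciphertext moved to another patient's slot will not decrypt.
func (s *PHIStore) Put(patientID string, record []byte) error {
	gcm, err := s.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := gcm.Seal(nil, nonce, record, []byte(patientID))
	s.data[patientID] = append(nonce, ct...)
	return nil
}

// Get checks authorization before touching the ciphertext, logs the decision,
// and fails closed if the stored blob has been modified.
func (s *PHIStore) Get(p Principal, patientID string) ([]byte, error) {
	if !allowedRoles[p.Role] {
		s.Audit = append(s.Audit, AuditEvent{p.ID, patientID, "denied"})
		return nil, errors.New("access denied")
	}
	blob, ok := s.data[patientID]
	if !ok {
		s.Audit = append(s.Audit, AuditEvent{p.ID, patientID, "not-found"})
		return nil, errors.New("no such record")
	}
	gcm, err := s.aead()
	if err != nil {
		return nil, err
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(patientID))
	if err != nil {
		s.Audit = append(s.Audit, AuditEvent{p.ID, patientID, "integrity-failure"})
		return nil, err
	}
	s.Audit = append(s.Audit, AuditEvent{p.ID, patientID, "allowed"})
	return pt, nil
}

func main() {
	key := make([]byte, 32) // demo only; a real key comes from a KMS/HSM
	rand.Read(key)
	store, _ := NewPHIStore(key)
	store.Put("p-001", []byte("dx: hypertension")) // constructed sample record
	_, err := store.Get(Principal{"mkt-7", "marketing"}, "p-001")
	fmt.Println("marketing read:", err)
	rec, _ := store.Get(Principal{"dr-1", "clinician"}, "p-001")
	fmt.Println("clinician read:", string(rec))
	fmt.Println("audit trail:", store.Audit)
}
```

The audit slice is what a monitoring system would consume: a burst of "denied" or "integrity-failure" events for one actor or one patient is the signal the third requirement asks providers to watch for.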

This blog is part 4 of a series on Telehealth and Telemedicine Security. In the next and final blog of this series, we will wrap up with a summary and synopsis of key points discussed throughout this series.


About Steeve Huin

Steeve Huin, Vice President of BD, Marketing and Strategic Partnerships, Irdeto

Steeve is VP of Business Development, Marketing and Strategic Partnerships at Irdeto. He is a seasoned cybersecurity industry executive with more than 15 years of experience in driving engagement, business and revenue across video entertainment and connected industries. He transformed the Conditional Access landscape by launching the world’s first, and market-leading, one-way, software-only CA solution, Cloaked CA. Steeve is well-versed in the international business landscape, having held key strategic positions based out of the Netherlands, Canada and China throughout his career. Prior to his current leadership role at Irdeto, Steeve was Co-Chief Executive Officer at International Datacasting Corporation (IDC), a Canada-based technology provider to the world’s premier broadcasters. Steeve holds a master’s degree in Software Engineering from the École Nationale Supérieure of Bordeaux (France).