HIPAA compliance

Telemedicine platforms and providers must follow and meet the Health Insurance Portability and Accountability Act (HIPAA) of 1996 in the United States. HIPAA is mainly legislated to streamline healthcare practices and ensure the preservation of patient privacy and information security. HIPAA has two fundamental rules applicable to telemedicine service providers:

  1. The HIPAA Privacy Rule of 2000, which sets “national standards for the protection of individually identifiable health information“, and
  2. The HIPAA Security Rule of 2003, which sets “national standards for protecting the confidentiality, integrity, and availability of electronic protected health information“.

Consumer telemedicine service providers enable people to access expert and customized healthcare from health professionals.

When consumers or patients register with these providers, they share Personally Identifiable Information (PII) and Protected Health Information (PHI) in electronic format. Therefore, it is critical that all telemedicine service providers and their platforms, including mobile apps, be HIPAA compliant, both in terms of patient privacy (HIPAA Privacy Rule) and patient data safety and security (HIPAA Security Rule). Like any other law, breaking HIPAA rules is punishable, and in 2019, the average penalty for a HIPAA violation was US$1.2m.

PHI has a specific definition by HIPAA and includes data that could potentially lead to the disclosure of a person’s identity. PHIs cannot be disclosed by providers other than for treatment, payment or healthcare operation purposes. PHI identifiers are displayed in the picture below.

PHI Identifiers

HIPAA applies to anyone that deals with PHIs, including Covered Entities and Business Associates per its Privacy Rule. Covered entities include “(1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards“. A Business Associate is a “person or entity who, on behalf of a covered entity, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information“. Telemedicine providers are HIPAA covered entities who may need to use services of other IT companies as their business associates, which should be transparently conducted under a Business Associate Agreement.

Based on HIPAA’s Security Rule, it is advised by law that providers perform a security risk analysis to detect risks and vulnerabilities and adequately address them. HIPAA requires telemedicine providers to:

  • Restrict access to PHIs to the authorized users only.
  • Set up a secure communication channel to protect the integrity of data.
  • Set up a system to monitor communication to prevent a data breach.

PHIs are the most lucrative target for hackers and can be sold at the premium price of US$250-$1000 per record on the Dark Web. This makes the job of telemedicine providers and associates very critical to ensure patient identity and data safety. From the HIPAA data security guidance materials, it can be interpreted that data should be reasonably protected when stored or transmitted using encryption, and keys and secrets should be safeguarded.

This blog is part 4 of a series on Telehealth and Telemedicine Security. In the next and final blog of this series, we will wrap up with a summary and synopsis of key points discussed throughout this series.

Follow us here to stay up to date!