It is important to understand the HIPAA rules surrounding telehealth video platforms. Although Giva does not have a product in this market space, it is important that our customers understand the rules and prepare. Giva is in the business of HIPAA-compliant IT help desk and customer service software that can be used in conjunction with telehealth video platforms.
Guidelines for a HIPAA-Compliant Video Platform for Telehealth
For the last decade, industry prognosticators have been predicting that "next year" will be the year of explosive growth for telemedicine. Although telehealth hardware and software have been making impressive feature improvements, these forecasts did not come true until the start of COVID-19 in 2020. The HIPAA rules on telemedicine have an important and wide-reaching impact on clinical healthcare professionals and the patients they serve remotely or in community settings. Even though the direct communication is between a healthcare professional and a patient, the communication channel itself must also be HIPAA compliant for the consultation to be HIPAA compliant.
Telemedicine HIPAA guidelines mandate that:
- Access to PHI must be restricted to authorised persons.
- Encrypted communication channels must be used to protect PHI.
- Logging and monitoring must be in place to reduce the risk of breaches.
HIPAA rules state that "reasonable and appropriate safeguards" should be implemented to safeguard PHI from accidental breaches. SMS, Skype, and email are insecure and should not be used. The HIPAA guidelines on telemedicine mandate that systems must have a way of monitoring and, if necessary, deleting information remotely. Automatic log-off capabilities should also be a feature of the system.
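The safeguards listed above (authorised access only, logging and monitoring, remote revocation, automatic log-off) are usually described as policy, so it helps to see how small the underlying mechanism is. The following is an added example written for this page, not Giva's product code or a reference implementation from HIPAA guidance. It assumes a 15-minute idle timeout (HIPAA does not prescribe a number), a constructed role-to-record-type permission table, and constructed user and device identifiers. Every access attempt, allowed or denied, lands in an audit log so that monitoring has something to work with; a lost device can be revoked remotely; and a session that has been idle past the timeout is logged off automatically the next time it is used.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed policy value for this example; HIPAA does not mandate a specific timeout.
IDLE_TIMEOUT_SECONDS = 15 * 60

# Constructed sample permission table: which roles may read which record types.
ROLE_PERMISSIONS = {
    "physician": {"clinical_note", "lab_result"},
    "nurse": {"clinical_note"},
    "billing": set(),
}


@dataclass
class Session:
    user: str
    role: str
    device_id: str
    last_activity: float
    revoked: bool = False


@dataclass
class AuditEvent:
    timestamp: float
    user: str
    device_id: str
    action: str
    record_id: str
    outcome: str  # "allowed" or "denied:<reason>"


class PhiAccessGate:
    """Gate in front of PHI reads: authorisation, idle log-off, remote revoke, audit log."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[AuditEvent] = []

    def login(self, session_id: str, user: str, role: str, device_id: str, now: float) -> None:
        self.sessions[session_id] = Session(user, role, device_id, now)
        self.audit_log.append(AuditEvent(now, user, device_id, "login", "-", "allowed"))

    def _deny_reason(self, s: Optional[Session], record_type: str, now: float) -> Optional[str]:
        # Returns None when the read may proceed, otherwise a short reason for the audit log.
        if s is None:
            return "no_session"
        if s.revoked:
            return "revoked"
        if now - s.last_activity > self.idle_timeout:
            return "idle_timeout"
        if record_type not in ROLE_PERMISSIONS.get(s.role, set()):
            return "not_authorised"
        return None

    def read_record(self, session_id: str, record_id: str, record_type: str, now: float) -> bool:
        s = self.sessions.get(session_id)
        reason = self._deny_reason(s, record_type, now)
        user = s.user if s else "unknown"
        device = s.device_id if s else "unknown"
        if reason == "idle_timeout":
            # Automatic log-off: the stale session is dropped, the user must log in again.
            del self.sessions[session_id]
        if reason is None:
            s.last_activity = now  # activity extends the idle window
            outcome = "allowed"
        else:
            outcome = f"denied:{reason}"
        self.audit_log.append(AuditEvent(now, user, device, f"read:{record_type}", record_id, outcome))
        return reason is None

    def revoke_device(self, device_id: str, now: float) -> int:
        """Remote log-off of every live session on a lost or stolen device; returns count revoked."""
        count = 0
        for s in self.sessions.values():
            if s.device_id == device_id and not s.revoked:
                s.revoked = True
                count += 1
                self.audit_log.append(AuditEvent(now, s.user, device_id, "remote_revoke", "-", "allowed"))
        return count

    def denied_events(self) -> List[AuditEvent]:
        # What a monitoring job would review: every refused PHI access, with its reason.
        return [e for e in self.audit_log if e.outcome.startswith("denied")]


def demo() -> Tuple[PhiAccessGate, Tuple[bool, bool, int, bool, bool]]:
    """Walks one constructed scenario through the gate; timestamps are seconds."""
    gate = PhiAccessGate()
    t0 = 1_000_000.0
    gate.login("s1", "dr_smith", "physician", "phone-A", t0)   # constructed identities
    gate.login("s2", "j_doe", "billing", "laptop-B", t0)
    r1 = gate.read_record("s1", "rec-42", "lab_result", t0 + 60)     # physician: allowed
    r2 = gate.read_record("s2", "rec-42", "lab_result", t0 + 61)     # billing: not_authorised
    revoked = gate.revoke_device("laptop-B", t0 + 70)                # laptop reported lost
    r4 = gate.read_record("s2", "rec-42", "clinical_note", t0 + 71)  # denied: revoked
    r3 = gate.read_record("s1", "rec-42", "lab_result", t0 + 961)    # 901 s idle: auto log-off
    return gate, (r1, r2, revoked, r4, r3)


if __name__ == "__main__":
    gate, _ = demo()
    for e in gate.audit_log:
        print(f"{e.timestamp:.0f} {e.user:10} {e.device_id:9} {e.action:18} {e.record_id:7} {e.outcome}")
```

The point of returning a reason string rather than a bare boolean is that the audit log then distinguishes a permissions problem from a stale session or a revoked device, which is what makes the log useful for monitoring rather than just a record that something was refused.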
Telemedicine and SMS, Skype or Gmail
If PHI is created by a healthcare organisation (covered entity) and stored by a third party (business associate), then there must be a business associate agreement (BAA) in place to ensure the protection and privacy of the data. These third parties are responsible for ensuring data privacy and confidentiality. They must also allow the covered entity to periodically audit the business associate for data security.
SMS, Skype or Gmail communications always leave a copy on the vendors' servers. If any communications contain PHI, then the covered entity needs to have a BAA with Verizon, Skype/Microsoft or Google in order to be HIPAA compliant. Currently, these vendors will not sign BAAs with covered entities, so the entities are liable for any fines should PHI be disclosed.
HIPAA-Compliant Telehealth at a Cost
For solo physicians who want to offer HIPAA-compliant telehealth services to patients, there are some complicated and expensive options. Microsoft will sign a BAA with physicians for HIPAA-compliant Skype for Business video. Unfortunately, patients must also have an Office365 account linked to the cloud-based Skype for Business service, so for most environments this is not practical or cost effective.
Better Telehealth Solutions for PHI Using Secure SMS Messaging
Secure SMS messaging (texting) offers healthcare organisations compliance with HIPAA guidelines on telemedicine. Texting is a simple, ubiquitous application that most clinical professionals and patients already know how to use. All the information is encrypted, meaning that it is unreadable and unusable if accessed by an unauthorised party. Secure SMS messaging is offered through cloud-based application platforms, so it operates as a closed private network. Patients can quickly download the application onto their smartphones. There are many excellent use cases for secure SMS messaging, such as in community medical centres or in home healthcare when nurses want to quickly escalate a patient situation. Secure SMS messaging solutions also have the added benefits of better workflows, reducing costs and improving patient outcomes.
The benefits of using secure SMS messaging:
- Sending and receiving PHI securely while outside of a hospital or healthcare office.
- Images and videos attached to messages can provide better health outcomes in the form of accelerated diagnoses and fast collaboration on appropriate treatments.
- Accelerated ER intake and patient discharges and reduced waiting. Moving patients more quickly through a hospital or healthcare system also minimises the spreading of contagious diseases.
- Automated notifications and read receipts reduce telephone tag and improve accountability.
- Audit and logging reports make it easy to monitor and perform risk management.
- Integration with ehealth records allows for Stage 2 Meaningful Use incentive programmes.