On May 11, 2023, the United States public health emergency (PHE) will come to an end. For telehealth providers, one major change will be the end of HIPAA enforcement discretion.
This article will give you an overview of telehealth HIPAA compliance, and how you can prepare for the upcoming changes.
Best practices for following HIPAA rules and regulations
Telehealth HIPAA compliance can be complex, and exceptions do exist. However, these are some general guidelines that can help you prepare for the end of the PHE.
1. Learn cyber security basics
Keeping patient communication secure means maintaining a high level of cyber security. Here are a few tips:
- Use encrypted email or a secure platform to share patients’ healthcare information.
- Avoid using a shared computer for telehealth calls. If you do use a shared computer, be careful about accessing and saving personal information such as login credentials or PHI on it.
- Find a HIPAA-compliant telehealth software option (and stick to it).
- Have a business associate agreement (BAA) with your telehealth platform (see tip two for more on BAAs).
2. Get a business associate agreement
A BAA is a contract between you and businesses you work with that may have access to your patients’ Protected Health Information (PHI). This contract requires that these companies keep PHI private.
You will need a BAA with any telehealth software you use—even if the software is HIPAA-compliant. Telehealth software companies should have BAA paperwork readily available.
3. Make sure you’re talking to the right person
When meeting virtually with a patient, make confirming their identity a routine. This can include having them:
- Upload an image of their ID.
- Show their ID at the beginning of the call.
- Confirm personal identifiers (two or more are recommended), like date of birth or home address.
Confirming patient identity does not need to be complex, and it can save you from making a serious mistake.
4. Keep patient visits private
Telehealth means that you can take a call from just about anywhere. That doesn’t mean you should start working from the beach though—telehealth visits should generally be taken in a private setting. Here are a few ways to help your patients feel that their visits are confidential:
- Let your patient know if anyone is in the room with you. If you are inside, it’s a good idea to keep the door closed.
- Ask and document who is in the same room as (or within earshot of) your patient.
- Do not take patient phone calls in public spaces or use speakerphone.
Be considerate when talking about personal health with a patient. If your patient is not alone, use discretion when asking personal questions.
5. Train your staff on HIPAA telehealth requirements
If you have any staff, you are responsible for providing the resources needed to make sure they understand HIPAA telehealth requirements. Because HIPAA is complex, it’s best to find the most relevant training for your practice.
Train employees when they first join your practice and when there are any relevant regulatory changes. We also recommend making HIPAA training an annual requirement for employees (although more frequent training never hurts!).
What is a HIPAA violation?
As a quick review, let’s look at some examples of potential HIPAA violations:
- Texting, or using another insecure form of messaging, to share PHI.
- Taking video calls over WhatsApp, FaceTime, or other non-HIPAA-compliant platforms.
- Not asking for verification of a patient’s identity.
- Leaving telehealth login credentials in a place where others have access.
- Not getting a BAA with your telehealth platform.
See more examples of potential HIPAA violations.
Will telehealth still be important after the PHE ends?
Virtual care has opened up a lot of opportunities for many patients. It’s made it easier for people to get care from the comfort of their own homes, without having to travel or take off work. For some, it has made health care more accessible. For others who already had access to health care but avoided doctor visits, it has allowed for a more convenient and approachable experience.
Wondering if your patients are likely to seek out virtual care? See which patients are using telehealth the most.
Doxy.me is a HIPAA-compliant platform
Doxy.me was created specifically for healthcare professionals and is HIPAA compliant. Learn more about doxy.me’s security, privacy policy, and how we follow HIPAA regulations, including third-party verification of HIPAA compliance. Rest assured that we’ve gone the extra mile to ensure your patients’ information is secure.
Looking for a HIPAA-compliant telehealth solution? Sign up for a doxy.me account.