Telemedicine in the Age of HIPAA Hyper-Awareness

The HIPAA Realities of Virtual Care and Instant Connections

Technology is powering a new generation of connected, collaborative care using telephonic and video conference call technology. But with this great power comes even greater responsibility for HIPAA-HITECH compliance. We are currently observing many providers utilizing cell phones and other common technologies to deliver care without realizing the implications of transferring PHI through a network that does not have adequate security controls.

According to the American Telemedicine Association, over half of all U.S. hospitals now use some form of telemedicine. As the use of telemedicine increases, so do security concerns around establishing extended protection for PHI. If your healthcare organization is leveraging technology to facilitate provider-to-patient activities, and/or to collaborate on patient care among providers, it is important to closely evaluate the security controls of your chosen solution(s), which, we must point out, are not in place for most readily available telephonic and video conferencing solutions.

Here are a few tips to help you navigate the promise – and potential pitfalls – of connected care:

  • Be sure your organization’s HIPAA Security Risk Analysis and Risk Management efforts are given continuing focus in your organization and with Business Associates.
  • Always ensure there is a BAA in place for any client-server-based solution. For instance, using Skype for audio or audio/visual communications where PHI is transferred requires a BAA with Microsoft to ensure you are compliant under HIPAA.
  • Your IT/Information Security group should conduct a comprehensive security assessment of all existing assets with PHI, potential security gaps and known solutions. A good resource for identifying vendor partners can be accessed here.
  • Patients should sign a separate consent for a Telemedicine appointment approving the electronic transfer of PHI, among other factors.
  • Stay up to date on federal guidelines and recommendations regarding telemedicine. The most recently released guidance from the State Federation of Medical Boards can be found by clicking here.
  • As always, any contracts and informed consent documents should be thoroughly reviewed by Legal Counsel.

Is your organization increasing its use of technologies to deliver remote care? What steps has your organization taken to ensure long distance care solutions align with HIPAA compliance efforts?


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.