Expanded Use of Telehealth Solutions
The Illinois Department of Healthcare and Family Services has seen telehealth utilization grow during the pandemic, says Jon Hoffman, director of communications and public affairs for the IDHFS.
“For example, during March and April, provided telehealth services increased tenfold over the same time period last year, to $1.5 million,” he says. “However, it should be noted that it is too early in the billing process to thoroughly capture and quantify any utilization changes throughout the Medicaid program.”
The department does not directly provide telehealth solutions, Hoffman notes, but did issue emergency rules allowing Medicaid providers to expand the types of services and the ways in which services can be delivered to its members via telemedicine.
“All providers are required to follow HIPAA standards, including the use of HIPAA-compliant equipment and software when delivering services via telehealth,” he says.
As The Wall Street Journal reports, the goal of expanded telehealth solutions “is to keep people with symptoms at home and to practice social distancing if their condition doesn’t warrant more intensive hospital care.” The newspaper notes that almost 80 percent of hospitals in the U.S. have some sort of telehealth service.
HHS says its exercise of discretion in enforcing HIPAA compliance for telehealth “applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
As HIPAA Journal notes, HIPAA-compliant solutions need to ensure that electronic protected health information (e-PHI), whether at rest or in transit, is “encrypted to NIST standards once it travels beyond an organization’s internal firewalled servers. This is so that any breach of confidential patient data renders the data unreadable, undecipherable and unusable.”
HIPAA’s Security Rule is “shorthand for the Protection of Electronic Protected Health Information,” telemedicine company Chiron Health notes. “It sets the standards for securing patient data that is stored or transferred by electronic methods. It outlines three areas of protection required for compliance; administrative, physical, and technical. The rule establishes security standards for each.”
The technical safeguards, according to HHS, include several elements. One is access control, meaning that healthcare providers must “implement technical policies and procedures that allow only authorized persons to access electronic protected health information.”
Another is audit controls, in which providers must “implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI.”
Integrity controls are designed to “ensure that e-PHI is not improperly altered or destroyed,” and “electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed.”
Another critical element is transmission security, requiring “technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.”
HIPAA Compliant Telehealth Vendors
According to HHS, there are several vendors that “represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement.” They include:
- Skype for Business/Microsoft Teams
- Zoom for Healthcare
- Google Meet
- Cisco Webex Meetings/Webex Teams
- Amazon Chime
- Care Messenger from Spruce Health
HHS says it has “has not reviewed the BAAs [business associate agreements] offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products.”
“There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity,” HHS states. “Further, OCR does not endorse any of the applications that allow for video chats listed above.”