Telemedicine and HIPAA

Any time information is transmitted, there is a risk that it will be seen by someone who is not supposed to see it. That risk seems even greater when the information is transmitted electronically. News reports and circulating anecdotes of data security breaches are enough to make anyone think that the internet is a sieve, letting private information leak out with nothing and no one to stop it.

Telemedicine poses a special challenge for data security and privacy. Medical information is to be kept undisclosed except to those who have a reason or permission to see it. Privacy is a matter of professionalism, and a matter of respect for the patient. It is also, of course, a matter of law: HIPAA, the Health Insurance Portability and Accountability Act, establishes strict national standards for the privacy of medical information. Another law, the Health Information Technology for Economic and Clinical Health (HITECH) Act, signed by the President in 2009, addresses the privacy and security concerns that come with the electronic transmission of health information. The HITECH Act, which was enacted to promote the use of electronic medical records, includes a number of provisions that make enforcement of the HIPAA rules stronger.

The security rules adopted by the Department of Health and Human Services apply to telemedicine providers just as they apply to any other covered health care provider. Providers are required to have four types of safeguard in place:

  • Administrative, such as policy and procedures relating to data protection;
  • Physical, relating to the physical access to patient information;
  • Human, training employees to protect privacy; and
  • Technical, relating to the technology and mechanics of data protection.

Telemedicine relies heavily on technology, so the technical safeguards may pose a particular challenge for an organization. The HHS rule sets out the technical requirements that will be considered adequate safeguards. Providers who want to use telemedicine for their patients obviously need to verify that the communications method they use meets those standards. You may be surprised to learn that some popular means of electronic communication are not necessarily compliant. At least one physician has been disciplined for using a common communications tool that turned out not to be compliant. Checking for alternatives is a simple matter that can avoid a lot of trouble.
