top of page

HIPAA Compliance in Telehealth: Key Requirements and Common Pitfalls

  • David Larsen
  • Aug 9, 2024
  • 8 min read

Vol. 1, No. 25     |     August 9, 2024     |     By Dave Larsen, Väsentlig Consulting LLC

As a home-based solo mental health practitioner using telehealth, ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA) is crucial for protecting your clients' privacy and maintaining the integrity of your practice (Kaplan, 2020).

HIPAA is a federal law that sets standards for the protection of sensitive patient health information, known as protected health information (PHI) (U.S. Department of Health and Human Services, 2021).

In this post, we'll explore the key HIPAA requirements for telehealth, discuss common pitfalls to avoid, and examine the consequences of data breaches for small practices, helping you navigate the complexities of compliance in the digital age.

Understanding HIPAA Requirements for Telehealth

HIPAA compliance in telehealth involves meeting several key requirements related to the privacy, security, and breach notification rules (Kaplan, 2020). These requirements apply to all forms of electronic PHI (ePHI), including video, audio, and text-based communications (U.S. Department of Health and Human Services, 2021).

  1. Privacy Rule: The HIPAA Privacy Rule establishes standards for the protection of PHI, including how it can be used and disclosed (Tovino, 2017). In telehealth, this means ensuring that:

    • PHI is only accessed, used, or disclosed for permitted purposes, such as treatment, payment, or healthcare operations (Kaplan, 2020).

    • Patients are provided with a Notice of Privacy Practices (NPP) that explains their rights and how their PHI will be used (U.S. Department of Health and Human Services, 2021).

    • Reasonable safeguards are in place to protect PHI from unauthorized access, use, or disclosure (Tovino, 2017).

  2. Security Rule: The HIPAA Security Rule sets standards for the protection of ePHI, focusing on the confidentiality, integrity, and availability of this information (Kaplan, 2020). In telehealth, this means implementing:

    • Administrative safeguards, such as risk assessments, staff training, and incident response plans (U.S. Department of Health and Human Services, 2021).

    • Physical safeguards, such as secure workstations, device and media controls, and facility access controls (Tovino, 2017).

    • Technical safeguards, such as access controls, audit controls, integrity controls, and transmission security (Kaplan, 2020).

  3. Breach Notification Rule: The HIPAA Breach Notification Rule requires covered entities to notify patients, the U.S. Department of Health and Human Services (HHS), and, in some cases, the media, in the event of a breach of unsecured PHI (U.S. Department of Health and Human Services, 2021). In telehealth, this means having procedures in place to:

    • Identify and respond to potential breaches (Kaplan, 2020).

    • Conduct a risk assessment to determine if a breach has occurred (Tovino, 2017).

    • Notify the appropriate parties within the required timeframes (U.S. Department of Health and Human Services, 2021).

By understanding and adhering to these key HIPAA requirements, you can create a solid foundation for compliance in your telehealth practice (Kaplan, 2020).

Common HIPAA Pitfalls in Telehealth

While the shift to telehealth has brought many benefits, it has also introduced new challenges and potential pitfalls related to HIPAA compliance (Lustig, 2012). Here are some common HIPAA pitfalls to watch out for in your telehealth practice:

  1. Unsecured Communication Platforms: One of the most significant HIPAA risks in telehealth is the use of unsecured communication platforms, such as Skype, FaceTime, or Facebook Messenger (Kaplan, 2020). These platforms may not provide the necessary encryption, access controls, or audit trails to protect PHI (Lustgarten et al., 2020). To avoid this pitfall, use only HIPAA-compliant telehealth platforms that offer Business Associate Agreements (BAAs) and meet the required security standards (Tovino, 2017).

  2. Insufficient Training and Policies: Another common HIPAA pitfall is the lack of sufficient staff training and policies related to telehealth (Kaplan, 2020). All members of your team, including yourself, must be trained on HIPAA requirements and your practice's specific policies and procedures for protecting PHI in a telehealth setting (Lustgarten et al., 2020). Failing to provide this training or establish clear policies can lead to unintentional HIPAA violations (Tovino, 2017).

  1. Inadequate Risk Assessments: Conducting regular risk assessments is a key requirement of the HIPAA Security Rule (U.S. Department of Health and Human Services, 2021). In telehealth, this means assessing the risks and vulnerabilities associated with your telehealth platform, devices, and processes (Kaplan, 2020). Failing to conduct these assessments or address identified risks can leave your practice open to potential HIPAA violations and data breaches (Lustgarten et al., 2020).

  1. Insecure Remote Work Environments: With the rise of remote work, many mental health practitioners are conducting telehealth sessions from their homes or other remote locations (Tovino, 2017). However, these environments may not have the same level of security as a traditional office setting (Kaplan, 2020). To avoid HIPAA pitfalls, ensure that your remote work environment has secure Wi-Fi, encrypted devices, and physical safeguards to protect PHI (Lustgarten et al., 2020).

  1. Improper Disposal of PHI: The proper disposal of PHI is a critical aspect of HIPAA compliance, even in a telehealth setting (U.S. Department of Health and Human Services, 2021). This includes securely deleting electronic files, shredding physical documents, and properly sanitizing or destroying devices containing PHI (Kaplan, 2020). Failing to dispose of PHI properly can lead to unauthorized access and potential HIPAA violations (Lustgarten et al., 2020).

By being aware of these common HIPAA pitfalls and taking proactive steps to address them, you can significantly reduce the risk of non-compliance in your telehealth practice (Tovino, 2017).

Consequences of Data Breaches for Small Practices

Data breaches can have severe consequences for small practices, including solo mental health practitioners using telehealth (HIPAA Journal, 2021a). In addition to the potential harm to patients whose PHI is compromised, practices may face significant financial penalties, legal liabilities, and reputational damage (Kaplan, 2020).

The HHS Office for Civil Rights (OCR) is responsible for enforcing HIPAA rules and investigating potential violations (U.S. Department of Health and Human Services, 2021). When a breach occurs, the OCR may impose civil monetary penalties (CMPs) based on the severity of the violation and the practice's level of culpability (HIPAA Journal, 2021b). These penalties can range from $100 to $50,000 per violation, with an annual maximum of $1.5 million for identical violations (Tovino, 2017).

In recent years, several small practices have faced substantial fines for HIPAA violations related to data breaches. For example:

  1. In 2019, a small dental practice in Colorado was fined $111,400 for disclosing PHI on a social media platform without obtaining patient authorization (HIPAA Journal, 2021c).

  2. In 2020, a solo psychiatric practice in Florida was fined $62,500 for failing to implement appropriate safeguards to protect ePHI, resulting in a data breach affecting over 6,000 patients (HIPAA Journal, 2021d).

  1. In 2021, a small medical practice in New Jersey was fined $100,000 for failing to conduct a risk analysis and implement appropriate security measures, leading to a breach of over 76,000 patient records (HIPAA Journal, 2021a).

These examples demonstrate the significant financial consequences that small practices can face for HIPAA violations and data breaches. In addition to these fines, practices may also incur costs related to breach notification, legal fees, and the implementation of corrective measures (Kaplan, 2020).

To avoid these consequences, it is essential for solo mental health practitioners using telehealth to prioritize HIPAA compliance and implement robust security measures to protect PHI (Lustgarten et al., 2020). By staying informed about HIPAA requirements, conducting regular risk assessments, and adhering to best practices for data security, small practices can minimize the risk of data breaches and maintain the trust of their patients (Tovino, 2017).

Best Practices for HIPAA Compliance in Telehealth

To help you navigate the complexities of HIPAA compliance in telehealth, here are some best practices to consider:

  1. Choose a HIPAA-Compliant Telehealth Platform: Select a telehealth platform that is specifically designed for healthcare and offers robust security features, such as end-to-end encryption, access controls, and audit trails (Kaplan, 2020). Ensure that the platform provider offers a BAA and is willing to share responsibility for HIPAA compliance (Lustgarten et al., 2020).

  2. Develop and Implement HIPAA Policies: Create comprehensive HIPAA policies and procedures that address the unique aspects of telehealth, including secure communication, remote work environments, and the proper use of telehealth platforms (Tovino, 2017). Regularly review and update these policies to ensure they remain current with evolving HIPAA requirements and telehealth best practices (Kaplan, 2020).

  1. Provide Regular HIPAA Training: Offer regular HIPAA training to all members of your team, including yourself, to ensure everyone understands their roles and responsibilities in protecting PHI (U.S. Department of Health and Human Services, 2021). This training should cover the specific HIPAA requirements for telehealth, as well as your practice's policies and procedures (Lustgarten et al., 2020).

  1. Conduct Risk Assessments: Perform regular risk assessments to identify potential vulnerabilities in your telehealth setup, including your devices, networks, and processes (Kaplan, 2020). Use the results of these assessments to implement appropriate safeguards and mitigate identified risks (Tovino, 2017).

  1. Use Secure Devices and Networks: Ensure that all devices used for telehealth, including computers, smartphones, and tablets, are encrypted and password-protected (U.S. Department of Health and Human Services, 2021). Use secure, private networks for telehealth sessions, and avoid public Wi-Fi or unsecured connections (Lustgarten et al., 2020).

  1. Obtain Patient Consent: Obtain informed consent from your patients before engaging in telehealth services (Kaplan, 2020). This consent should include information about the potential risks and benefits of telehealth, as well as how their PHI will be protected (Tovino, 2017). Document this consent in the patient's medical record and provide them with a copy of your telehealth policies (U.S. Department of Health and Human Services, 2021).

  1. Properly Dispose of PHI: Develop and implement procedures for the proper disposal of PHI in a telehealth setting (Kaplan, 2020). This may include securely deleting electronic files, shredding physical documents, and sanitizing or destroying devices containing PHI (Lustgarten et al., 2020). Ensure that all members of your team are trained on these procedures and follow them consistently (Tovino, 2017).

By implementing these best practices, you can create a strong foundation for HIPAA compliance in your telehealth practice and protect the privacy and security of your patients' sensitive health information (U.S. Department of Health and Human Services, 2021).

Conclusion

HIPAA compliance is a critical aspect of providing telehealth services as a home-based solo mental health practitioner. By understanding the key HIPAA requirements for privacy, security, and breach notification, being aware of common pitfalls, and recognizing the consequences of data breaches for small practices, you can take proactive steps to ensure the confidentiality and integrity of your patients' PHI.

Implementing best practices, such as choosing a HIPAA-compliant telehealth platform, developing comprehensive policies, providing regular training, conducting risk assessments, using secure devices and networks, obtaining patient consent, and properly disposing of PHI, can help you navigate the complexities of HIPAA compliance in the digital age.

Remember, HIPAA compliance is an ongoing process that requires continuous attention and effort. By staying informed about evolving HIPAA requirements, seeking guidance from experts when needed, and prioritizing the privacy and security of your patients' information, you can build a successful and compliant telehealth practice that provides high-quality care while safeguarding sensitive data.


References

HIPAA Journal. (2021a). Small medical practice fined $100,000 for HIPAA security rule violations. https://www.hipaajournal.com/small-medical-practice-fined-100000-for-hipaa-security-rule-violations/

HIPAA Journal. (2021b). What are the penalties for HIPAA violations? https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/

HIPAA Journal. (2021c). Dental practice fined $111,400 for disclosing PHI on social media. https://www.hipaajournal.com/dental-practice-fined-111400-for-disclosing-phi-on-social-media/

HIPAA Journal. (2021d). Florida psychiatric practice pays $62,500 to settle HIPAA security rule case. https://www.hipaajournal.com/florida-psychiatric-practice-pays-62500-to-settle-hipaa-security-rule-case/

Kaplan, B. (2020). Revisiting health information technology ethical, legal, and social issues and evaluation: Telehealth/telemedicine and COVID-19. International Journal of Medical Informatics, 143, 104239. https://doi.org/10.1016/j.ijmedinf.2020.104239

Lustgarten, S. D., Colbow, A. J., & Zinns, L. E. (2020). The law, privacy, and technology in telemedicine: Navigating the complex landscape of state and federal laws. Journal of Health & Life Sciences Law, 13(3), 64-103.

Lustig, T. A. (2012). The role of telehealth in an evolving health care environment: Workshop summary. National Academies Press. https://doi.org/10.17226/13466

Tovino, S. A. (2017). The HIPAA privacy rule and the EU GDPR: Illustrative comparisons. Seton Hall Law Review, 47(4), 973-994. https://scholarship.shu.edu/shlr/vol47/iss4/2

U.S. Department of Health and Human Services. (2021). HIPAA for professionals. https://www.hhs.gov/hipaa/for-professionals/index.html


 
 
 

Comments

© 2021 Väsentlig Consulting. All Rights Reserved.

  • LinkedIn
bottom of page