Direct Primary Care (DPC) providers, who by definition no longer practice in the fee-for-service world, are embracing all forms of telemedicine, including phone calls, texts, emails, FaceTime, secure messaging platforms, and specialty consults, as part of a patient's membership package.
One of the defining characteristics of DPC is an improved physician-patient relationship, because time is spent on patient care instead of on coding, modifying claims, and seeking authorizations for payment. By using telemedicine, providers extend access beyond the doctor's office. This is good news for patient care, but DPC providers must not forget that HIPAA applies to telemedicine just as it does to care delivered in the office.
HIPAA and Telemedicine
Most providers believe that communicating ePHI via telemedicine platforms is acceptable as long as the communication is directly between the physician and the patient. This belief comes from the HIPAA Privacy Rule, which permits a covered entity to disclose PHI to the individual it concerns. But the Privacy Rule is only half of the equation; there is also the HIPAA Security Rule, which governs the safeguards around electronic PHI (ePHI), including the channel used to transmit it and the systems that store it.
Applied to telemedicine, the technical safeguards of the HIPAA Security Rule (45 CFR 164.312) require that:
- Only authorized, authenticated users have access to ePHI (access control and person or entity authentication)
- ePHI be protected from improper alteration or destruction and be transmitted over a secured channel (integrity and transmission security; encryption is an addressable implementation specification, meaning the provider must implement it or document why an equivalent alternative is reasonable)
- Activity in systems that contain or use ePHI be recorded and examined so that accidental or malicious breaches can be detected (audit controls)
If a DPC provider uses SMS, consumer Skype or ordinary email as a form of telemedicine, copies of those messages, which contain individually identifiable health information, are stored on the service providers' servers. A vendor that creates, receives, maintains or transmits PHI on behalf of a covered entity is a business associate, so HIPAA requires DPC providers who use these systems to have a Business Associate Agreement (BAA) with the communication provider (e.g. Verizon, Skype or Google). Consumer-grade services generally do not offer a BAA; some enterprise offerings from the same companies do, but only under a signed agreement, and a carrier that merely transmits data with transient access may fall under HHS's narrow conduit exception, which a service that stores message content does not. Without a BAA, the DPC provider would be liable for any fines or civil penalties should a breach occur due to the vendor's lack of HIPAA-compliant security measures. All of this points to the need for DPC providers to obtain advice from a HIPAA expert on how to identify telemedicine platforms that are HIPAA compliant (in practice, platforms whose vendor will sign a BAA and whose safeguards have been evaluated) and how to include them in the DPC provider's HIPAA risk assessment and HIPAA compliance policies.
Kathrine Nicol is a HIPAA compliance expert. Contact her today to discuss how to ensure your telemedicine platforms are HIPAA compliant.