HIPAA Compliance and Telemedicine

Direct Primary Care providers, who by definition, are no longer practicing in the fee-for-service world, are embracing all forms of telemedicine including phone calls, texts, emails, FaceTime, secure messaging platforms, and specialty consults as part of a patient’s membership package.

Why Telemedicine

One of the defining characteristics of DPC is the improvement of the physician-patient relationship due to the time being spent on patient care instead of coding, and modifying and seeking authorizations for payment. By utilizing telemedicine, providers are extending access beyond the doctor’s office. This is good news for patient care, but DPC providers must not forget the HIPAA requirements for telemedicine.

HIPAA and Telemedicine

Most providers believe that communicating ePHI via telemedicine platforms is acceptable when the communication is directly between the physician and the patient. This is due to the language contained in the HIPAA Privacy Rule. But the HIPAA Privacy Rule is only dealing with half of the equation – there’s also the HIPAA Security Rule. This rule deals with the mode or channel of communication that is used for communicating the ePHI.

The HIPAA Security Rule covering telemedicine stipulates:

  • Only authorized users should have access to ePHI
  • A system of secure communication should be implemented to protect the integrity of ePHI
  • A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

If a DPC provider utilizes SMS, Skype or email as a form of telemedicine, copies of the communications sent by these services contain individually identifiable healthcare information which are stored on the service providers’ servers.  As a result, the HIPPA Security Rule dictates that DPC providers who use these systems have a Business Associate Agreement with their communication provider (i.e. Verizon, Skype or Google). Because it is highly unlikely that this would ever happen, the DPC provider would be liable for any fines or civil violations should a breach occur due to Skype, Google or Verizon’s lack of HIPAA-compliant security measures. All of this points to the need for DPC providers to obtain advice from a HIPAA expert on how to identify telemedicine platforms that are HIPAA compliant and how to include these in the DPC Providers HIPAA compliance risk assessment and HIPAA compliance policies.

Kathrine Nicol is a HIPAA compliance expert. Contact her today to discuss how to ensure your telemedicine platforms are HIPAA compliant.

/by
You might also like
Health law news New Florida Direct Primary Care Law
Health law news US House of Representatives Approve HSA Expansion
Health law news The National: Chiropractors in DPC

Choose Nicol Health Law

Guiding healthcare facilities, physician practice groups, and individual practitioners through the maze of legal and compliance regulations.


Get in touch


Nicol Health Law, LLC | Kathrine S. Nicol | Health Law and Direct Primary Care Attorney
Phone: 303.638.1117 | Email: kat@nicolhealthlaw.com

DISCLAIMER

The information contained in this website is for general information purposes only. The information is provided by Nicol Consulting, LLC and while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.

© 2018 Nicol Health Law, LLC

The National: Chiropractors in DPC Health law news