Toolbox Module

Privacy, Confidentiality and Security

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 (Pub. L 104-191). Congress sought to streamline electronic health record systems while protecting patients, improving health care efficiency, and reducing fraud and abuse. The HIPAA Administrative Simplification provisions required the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addressed the security and privacy of health data. The Office of Civil Rights for HIPAA under the US Department of Health and Human Services is responsible for enforcing HIPAA requirements for most HIPAA covered entities.

Issues regarding privacy and confidentiality in the medical realm are not necessarily different in telemedicine. Providers are required to comply with the same HIPAA requirements whether they are delivering services through telemedicine/telehealth or in person. As with conventional medicine, a telemedicine clinician has the same duty to safeguard a patient’s medical records and keep their treatments confidential. Storage of electronic files, images, audio/video recordings, etc., needs to be done with the same precaution and care ascribed to paper documents. Additionally, providers utilizing telehealth should take steps to ensure that the environment where the telehealth interaction takes place, at both the originating and distant site, is secure and that no patient information is inadvertently exposed.

One unique challenge for telemedicine is to balance the requisite expansion of manpower to manage an electronic system against the increased number of people who then have potential access to a patient’s records. Telehealth often requires consultation with technical personnel, independent of the medical team, who may be exposed to patient data. Therefore, providers may need to enter into business associate agreements with these technical personnel, which obligate them to maintain the same confidentiality required of the provider under HIPAA. Additionally, because of technological constraints, information transmitted over communication lines is exposed to interception by hackers and to other potential disclosure. Therefore, the technology used should be HIPAA compliant, with proper encryption to protect data. Protocols must be scrupulously followed to ensure that patients are informed about all participants in a telemedicine consultation (including technical staff), that the privacy and confidentiality of the patient are maintained, and that the integrity of any data/images transmitted is preserved.

All telemedicine programs should conduct a risk assessment of their data transmission consistent with HIPAA security policies. Staff at both the originating and distant sites should have HIPAA privacy training that meets the standards required at the patient site.

Under the Health Insurance Portability and Accountability Act of 1996, HHS adopted administrative simplification standards applicable to any entity that is a health care provider that conducts certain transactions in electronic form (referred to as a “covered health care provider”), a health care clearinghouse, or a health plan. Individuals, businesses and agencies providing health care services need to carefully assess whether their practice falls into one of these three categories in order to determine whether HIPAA applies to them.

If the person, business or agency furnishes, bills, or receives payment for health care in the normal course of business and transmits any covered transaction electronically, then that person, business or agency is a Covered Health Care Provider subject to HIPAA.

If the business or agency processes or facilitates the processing of health information from a nonstandard format or content into a standard format, or vice versa, or performs this function for another legal entity, then that business or agency is a health care clearinghouse subject to HIPAA.

If the plan is for an individual, a group, or some combination thereof, provides or pays for the cost of medical care, has more than 50 participants, and is not self-administered, then it is a private benefit plan subject to HIPAA. Covered benefit plans include health insurance issuers, Medicare supplement policy issuers, HMOs, Multi-Employer Welfare Benefit plans, long-term care policies that provide services in addition to excepted benefits, and nursing home fixed-indemnity policies.

Additional Resources

HHS’ Office of Civil Rights for HIPAA

TRC Consortium Infographic on HIPAA