TELEMEDICINE LEGAL SERIES—PART 5: HIPAA
PRIVACY, CONFIDENTIALITY, AND SECURITY ISSUES ARISE WHEN PRACTICING TELEHEALTH OR TELEMEDICINE JUST AS THEY DO IN A BRICK-AND-MORTAR PRACTICE. IT’S ESPECIALLY IMPORTANT TO UNDERSTAND THESE ISSUES, SINCE MANY CLINICIANS ADVERTISE ON THEIR WEBSITE THAT THEY ARE “HIPAA COMPLIANT.”
DOES HIPAA APPLY?
Stated in the most basic terms, HIPAA applies to the use and disclosure of protected health information (“PHI”) if transactions are billed electronically for third-party reimbursement.
Given that there are more and more laws requiring reimbursement of telemedicine encounters, clinicians involved in telehealth need to understand HIPAA, as HIPAA may, in fact, apply. However, to the extent clinicians are in a cash practice and not billing insurance electronically, HIPAA does not apply.
STATE LAW PRIVACY & SECURITY RULES
Even if HIPAA does not apply, state rules can require privacy and security safeguards for PHI.
For example, California has the Confidentiality of Medical Information Act (CMIA). This statute imposes certain obligations with respect to disclosure of patient medical information, and governs patient access to medical records.
State laws, including those of California, typically require that healthcare providers make reasonable efforts to maintain the privacy and security of medical information. In addition, these state laws usually require the patient's consent or authorization before information regarding genetics, HIV treatment, and other specialized medical documentation is disclosed.
Other sections of state law govern such matters as retention of medical records, as well as responsibility regarding reporting communicable diseases.
Where HIPAA applies, it supersedes relevant state law standards, unless state law is found to be more stringent. HIPAA does not preempt state requirements related to reporting of disease, child abuse, birth and death, nor does it preempt state requirements that authorize public health surveillance, public health investigation, or intervention. In addition, state and federal law, as well as hospital policies, may establish stricter standards than HIPAA.
Increasingly, states also regulate privacy breaches. For example, the California Department of Health Care Services has a webpage describing procedures that should be followed in the case of a privacy breach or unauthorized disclosure of personal confidential information that violates state or federal privacy laws. The Department also has a Privacy Office which conducts incident investigation, privacy training, and compliance audits. The Office describes examples of privacy breaches, including:
- Loss or theft of documents containing PHI.
- Mailings to incorrect providers or beneficiaries.
- Stolen, unencrypted laptops, hard drives, thumb drives, or PCs with PHI.
The bottom line is that practices need to demonstrate efforts regarding privacy and security compliance, regardless of whether HIPAA applies.
PRIVACY AND SECURITY COMPLIANCE
There is a danger in asserting that one is ‘HIPAA compliant’, in that this can constitute false advertising if the practice is, in fact, not making reasonable efforts to comply with all the requirements of HIPAA.
Reasonable legal compliance efforts—whether under HIPAA or state laws that often mirror HIPAA—should include:
- Appointing a Privacy Official and a Security Official to ensure the privacy and security of PHI transmitted within and by the organization, whether through its brick-and-mortar practice or through telemedicine.
- Creating a ‘Privacy and Security Practices Manual’ that is tailored to the practice.
- Ensuring everyone in the workforce has HIPAA privacy and security training, and documenting their attendance at the training.
The privacy and security practices manual should contain written policies and procedures covering the documentation, maintenance, and transmission of records of encounters that use telemedicine services. These should address:
- Privacy of patient records.
- Administrative, physical, and technical safeguards regarding the security of patient medical information.
- Forms to document workforce HIPAA training.
- Policies, procedures, and forms relating to privacy and security of PHI.
Policies and procedures should be periodically evaluated to ensure all are current. They should be accessible and readily available for review.
Importantly, HIPAA requires that business associates of a covered entity also comply with HIPAA. The healthcare provider is the covered entity; a business associate is anyone who creates, maintains, receives, or transmits PHI on the covered entity's behalf. This could be, for example, the billing company that the practice employs. These business associates must also put compliance measures into place, and the covered entity should ensure that its business associates are doing so.
Failure to have written arrangements in place for business associate compliance can result in liability to the covered entity.
Even if not technically under HIPAA, the organization should cover its liability exposure by having an agreement in place that obligates the business associate to reasonable compliance.
Increasingly, telemedicine is seen as an integral part of medicine, with a seamless physician-patient relationship that is more virtual than physical. To ensure patients receive high-quality treatment, state laws and medical board regulations require that the standard of care in telemedicine reflect that of an in-person physician-patient encounter.