Telemedicine services are an increasingly popular amenity for healthcare providers to offer patients, but unless the video service used is specifically developed for healthcare providers, it is likely in violation of HIPAA and could result in sizable fines.
HIPAA Rules
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains two rules that dictate how healthcare providers must protect their patients’ information. This includes any interactions via videoconferencing.
- Privacy Rule
The Privacy Rule requires that healthcare providers use administrative, physical, and technical safeguards to protect a patient’s health information, whether it be in written, oral, or electronic form. However, the rule is deliberately flexible so that health providers can make their own determinations on safeguards that best match the needs of their practices.
- Security Rule
The Security Rule is focused solely on electronic records and dictates the implementation of security measures to ensure that those records remain private. The two rules are closely related, with the Security Rule adding additional protections on top of those mandated by the Privacy Rule.
HIPAA Enforcement
HIPAA is enforced by the Health and Human Services Office for Civil Rights (OCR), which investigates potential violations and levies fines. In 2009, OCR’s ability to enforce HIPAA was strengthened with the passing of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which increased potential fines and created four tiers of penalty amounts from $100 to $1.5 million per violation. The HITECH Act also bars organizations from claiming ignorance of HIPAA rules as a defense in order to avoid penalties.
Why Act Now?
HIPAA allows healthcare providers to make security decisions based on risk analyses. In a risk analysis between using a non-HIPAA-compliant video service and a HIPAA-compliant service, there would be few, if any, arguments for using the former over the latter.
While HIPAA-compliant services may not be free, they are relatively inexpensive, easy to install, and easy to use. Therefore, any healthcare provider not using a HIPAA-compliant service is liable to be investigated and fined by OCR for not taking appropriate measures to safeguard their patients’ protected health information.
Since 2003, OCR has investigated over 100,000 cases, levying over $75 million in fines. One of the top five compliance issues investigated was a lack of safeguards over electronic protected health information, and the two types of entities investigated most often have been general hospitals and private practices and physicians. OCR has taken, and will continue to take, punitive action against healthcare providers of any size who do not safeguard their patients’ protected health information.
In addition to being fined, any healthcare provider that ends up on the HHS “Wall of Shame” has damaged their reputation. If a provider does not do everything possible to secure their patients’ protected health information, then not only are they in violation of HIPAA, they are violating their patients’ trust.
HIPAA-Compliant Video Conferencing
With many seeing telemedicine as the future of healthcare, it is essential that healthcare providers offering this service use a HIPAA-compliant video service with appropriate encryption and the ability to set user roles and permissions for staff members.
For further protection, that video service should also include a Business Associate Agreement, which states that any potential security breach or mishandling of protected health information on the service provider’s part is the liability of that provider, not the medical practice.
Protecting a patient’s health information should be a health provider’s top priority. Not only is it the law, it’s good business sense and the right thing to do.
SecureVideo is a HIPAA-compliant video service that securely connects patients and providers across the world. If you’re interested in learning more, contact us today.