HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children’s Online Privacy Protection Act), and HITECH (Health Information Technology for Economic and Clinical Health) Act requirements all apply to telehealth visits (Balestra, M., 2018). These requirements apply to in-person visits and telehealth visits alike, but each also identifies specific requirements for telehealth technology, and each contains guidance intended to protect patient privacy and secure health information (Bhate, C. et al., 2020).
It is important to consider a patient’s personal information, whether it is protected health information (PHI) or electronic protected health information (ePHI). The HIPAA guidelines on telemedicine require that only authorized users have access to patient ePHI, that secure communication channels (not consumer tools such as FaceTime, Skype, or Facebook) be used to protect ePHI, and that a method be available to monitor communications containing ePHI for potential data breaches (American Telemedicine Association, 2020). In addition, if you create ePHI in any form (medical records, images, data from an eHealth app, billing, transcription, legal, etc.) that is stored or handled by a third party, HIPAA requires you to have a Business Associate Agreement (BAA) executed with that third party. The BAA must describe how the third party will protect the ePHI and must include detailed provisions for regular auditing of the data’s security. A business associate is any third party that performs functions or activities on behalf of a covered entity that require it to access or store PHI or ePHI.
The government has published a HIPAA audit protocol (HHS Office for Civil Rights, 2018) that details the internal security and privacy protection requirements for health care systems. However, the protocol is complicated and much of its extensive detail is not specific to telehealth, so interpreting it for a telehealth program is challenging. Zhou et al. (2019) developed and validated a telehealth privacy and security self-assessment questionnaire for telehealth providers. It is one example of a validated instrument that gives telehealth providers and professionals a statistically reliable means of self-assessing their telehealth systems and programs for HIPAA compliance against the current security and privacy rules in telehealth practice.
Patient confidentiality and privacy are high on the list of both patient and provider concerns, and protected health information breaches are costly mistakes. As reported in the Cost of a Data Breach Report 2020 released by IBM Security and the Ponemon Institute, the average global cost of a data breach across all industries was about 3.86 million US dollars, and healthcare was the most “at-risk” and costly industry, with an average cost of about 7.13 million US dollars per breach (Ponemon Institute & IBM Security, 2020).
Many states and payers require that you obtain patient consent, or informed consent, before you can be reimbursed for patient care. Some states require written consent, some verbal, and some none at all; some states also have specific Medicaid requirements. It is important to understand the regulations both in the state where you practice and in the state where the patient resides, if the two differ.
Even if informed consent is not specifically required in your state, it is best practice. The American Telemedicine Association (2020) suggests the informed consent form should include the following:
Think ahead about how you will obtain consent. Traditionally it was discussed during an in-person office visit and consent was obtained at that time before moving forward. Increasingly, the first time you meet a patient may be via telemedicine. Always review the informed consent form together with the patient and give them the opportunity to ask questions. When the first meeting is virtual and you are collecting an electronic signature, decide in advance which forms of electronic signature you will accept: will you use a service such as DocuSign, accept an electronic signature on a PDF, or require patients to print the form, sign it, and scan it back to you? If you obtain only verbal consent, will you make an audio recording of it? Note that such a recording is itself PHI and must be stored and protected like any other part of the record. In every case, make sure it is clear how and where the consent will be documented in the patient’s medical record.
Review this example of an Informed Consent for telehealth and consider the following points:
Per federal regulations, the following are the required elements for documentation of the informed consent discussion: