HIPAA (Health Insurance Portability and Accountability Act), COPPA (Children's Online Privacy Protection Act), and HITECH (Health Information Technology for Economic and Clinical Health) Act requirements all apply to telehealth visits (Balestra, 2018). These requirements govern in-person visits as well as telehealth visits, but they also identify specific requirements for telehealth technology; each contains guidance intended to ensure patient privacy and the security of health information (Bhate et al., 2020).
It is important to consider a patient's personal information, whether it is protected health information (PHI) or electronic protected health information (ePHI). The HIPAA guidelines on telemedicine require that only authorized users have access to patient ePHI, that secure communication channels (not consumer services such as FaceTime, Skype, or Facebook) be used to protect ePHI, and that a method be available to monitor communications containing ePHI for potential data breaches (American Telemedicine Association, 2020). In addition, if you create ePHI in any form (medical records, images, data from an eHealth app, billing, transcription, legal records, etc.) that is stored by a third party, HIPAA also requires you to execute a Business Associate Agreement (BAA) with that third party. A business associate is any third party that performs functions or activities on behalf of a covered entity that require it to access or store PHI or ePHI. The BAA must outline how the business associate will protect the ePHI and must include detailed provisions for regular auditing of the data's security.
The federal government has published a HIPAA audit protocol (HHS Office for Civil Rights, 2018) that details the internal security and privacy protection requirements for healthcare systems. However, the protocol is complex and includes extensive detail that is not always specific to telehealth, so interpreting it is challenging. Zhou et al. (2019) developed and validated a privacy and security self-assessment questionnaire for telehealth providers. It is one example of a validated instrument that gives telehealth providers and professionals a statistically reliable means to self-assess their telehealth systems and programs for HIPAA compliance against the current security and privacy rules governing telehealth practice.
Patient confidentiality and privacy are high on the list of both patient and provider concerns, and breaches of protected health information are costly mistakes. The Cost of a Data Breach Report 2020, released by IBM Security and the Ponemon Institute, put the average global cost of a data breach across all industries at 3.86 million U.S. dollars, while healthcare breaches averaged 7.13 million, making healthcare the most costly industry for the tenth consecutive year (Ponemon Institute & IBM Security, 2020).
Many states and payers require you to obtain patient consent (informed consent) before you can be reimbursed for patient care. The purpose of informed consent is to document that a discussion took place and that the patient was informed of, and able to understand, the information provided. Some states require written consent, some accept verbal consent, and some do not require consent at all; some states also have specific Medicaid requirements regarding consent. It is important to understand the regulations both in the state where you practice and in the state where the patient resides, if the two differ.
Even if informed consent is not specifically required in your state, obtaining it is best practice. The American Telemedicine Association (2020) suggests the informed consent form should include the following:
Before the consent discussion:
Telehealth, or telemedicine, is the practice of using telecommunication technology to provide health care and health-related education remotely. Telemedicine is governed by guidelines similar to those governing a typical health care setting. Overall, these guidelines follow the Health Insurance Portability and Accountability Act, or HIPAA, though they can vary slightly depending on the state and on insurance programs such as Medicaid or Medicare.
One of the foremost of these rules is verbal or written informed consent. It means that clients have the right to be fully informed of the reason for a procedure or treatment, what will be done, who will do it, alternatives to the procedure, and the potential benefits and risks before they consent to it. They can also withdraw their consent at any point during the procedure.
It is important to know that informed consent cannot be given by someone who is mentally incapacitated, sedated, confused, or under the legal age, which is usually 18. Refer to the laws in your state regarding minors' ability to consent to medical treatment. When a person cannot give consent, a relative or other legal representative designated by the client is responsible for giving it.
The American Telemedicine Association, or ATA, suggests that the consent form should, one, inform clients of their rights and responsibilities, including the right to stop or refuse treatment; two, explain the potential benefits, constraints, and risks regarding the privacy and security of telemedicine; three, inform clients of backup plans in case of technology or equipment failures during virtual sessions; and finally, set up a formal complaint process to resolve any ethical concerns or issues that might arise.
Next come the HIPAA Privacy and Security Rules, which govern the use of protected health information. They require that the technology used for telemedicine support fully encrypted data transmission and that video and audio not be stored. However, under exceptional circumstances such as public health emergencies, the Department of Health and Human Services (HHS) can waive these requirements or exercise enforcement discretion for providers acting in good faith.
For example, during the COVID-19 pandemic HHS allowed telemedicine sessions to be conducted over non-public-facing remote communication products such as Apple FaceTime, Zoom, or Skype, while encouraging providers to enable all available encryption and privacy settings.
As a quick recap, telemedicine is governed by guidelines based on HIPAA that vary slightly by state and insurance provider. The most important concern informed consent and the HIPAA Privacy and Security Rules. Informed consent means that clients have the right to be fully informed of the reason for a procedure or treatment, what will be done, who will do it, alternatives to the procedure, and the potential benefits and risks before they consent to it. They can also withdraw their consent at any point during the procedure.
The HIPAA Privacy and Security Rules govern the use of protected health information and require that the technology used for telemedicine support fully encrypted data transmission and that video and audio not be stored.
Review this example of an Informed Consent for telehealth and consider the following points:
Per federal regulations, the following are the required elements for documentation of the informed consent discussion:
Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM and Melissa A. Singer Pressman, PhD, MLIS