Health care providers (HCPs) need to understand and apply compliance measures under the applicable regulations while preparing for and engaging in telehealth arrangements. A key piece of legislation is HIPAA, the Health Insurance Portability and Accountability Act (45 CFR Part 164). It is the law that defines rules for managing the privacy and security of covered information (also called protected health information, or PHI), grants individuals access to their own medical records, and supports the right of individuals to authorize viewing (or disclosure) of their own medical records outside of treatment, payment, and healthcare operations.
HIPAA was enacted and signed into law in 1996 to establish national standards for healthcare transactions. Several updates have occurred over the last 24 years, including:
The Privacy Rule applies to all protected health information (PHI) in any form, whether spoken, written, or stored in systems. The rule addresses the right of access, consent to treat, disclosure, and correction of protected health information. PHI comprises 18 identifiers. The elements are:
The Security Rule applies to electronic forms of PHI stored in systems. The rule identifies requirements for administrative, physical, and technical safeguards: countermeasures that ensure the confidentiality, integrity, and availability of electronic PHI.
Key requirements for security countermeasures include:
| Standards | Sections | Implementation Specifications (R) = Required, (A) = Addressable |
|---|---|---|
| Administrative Safeguards | | |
| Security Management Process | 164.308(a)(1) | Risk Analysis (R) |
| | | Risk Management (R) |
| | | Sanction Policy (R) |
| | | Information System Activity Review (R) |
| Assigned Security Responsibility | 164.308(a)(2) | (R) |
| Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A) |
| | | Workforce Clearance Procedure (A) |
| | | Termination Procedures (A) |
| Information Access Management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R) |
| | | Access Authorization (A) |
| | | Access Establishment and Modification (A) |
| Security Awareness and Training | 164.308(a)(5) | Security Reminders (A) |
| | | Protection from Malicious Software (A) |
| | | Log-in Monitoring (A) |
| | | Password Management (A) |
| Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency Plan | 164.308(a)(7) | Data Backup Plan (R) |
| | | Disaster Recovery Plan (R) |
| | | Emergency Mode Operation Plan (R) |
| | | Testing and Revision Procedure (A) |
| | | Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | (R) |
| Business Associate Contracts and Other Arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| Physical Safeguards | | |
| Facility Access Controls | 164.310(a)(1) | Contingency Operations (A) |
| | | Facility Security Plan (A) |
| | | Access Control and Validation Procedures (A) |
| | | Maintenance Records (A) |
| Workstation Use | 164.310(b) | (R) |
| Workstation Security | 164.310(c) | (R) |
| Device and Media Controls | 164.310(d)(1) | Disposal (R) |
| | | Media Re-use (R) |
| | | Accountability (A) |
| | | Data Backup and Storage (A) |
| Technical Safeguards (see §164.312) | | |
| Access Control | 164.312(a)(1) | Unique User Identification (R) |
| | | Emergency Access Procedure (R) |
| | | Automatic Logoff (A) |
| | | Encryption and Decryption (A) |
| Audit Controls | 164.312(b) | (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or Entity Authentication | 164.312(d) | (R) |
| Transmission Security | 164.312(e)(1) | Integrity Controls (A) |
| | | Encryption (A) |
PHI is considered secured, meaning an unauthorized person cannot use, read, or decipher any PHI they obtain, if your practice engages in the following procedures:
A condition that may constitute a breach occurs if an unauthorized individual overhears an interaction with a patient while the provider (on their end) is engaged in a patient encounter. The same is true if the covered entity does not encrypt the connection for the telehealth engagement, uses an open wireless access point, or uses an insecure application that stores PHI. A risk assessment is needed to determine whether an event is a breach of PHI under HIPAA (ONC, 2020).
When considering the privacy and security of health information, super-sensitive information such as data on pregnancy, AIDS/HIV, some components of behavioral health, and/or substance abuse treatment (informally referred to as "Super PHI") may require additional protections. The HIPAA Privacy Rule requires enhanced protections for this category of information (HHS).
A covered entity may also have requirements under the Confidentiality of Substance Abuse Disorders, also known as 42 CFR Part 2. While HIPAA is governed by the Department of Health and Human Services (HHS), 42 CFR Part 2 is governed by the Substance Abuse and Mental Health Administration (SAMHSA). As it relates to telehealth engagements, the environment and system security requirements are similar to those under the HIPAA Privacy and Security Rules. These include authorization to treat and physical, administrative, and technical safeguards.
For more information, access the following links:
Telehealth technologies offer a variety of benefits in the delivery of mental health services. First, telehealth technologies increase access and reduce costs. Virtual consultations, telephone, and messaging systems bring mental health services to areas with insufficient mental health providers. Telehealth services are convenient, flexible, and save time for clients and providers alike. Virtual consultations can reduce costs by reducing the need for transportation and minimizing costs related to the visit.
Second, telehealth technologies increase the variety of screening and evaluation tools available to health care providers. This can include automated evaluations for conditions such as speech and language disorders, as well as imaging and acoustic analysis in the evaluation of behavior, mood, and affect.
Third, telehealth technologies allow for the delivery of internet-based interventions, such as games for disorders like hyperactivity, autism, and aggressive personality disorders.
Fourth, telehealth technologies facilitate social support networks. Individuals seeking mental health services increasingly take advantage of the internet to meet their emotional and psychological needs. These can include online support groups, in the form of group discussions or chat rooms. Health care providers can collaborate with experts and colleagues to discuss evidence-based practices and emerging trends.
Though telehealth technologies offer numerous benefits to both clients and providers, certain shortcomings present themselves in the delivery of telehealth mental health services. First, telehealth technologies require that both clients and providers have the skills needed to deliver and receive virtual services. Clients and providers with limited skills may struggle, necessitating in-person services.
Second, both clients and providers need access to appropriate equipment and internet access. Unstable internet access and the complications of maintaining updates can make virtual services unpopular. Third, virtual consultations increase the risk of client privacy violations, as those not involved in the client's care may hear the conversation between the client and their provider.
As a quick recap, telehealth technologies offer benefits like increasing client access to services, reducing costs, increasing availability of evaluation and intervention tools, and facilitating social support networks. Though these benefits facilitate the care of mental health clients, some challenges include the requirement of technical skills, access to appropriate equipment, and concerns involving client privacy.
Authored by Cindy Ebner, MSN, RN, CPHRM, FASHRM and Tamika K. Williams, MSIT.CS, CISM, CISSP, CAP, SSCP, HCISPP, COBIT 5 Foundation/Implementation