Startups have blended telehealth reality for both healthcare providers and patients. However, unlike other industries, telehealth applications may come into contact with HIPAA data protection since HIPAA defines health care rules. It is, therefore, important for developers to familiarize themselves with certain rules before coming up with these apps.
HIPAA (Health Insurance Portability and Accountability Act) is a law that regulates the management, storage, and transmission of PHI by healthcare professionals and their business associates (vendors or subcontractors who have access to PHI). PHI (protected health information) refers to any information in a medical record created, used, or disclosed while providing health care services that can be used to identify an individual.
Although the September 2013 Omnibus Rule Update clarified HIPAA, developers find it difficult to interpret its technical specifications. One of their primary concern is how to add HIPAA compliant video to a healthcare app. To address this, developers need to understand how this law works.
HIPAA compliance for Telemedicine Video Doctor Visits
There are two major sections that govern HIPAA; the Privacy Rule and the Security Rule. The Privacy Rule applies to PHI in any form. It requires covered entities to set up physical, technical, and administrative safeguards to protect PHI.
The Privacy Rule compliance is only applicable if your app creates, maintains and transmits PHI: If it does, then it is imperative for you to meet the requirements of the Privacy Rule and obtain satisfactory assurances.
Security Rule closely affects developers as it applies to E-PHI (protected health information in electronic form). The rule discusses acceptable ways to implement necessary security measures to protect E-PHI from unauthorized access, deletion, alteration, and transmission. It addresses video conferencing concerns in a straightforward way, stating that E-PHI excludes information that did not exist in electronic form before transmission such as video teleconferencing, paper-to-paper faxes and messages left on voicemail.
HIPAA defines electronic media as transmission media used to exchange information that is already in electronic storage. It means that your telemedicine app only need to meet the requirements of the Security Rule only if it has capabilities to record the consultation between the doctor and a patient.
A number healthcare apps often rely on another party to power the video calling feature making the other party a business associate as well. In such a case, you must obtain satisfactory assurances that the third party meets the requirements of the Privacy Rule.
How can telemedicine app developers reduce the burden of HIPAA compliant?
Choosing a video conferencing service that does not require PHI access can contribute to reducing this burden.
The health information of a patient is considered to be PHI only if it belongs to someone who can be identified. To reduce the burden of HIPAA compliance, telehealth app developers can use opaque user IDs to authenticate users to the video call anonymously.
Ensuring that you are not sharing PHI with a third party is also a vital factor to consider since it helps you avoid extending HIPAA applicability to the other party
Remember that all these are applicable in cases where there is no storage of conversations. Security measures set by HIPAA may not provide the level of privacy you aim to have for your app, and it is, therefore, important to consider other measures such as end-to-end encryption.
HIPAA compliance is ultimately the responsibility of telemedicine app developers, and they are required to take the necessary security and safety measures. However, developers should be in a position to determine if a telehealth app needs to be HIPAA compliant or not.