2013 HIPAA Modifications change the rules for telehealth relationships.
The HITECH amendment to HIPAA (effective March 25, 2013) lists "persons that provide data transmission services with respect to protected health information to a covered entity and that require routine access to such protected health information" as Business Associates (see page 5571). In our estimation, this provision includes telehealth technology partners who provide real-time support (like us). It requires that we sign a HIPAA Business Associate Agreement (BAA) with you.
The “conduit exception” to this rule is defined narrowly:
“The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services.”
In order to enter into a BAA with you, your telehealth technology provider must meet all of the HIPAA Security requirements themselves. This is why Brother (Omnijoin) has entered into a reseller agreement with Secure Telehealth.
Section 13401 of the HITECH Act provides that the Security Rule’s administrative, physical, and technical safeguards requirements, as well as the Rule’s policies and procedures and documentation requirements, apply to business associates in the same manner as these requirements apply to covered entities.
Under these guidelines, the telehealth technology provider would have to meet the following 44 requirements from the "HIPAA Security Final Rule", pages 45-47:
- 23 Administrative Safeguards
- 10 Physical Safeguards
- 9 Technical Safeguards
- 2 Policies, Procedures and Documentation Requirements
Secure Telehealth meets these (44) requirements and signs a HIPAA Business Associate Agreement with our customers.
Details of our technical safeguards:
- Secure Telehealth encryption is compliant with the Federal Government standard FIPS 140 Level 2. The data payload is encrypted with AES-256. This is high-level (strong) encryption.
- Secure Telehealth encryption is forced “on” for all sessions. There is no way a user or administrator can turn it off.
- Secure Telehealth encryption covers audio, video, and any data that might be shared as part of the session (Powerpoints, documents, chats, white-board, etc.)
- Secure Telehealth encryption does not depend on any outside device or firewall configuration. Therefore, sessions may safely be conducted from any Internet connection, regardless of how sloppy the computer security in the surrounding environment is. This allows sessions to be conducted safely from a physician’s home or small office without worry. It also allows sessions to be sent over the public Internet without worry of unauthorized disclosure through hacking.
- Secure Telehealth video conferences pass through the server in encrypted form, precluding any likelihood of unauthorized access by technicians.
- Secure Telehealth uses digital certificates. A full certificate exchange between endpoints (Public Key Infrastructure with a verified 1024-bit key from Thawte) is used to ensure that parties are who they claim to be.
The patient’s real-time video likeness is the only PHI which may be (occasionally) seen by Secure Telehealth (only when our customers request our presence in a meeting to fix something). Our software does not track patient names or other identifiers. Nor does it pass any information to or from EMR software or record sessions. It operates “blind” in the sense that it does not know who the physician is talking to.
Secure Telehealth signs a HIPAA business associate agreement with our customers to allow our presence in meetings with patients present when requested to fix problems.
Not sure of your own HIPAA compliance status? Click here to download a HIPAA Security Assessment Tool from the HHS web site (HealthIT.gov).