As most practices are aware, the COVID-19 public health emergency ended on May 11, 2023, and with it came the end of relaxed HIPAA rules for providers meeting with patients over telehealth. The Office of Civil Rights (OCR) has given providers a 90-day flexibility period to ensure telehealth systems and practices are in line with the HIPAA rules, but after August 9, 2023, you must be fully compliant.
To ensure that your practice’s telehealth policies and practices are HIPAA-compliant, check these essential best practices.
1. Update Your HIPAA Policies
Your practice likely had HIPAA policies in place prior to the pandemic, but a lot has changed since then. In fact, many practices weren’t performing telehealth at all before the PHE, so incorporating your telehealth policies into your staff HIPAA guidelines is essential now. If the OCR investigates your practice, not only will they ask about the specific complaints or violations they’ve come to investigate, but they’ll also ask to see your HIPAA policies. Ensuring that they’re up to date will help protect your practice.
2. Train Staff About HIPAA Policies
After updating your HIPAA policies, it’s important to train your staff about them. This shows that your practice made a good faith effort to ensure that the entire team is maintaining compliance with your policies, and it could help you face lower fines and penalties than practices that have no updated policies or didn’t train staff on them.
3. Notify Patients About Their Rights
One of the central tenets of HIPAA is that the practice must notify patients about their privacy rights and how their information will be used. Surely you give patients your Notice of Privacy Practices when they first join your practice, but is it on your website as well? Many telehealth patients will never set foot in your office, and therefore won’t be there to sign a paper document. They’ll still need to access your notice and acknowledge that they read it, whether or not they come to your office.
4. Ensure That Telehealth Systems Are Secure
With the PHE over, you can no longer use any old non-secure communication method to talk to patients. Instead, you must ensure that your platforms are secure and private. When a patient is in your office, you don’t discuss their private medical history in the lobby, right? The same concept applies when you’re providing telehealth services. You need to use all of the technology at your disposal to confirm that your patient conversations are completely secure and private.
In addition, the electronic documentation you maintain following a telehealth visit must be secure and digitally protected, as must recordings of visits, if you keep them.
5. Talk to Vendors About Security
Almost every time you meet with a patient over telehealth, the electronic communication platform belongs to a third-party vendor, so you need written assurances from the vendor that the platform is safe, secure, private and HIPAA-compliant. The vendor should be conducting security risk assessments, just as your practice must.
Ensure that you have business associate agreements (BAAs) with every vendor, and document not only who your point of contact with the vendor is, but also how frequently you are in touch, to demonstrate an ongoing commitment to privacy and security.
There’s much more that practices need to know about keeping telehealth systems HIPAA-compliant. To learn the essentials about this topic, join healthcare attorney Amanda Waesch, Esq., during her online training, Comply With Modified HIPAA and Telehealth Rules, Prevent Penalties. Sign up today for this one-hour event so you can stay on the right side of the HIPAA rules!