HIPAA Compliance for Telehealth to Be Required Again on August 9

By Mark Moran
Published Online: 31 May 2023

Abstract

HIPAA compliance is about more than just technology—it also means having physical or environmental and process security measures in place. A business associate agreement with a vendor may be necessary to ensure compliance with HIPAA.

The federal Office for Civil Rights (OCR) in April extended the deadline for requiring telehealth compliance with the Health Insurance Portability and Accountability Act (HIPAA) by 90 days, to August 9.

At that time, health care professionals practicing telehealth must comply with HIPAA’s Security Rule and will no longer be able to use standard video technologies such as Zoom, Skype, or Facebook to meet with patients, as they had been allowed to do during the Public Health Emergency (PHE), which ended on May 11. Even before the new deadline, psychiatrists and other health care professionals need to pay attention to state rules about HIPAA compliance as well as the requirements of their institution, organization, or practice.

“OCR is providing this transition period to allow health care practitioners and practices to make necessary changes to ensure that their telehealth technologies are private and secure in a way that is adherent with HIPAA rules,” said Shabana Khan, M.D., chair of the APA Committee on Telepsychiatry. “Though OCR has provided this 90-day transition period through August 9, telehealth clinicians must also consider state rules and practice or organization requirements when deciding which technologies to use for telehealth services. We have this flexibility at the federal level, but an organization may require that their clinicians use approved HIPAA-adherent technologies.”

HIPAA, which was signed in 1996 by President Bill Clinton, sets national standards for health information protections. The U.S. Department of Health and Human Services (HHS) established these standards to ensure that protected health information (PHI) processed and used by “covered entities” is private and secure. OCR is responsible for implementing and enforcing this rule. HIPAA requirements cover a broad range of patient data and information, including making an appointment, conducting the appointment, and billing the patient’s insurance.

HIPAA encompasses two major rules: the Privacy Rule and the Security Rule. The Privacy Rule protects all identifiable data of an individual patient; the Security Rule, a subset of the Privacy Rule, protects information that a covered entity creates, receives, maintains, or transmits in electronic form.

So what does it mean to be HIPAA compliant when providing telehealth services? Importantly, it is not just about technology. It also means having physical or environmental and process security measures in place to ensure that only those who are supposed to have access to patients’ information are able to get it.

“Environmental privacy best practices include clinicians connecting from a private space and letting patients know if there are others in the room with them—for instance, a nurse or medical student who may be off screen,” Khan said. “Clinicians should also provide guidance to their patients on the importance of connecting to telehealth visits from a private space and avoiding public or semi-public settings. Clinicians can also ask patients if there is anyone in the room with them at the start of the visit. This demonstrates to patients that their telehealth clinician values protecting their health information.”

Technology features that can help a HIPAA-covered entity meet compliance requirements include the following:

• Fully encrypted data transmission.
• Additional authentication and security through required passwords.
• Secure point-to-point connection.
• Private high-speed network.
• Administrative, physical, and technical safeguards for electronic protected health information.
• Audit controls.
• Breach notification.

John Torous, M.D., chair of the APA Committee on Mental Health IT, said psychiatrists must use vendors of telehealth technology who can assure HIPAA compliance and have a signed business associate agreement (BAA).

“Often you can use the same product (such as Zoom) without a BAA, but to make it HIPAA compliant, a psychiatrist needs to use the version of Zoom that requires the signature of a BAA,” he wrote in an email. “Regardless of the technology, being HIPAA compliant means the psychiatrist still has to offer reasonable physical safeguards (such as keeping computer passwords secure) and have process safeguards in place too (restricting access to patient files, creating plans for appropriate use of data).”

Resources

• HHS Office for Civil Rights Announcement
• HIPAA & HIT: A Primer
• Summary of the HIPAA Privacy Rule
• The Security Rule