Information About Telehealth and HIPAA
There are two main alternatives for healthcare professionals to provide telehealth services to their patients: (1) Working with a telehealth vendor or (2) Working independently using web-based applications available in the marketplace.
Regardless of the alternative used, professionals who offer telehealth services should take care to ensure that the technology utilized complies with the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (45 C.F.R. Parts 160 to 164) ("HIPAA"). Use of common mobile and/or web-based tools/applications (apps) to provide telehealth services may put individuals' protected health information ("PHI") at risk. In addition, professionals should ensure that any vendor technology used is also compliant with HIPAA.
The risks of using applications or technology that do not comply with HIPAA include the following (not a comprehensive list):
- Such apps may “eavesdrop” on communications as part of their routine operations and collect information for their own use;
- All connections (friends) in a network are alerted when a patient logs in to a telehealth session;
- Such apps do not offer the HIPAA-required audit trails that would allow information leaks to be traced; and
- Such apps may have functions or workflow designs that make it easy for PHI to be exposed.
Health care professionals who use any modern technology to communicate with patients, whether through email, telephone, or telehealth technology, must ensure that their use is compliant with HIPAA, including the related risk assessments and the use of reasonable security safeguards whenever available. Cigna Behavioral Health urges network providers to utilize HIPAA-compliant technologies in the delivery of telehealth services because of the inherent risk of unauthorized disclosure of PHI, as well as the potential liability risk to the healthcare professional. Certain web-based apps are convenient to use and are usually offered to the health care professional at no charge; however, if PHI is disclosed in violation of HIPAA, the healthcare professional may be held accountable and may be exposed to penalties.
What can you do to support HIPAA compliance in the telehealth environment?
- Work with an established telehealth vendor and ensure that the vendor’s technology is HIPAA compliant;
- Use a technology that streams directly from endpoint to endpoint, so that information is not stored on the app's servers or subject to easy interception;
- Use applications or platforms that utilize Advanced Encryption Technology; and
- Retain videoconference sessions in compliance with your medical record retention policy.
In addition, providers can consult with the American Telemedicine Association (ATA), a leading international resource and advocate promoting the use of advanced remote medical technologies. Currently, ATA endorses the following technologies for the purpose of providing telehealth services *:
- VSee: http://vsee.com/
- Vidyo: http://www.vidyo.com/
- Polycom: http://www.polycom.com/
As a reminder, HIPAA is the federal law that protects the privacy and security of your patients’ personal health information. The intent of this newsletter is to provide you with information on HIPAA and telehealth, so you can better inform yourself concerning your compliance responsibilities. It is not intended as legal advice. You should always consult with your HIPAA compliance expert or legal counsel if you have questions or concerns.
* Cigna does not endorse the advanced remote medical technologies listed. Please consult the American Telemedicine Association for details on these technologies.