Business

Guidelines on HIPAA-compliance for telemedicine

Learn about HIPAA guidelines on telehealth for your wellness practice. Read about telehealth privacy and how to keep client information secure.

Published on May 08, 2020
Updated on Jul 31, 2024

Telehealth was first used broadly by primary care physicians, dermatologists, radiologists, and psychiatrists, but is now rapidly expanding throughout healthcare.  Especially recently, there has been a major shift to providing healthcare using telehealth for increased convenience and flexibility from all types of health providers, including nutrition and wellness professionals.  

While telehealth is a powerful tool that allows more convenience and flexibility for both providers and patients, it does post new challenges for wellness professionals to safeguard client information. With advances in technology, and easily affordably telehealth platforms, many nutrition, and wellness professionals are evolving their private practices to include virtual services.

In response, telehealth platforms are quickly putting their own HIPAA safeguards in place so that providers can continue to offer healthcare solutions no matter where patients are located.  HIPAA compliance is a requirement, not a guideline when it comes to providing telehealth for wellness services.

Why HIPAA-compliance is important for telehealth wellness providers

HIPAA, which stands for the Health Insurance Portability and Accountability Act, ensures that a patient’s health information would be protected in a consistent and secure manner by all health professionals.  While it is just as important to keep client information secure when seeing clients in person, it is generally easier to do so.  You are communicating within your private office, storing information on physical chart notes and intake forms.

However, when holding appointments virtually and storing client information electronically, it is much more difficult to keep that information secure and safe.  HIPAA-compliance ensures that the method you use to communicate with clients, share personal information, and hold appointments will store the data safely, and protect both you and your clients from any breach in security.  

Additionally, maintaining HIPAA-compliance puts clients at ease, assuring them their health information is kept private.  While telehealth is becoming increasingly common in healthcare, it is still new to many patients and can feel uncomfortable or unfamiliar when transitioning to telesessions.

Showing clients the steps you have taken, such as putting safeguards in place to maintain confidentiality, will help them feel confident that their information is safe when working with you virtually.  

{{free-trial-signup}}

Ways to keep HIPAA-compliance with telesessions

There are a few quick and easy ways to ensure that the telehealth technology you’re using is HIPAA-compliant. Be sure to follow each of the steps below so that you are protecting both you and your clients when holding virtual wellness appointments.  

Step 1. Obtain a telehealth informed consent from your client

Depending on your state, receiving a telehealth informed consent form may be required for your profession (regulations vary by profession, depending on state regulations). In states without strict regulation for dietitians, nutritionists, or other wellness professionals, clients may legally only need to provide their verbal consent for telehealth care.

While getting a patient’s consent for telehealth visits may not be a requirement in your state, you may still want to consider having your clients fill out a telehealth informed consent form regardless of the regulations. Depending on your professional liability insurance servicer, you may need to have a telehealth consent form on file to activate your coverage.

Healthie has created a sample telehealth consent form for you, free for download.  If you are a Healthie member, this form is already preloaded into your account,

Step 2. Request a Business Associates Agreement for your telehealth platform

When storing PHI electronically by a third party, such as an EHR platform, you must have a Business Associates Agreement (BAA) with them.  According to HHS, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to a covered entity that involve access by the business associate to protected health information.”  A business associate may be:

  • Your EHR platform, like Healthie
  • Videoconferencing software
  • A clearinghouse that files insurance claims

Under HIPAA laws, covered entities (i.e. your  wellness business) must have a BAA with the third-party (business associate).  The contract will describe how the third party protects and secures the PHI to which they have access, and outline the “uses and disclosures of the protected health information by the business associate.”

What should a BAA include?

  • Well-Defined Terms: All contracts require clear outlines for key terms in order to avoid legal ambiguity. Phrases like “protected health information,” “business associate,” and “HIPAA” have specific definitions. You and your business associate should understand what they mean.
  • The Process For Dealing With a Data Breach: How will the BA handle a data breach if it were to occur? This is possibly the most important part of a BAA. As partners, your BA should be just as accountable as you are if a data breach occurs; your contract should reflect this idea.
  • How the BA Handles Audits From the Office of Civil Rights (OCR): HITECH specifies that HIPAA-compliant BAs are subject to audits from the OCR. Make sure the BAA details exactly how a BA will report and fix any complaints filed by the OCR.

For current Healthie members: you can view a copy of Healthie’s Business Associate’s Agreement (BAA) here.

Step 3. Conduct telehealth sessions in a private location

When holding telehealth appointments, it is extremely important to call clients from a secure and private location, such as your office or clinic.  This ensures that personal health information will not be overheard by others it is not intended for.  Providers should not hold sessions in public places, such as coffee shops or co-working spaces, in order to protect your client’s privacy.

If for some reason you are unable to hold sessions in a completely private space (i.e. you need to chat with clients from home), you are expected to implement other safeguards to ensure HIPAA-compliance.  These include lowering your voice, not using speakerphone, and recommending that the client move away from others to protect their privacy.  

Whether you host telehealth appointments in your office or your home, protecting your client’s personal information is of the utmost importance.  Be sure to enforce these safeguards as you transition to offering telehealth services in your business. Healthie’s Plus, Group, and Enterprise levels all integrate with HIPAA-compliant Zoom.

Tips for choosing HIPAA-compliant telehealth technology

When looking for HIPAA-compliance in a telehealth tool, there is no need to search for an add-on to what you already use to run your business. Choosing an EHR and telehealth platform, like Healthie, which is fully HIPAA compliant ensures that your client’s private health information is protected every step of the way. With Healthie, clients receive access to their secure client portal, which enables them to complete forms, sign policies, upload health information, message their wellness provider, and more, all within the same HIPAA compliant tool.

As the provider, you have access to all of your clients’ information in one place.  You can bill clients, fill out chart notes, store personal health information, and send HIPAA-compliant chat and email messages to clients for check-ins.  Additionally, with Healthie’s Video Call feature, you can hold virtual appointments through the platform.

Both you and your clients can access the appointment from phone or computer, making virtual appointments both flexible and secure.  Healthie’s integration with Zoom allows you to expand your offerings to include webinars and virtual group sessions as well.  

At Healthie, we maintain our HIPAA compliance while being hosted through Microsoft’s servers through a similar BAA. We additionally encrypt the private data collected on our platform to prevent information theft or security attacks. All data within our system is tightly controlled. All entries are logged and all information is kept so that it may be audited. Healthie receives an A+ rating in security from the external tester SSL Labs.

Here are additional resources to help you learn how Healthie keeps your business HIPAA-compliant.

If you are at all concerned about the security of your information or have any additional questions, you can learn more about Healthie’s high-security standards here or reach out to us at any time at hello@gethealthie.com.

Launch, grow & scale your business today.

Business

Guidelines on HIPAA-compliance for telemedicine

Learn about HIPAA guidelines on telehealth for your wellness practice. Read about telehealth privacy and how to keep client information secure.

Telehealth was first used broadly by primary care physicians, dermatologists, radiologists, and psychiatrists, but is now rapidly expanding throughout healthcare.  Especially recently, there has been a major shift to providing healthcare using telehealth for increased convenience and flexibility from all types of health providers, including nutrition and wellness professionals.  

While telehealth is a powerful tool that allows more convenience and flexibility for both providers and patients, it does post new challenges for wellness professionals to safeguard client information. With advances in technology, and easily affordably telehealth platforms, many nutrition, and wellness professionals are evolving their private practices to include virtual services.

In response, telehealth platforms are quickly putting their own HIPAA safeguards in place so that providers can continue to offer healthcare solutions no matter where patients are located.  HIPAA compliance is a requirement, not a guideline when it comes to providing telehealth for wellness services.

Why HIPAA-compliance is important for telehealth wellness providers

HIPAA, which stands for the Health Insurance Portability and Accountability Act, ensures that a patient’s health information would be protected in a consistent and secure manner by all health professionals.  While it is just as important to keep client information secure when seeing clients in person, it is generally easier to do so.  You are communicating within your private office, storing information on physical chart notes and intake forms.

However, when holding appointments virtually and storing client information electronically, it is much more difficult to keep that information secure and safe.  HIPAA-compliance ensures that the method you use to communicate with clients, share personal information, and hold appointments will store the data safely, and protect both you and your clients from any breach in security.  

Additionally, maintaining HIPAA-compliance puts clients at ease, assuring them their health information is kept private.  While telehealth is becoming increasingly common in healthcare, it is still new to many patients and can feel uncomfortable or unfamiliar when transitioning to telesessions.

Showing clients the steps you have taken, such as putting safeguards in place to maintain confidentiality, will help them feel confident that their information is safe when working with you virtually.  

{{free-trial-signup}}

Ways to keep HIPAA-compliance with telesessions

There are a few quick and easy ways to ensure that the telehealth technology you’re using is HIPAA-compliant. Be sure to follow each of the steps below so that you are protecting both you and your clients when holding virtual wellness appointments.  

Step 1. Obtain a telehealth informed consent from your client

Depending on your state, receiving a telehealth informed consent form may be required for your profession (regulations vary by profession, depending on state regulations). In states without strict regulation for dietitians, nutritionists, or other wellness professionals, clients may legally only need to provide their verbal consent for telehealth care.

While getting a patient’s consent for telehealth visits may not be a requirement in your state, you may still want to consider having your clients fill out a telehealth informed consent form regardless of the regulations. Depending on your professional liability insurance servicer, you may need to have a telehealth consent form on file to activate your coverage.

Healthie has created a sample telehealth consent form for you, free for download.  If you are a Healthie member, this form is already preloaded into your account,

Step 2. Request a Business Associates Agreement for your telehealth platform

When storing PHI electronically by a third party, such as an EHR platform, you must have a Business Associates Agreement (BAA) with them.  According to HHS, a business associate is “a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to a covered entity that involve access by the business associate to protected health information.”  A business associate may be:

  • Your EHR platform, like Healthie
  • Videoconferencing software
  • A clearinghouse that files insurance claims

Under HIPAA laws, covered entities (i.e. your  wellness business) must have a BAA with the third-party (business associate).  The contract will describe how the third party protects and secures the PHI to which they have access, and outline the “uses and disclosures of the protected health information by the business associate.”

What should a BAA include?

  • Well-Defined Terms: All contracts require clear outlines for key terms in order to avoid legal ambiguity. Phrases like “protected health information,” “business associate,” and “HIPAA” have specific definitions. You and your business associate should understand what they mean.
  • The Process For Dealing With a Data Breach: How will the BA handle a data breach if it were to occur? This is possibly the most important part of a BAA. As partners, your BA should be just as accountable as you are if a data breach occurs; your contract should reflect this idea.
  • How the BA Handles Audits From the Office of Civil Rights (OCR): HITECH specifies that HIPAA-compliant BAs are subject to audits from the OCR. Make sure the BAA details exactly how a BA will report and fix any complaints filed by the OCR.

For current Healthie members: you can view a copy of Healthie’s Business Associate’s Agreement (BAA) here.

Step 3. Conduct telehealth sessions in a private location

When holding telehealth appointments, it is extremely important to call clients from a secure and private location, such as your office or clinic.  This ensures that personal health information will not be overheard by others it is not intended for.  Providers should not hold sessions in public places, such as coffee shops or co-working spaces, in order to protect your client’s privacy.

If for some reason you are unable to hold sessions in a completely private space (i.e. you need to chat with clients from home), you are expected to implement other safeguards to ensure HIPAA-compliance.  These include lowering your voice, not using speakerphone, and recommending that the client move away from others to protect their privacy.  

Whether you host telehealth appointments in your office or your home, protecting your client’s personal information is of the utmost importance.  Be sure to enforce these safeguards as you transition to offering telehealth services in your business. Healthie’s Plus, Group, and Enterprise levels all integrate with HIPAA-compliant Zoom.

Tips for choosing HIPAA-compliant telehealth technology

When looking for HIPAA-compliance in a telehealth tool, there is no need to search for an add-on to what you already use to run your business. Choosing an EHR and telehealth platform, like Healthie, which is fully HIPAA compliant ensures that your client’s private health information is protected every step of the way. With Healthie, clients receive access to their secure client portal, which enables them to complete forms, sign policies, upload health information, message their wellness provider, and more, all within the same HIPAA compliant tool.

As the provider, you have access to all of your clients’ information in one place.  You can bill clients, fill out chart notes, store personal health information, and send HIPAA-compliant chat and email messages to clients for check-ins.  Additionally, with Healthie’s Video Call feature, you can hold virtual appointments through the platform.

Both you and your clients can access the appointment from phone or computer, making virtual appointments both flexible and secure.  Healthie’s integration with Zoom allows you to expand your offerings to include webinars and virtual group sessions as well.  

At Healthie, we maintain our HIPAA compliance while being hosted through Microsoft’s servers through a similar BAA. We additionally encrypt the private data collected on our platform to prevent information theft or security attacks. All data within our system is tightly controlled. All entries are logged and all information is kept so that it may be audited. Healthie receives an A+ rating in security from the external tester SSL Labs.

Here are additional resources to help you learn how Healthie keeps your business HIPAA-compliant.

If you are at all concerned about the security of your information or have any additional questions, you can learn more about Healthie’s high-security standards here or reach out to us at any time at hello@gethealthie.com.

Scale your care delivery with Healthie+.

All the tools you need to run your practice & work with patients.
All the tools you need to run your practice & work with patients.

All the tools you need to run your practice & work with patients.
All the tools you need to run your practice & work with patients.