PHI on the Cloud and White Label Covered Entities: HIPAA Challenges for Telemedicine Providers

Arnall Golden Gregory LLP
Both telemedicine providers and technology companies that serve the telehealth industry face some unique and sometimes complicated challenges dealing with HIPAA, especially as it relates to the storage, transmission, and use of Protected Health Information (“PHI”). With the recent explosion of tech-savvy communication methods and cloud storage capabilities, telemedicine, while often saving patients and doctors time and reducing overall healthcare costs, also presents ever-expanding risks that may lead to violations of patients’ privacy rights under HIPAA. 

Imagine a telemedicine company that has contracted with various employers or insurers to provide telemedicine services to their members. The telemedicine company then contracts with a web development company to build its website and maintain the back-end of its interface. The telemedicine company has yet another contract with a physician group or locum tenens agency, which actually provides the doctors. There may be any number of additional technology vendors, providing videoconferencing feeds, cloud storage, telephone and internet bandwidth, email solutions, statistical compilations, and access to electronic health records.

However, the telemedicine company desires to maintain (or build) its brand recognition and goodwill, so it requires many (or all) of these companies to provide their services on a white-label basis, rebranded to appear to the customer as if they are provided directly by the telemedicine company. 

What if the telemedicine company also desires to build a database of recorded customer/patient interactions with their treating physician? When these audio or video interactions are stored on the cloud, the patient can listen to exactly what his or her doctor said during a prior consultation. But the telemedicine company (or its vendor) now has a very quickly growing trove of PHI that must be secured according to HIPAA with highly restricted access, except with the patient’s proper authorization or another HIPAA-compliant use.

These situations are not out of the ordinary in the telehealth industry. However, they create some extraordinary challenges when so much healthcare data, PHI in most cases, is passed around to so many different companies and each company is not absolutely sure of its role. The data are potentially exchanged by and stored in numerous different technologies, some by non-healthcare-specific companies that may not understand the intricacies of HIPAA. Additionally, these companies and their customers may be located in different states throughout the country, each with its own state healthcare-related security and privacy rules. HIPAA compliance is a minimum requirement – a floor, not a ceiling – as it relates to healthcare privacy, so states’ privacy rules must be considered as well. 

AGG Observation 

The following are just some of the considerations that a telemedicine company must contemplate when building a business model, establishing vendor or provider relationships, and expanding into new markets or technologies:

  1. What is PHI? Generally, recorded calls, video consultations, or emails between a patient and doctor are PHI, but are the logs recording that the call took place PHI? What if a patient has the capability to text or instant message their doctor? What about data stored by wearable fitness trackers? What about statistical compilations of several patients’ consultations? This requires a careful examination of exactly what data are retained and for what reason.
  2. How are data going to be saved and why? This is key – if a video telemedicine consultation between doctor and patient is recorded, then that recording is considered PHI. Will it be stored on the cloud where the patient has access to it? Who else has access to it – the website provider, the data storage provider, a quality assurance committee – and how is it encrypted? This is especially problematic if quality assurance reviews are done by a company that does not provide the initial consultation, again confusing the lines over who is the covered entity. Business associate agreements must be in place and each organization’s role must be clearly delineated.
  3. Who is the covered entity under HIPAA? When one company is the branded telemedicine provider, but another is providing the physicians, then it may be that the physician provider is the covered entity, and the service contract and business associate agreement must reflect that.
  4. What are the state healthcare privacy and security rules? HIPAA provides a federal floor of privacy protections for PHI when that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to HIPAA are preempted by the federal requirements, unless a specific exception applies. However, if state laws are more stringent, then a company must comply with those as well. Therefore, a covered entity and business associate should conduct an analysis of state privacy rules for each state in which they operate, and if any state rule is more stringent, then it must be incorporated into any releases, consents, authorizations, and the notice of privacy practices. Generally, there should be separate sets of forms used in each state.
  5. Is patient care conditioned on an authorization to disclose PHI? A creative telemedicine company may attempt to circumvent some of HIPAA’s requirements by presenting the customer/patient with a release that allows it to share or receive PHI after the patient signs, clicks a box, or answers an automated audio prompt. However, agreeing to an authorization to use or disclose PHI under HIPAA cannot be a condition of treatment or eligibility. Telemedicine companies have to figure out how to provide their telehealth services without requiring the customer/patient to release his or her PHI, even if the patient usually will.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Arnall Golden Gregory LLP | Attorney Advertising
