Staying HIPAA Compliant While Leveraging Telehealth

7 min read
March 13, 2024 at 3:00 PM

In the rapidly evolving landscape of healthcare, telehealth has emerged as a pivotal technology, offering unprecedented convenience and accessibility to patients and providers alike. However, as healthcare organizations increasingly adopt these digital health services, the imperative to stay compliant with the Health Insurance Portability and Accountability Act (HIPAA) has never been more critical. Navigating the waters of HIPAA compliance in the telehealth era demands a keen understanding of both the opportunities and the challenges it presents. Software alone cannot achieve HIPAA compliance. Compliance depends on how the software is set up and utilized. Therefore, it's crucial for covered entities and business associates to be knowledgeable about the software's features and capabilities prior to its implementation, as well as being aware of any potential shortcomings.

It's essential for healthcare providers to implement robust strategies that not only enhance patient care through telehealth but also rigorously protect patient privacy and data integrity. This delicate balance is crucial for the continued growth and acceptance of telehealth as a mainstay in modern healthcare delivery.

What Telehealth Platforms Are HIPAA Compliant?

During the COVID-19 national emergency, healthcare providers covered under HIPAA rules were allowed to communicate with patients and offer telehealth services using various remote communication technologies. Recognizing that some of these technologies and their use might not fully align with HIPAA regulations, the Office for Civil Rights (OCR) decided not to impose penalties for noncompliance related to the good faith delivery of telehealth services during this period. This leniency applied immediately and included the use of commonly available video chat applications like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype for telehealth purposes, despite potential privacy risks. Providers were advised to inform patients about these risks and to employ encryption and privacy settings where possible. However, public-facing platforms like Facebook Live, Twitch, TikTok, and others were deemed inappropriate for telehealth use. The OCR also indicated that providers wishing for additional privacy protections should seek telehealth solutions through HIPAA-compliant technology vendors willing to enter into business associate agreements.

On April 12, 2023, the OCR announced the expiration of these enforcement discretion notifications effective May 11, 2023, with the end of the COVID-19 public health emergency, but offered a 90-day transition period for healthcare providers to adjust their telehealth practices to full HIPAA compliance. Going forward, all telehealth services offered by covered healthcare providers and health plans are required to adhere to the HIPAA Rules. These providers and plans must engage technology vendors who are in compliance with the HIPAA Rules and are willing to sign HIPAA business associate agreements when they provide their video communication products or other remote communication technologies for telehealth purposes. The following sections examine whether various popular video communication services qualify as HIPAA approved telehealth platforms.

Is Skype HIPAA Compliant?

Originally, there were two versions of Skype: a consumer version of Skype for individual or small business use, and Skype for Business, designed for larger corporations with advanced security and account management features. Microsoft transitioned from Skype for Business to Microsoft Teams, encouraging businesses to adopt the latter for its integrated security and compliance capabilities within Microsoft’s Office 365 suite. We will only examine Skype HIPAA compliance as it relates to the consumer version. HIPAA compliance for video conferencing tools hinges on several factors: the encryption of data, the execution of a business associate agreement (BAA), and the implementation of audit and breach notification controls.

Skype uses AES 256-bit encryption, which satisfies the encryption requirements for transmitting protected health information.

However, Microsoft will refuse to sign a Business Associate Agreement (BAA) for Skype, which is a crucial requirement under the HIPAA Omnibus Rule for any service handling Protected Health Information (PHI) on behalf of healthcare entities. Despite arguments about Skype potentially being exempt as a "mere conduit" due to its encrypted transmission of PHI without access to the encryption keys, concerns arise because Microsoft, Skype's parent company, can access these keys and has provided information to law enforcement in the past, positioning it as a business associate. Furthermore, Skype lacks explicit assurances for HIPAA compliance, while Microsoft does offer to sign HIPAA-compliant BAAs for Office 365 users, potentially including Microsoft Teams users.

Additionally, the HIPAA Security Rule mandates that covered entities implement technologies with audit controls to track and review activities involving electronically protected health information (ePHI). Skype, however, lacks such audit controls and breach notification capabilities, making it unsuitable for monitoring PHI access.

To summarize, the use of Skype presents challenges due to the lack of a BAA, essential audit controls, and breach notification capabilities, raising concerns over its suitability for HIPAA- compliant healthcare communication. Skype falls short of these standards and would not be considered HIPAA compliant.

Is Microsoft Teams HIPAA Compliant for Telehealth?

Microsoft Teams implements several measures to protect PHI, including unique user access controls, single sign-on (SSO) for seamless access across related systems like Office 365, and Multi-Factor Authentication (MFA) to verify user identity with multiple forms of credentials. Additionally, it maintains audit logs to monitor PHI access and employs encryption to safeguard data, both at rest and in transit. For enhanced communication capabilities, some also opt to integrate Microsoft Teams SMS to facilitate secure messaging with patients. Microsoft is open to signing a business associate agreement, though they emphasize that users must configure Teams correctly to meet HIPAA compliance. Therefore, when correctly configured and used, Microsoft Teams can be considered HIPAA compliant.

Is Facebook Messenger HIPAA Compliant?

Facebook Messenger does not meet HIPAA compliance requirements and should not be used for the exchange or disclosure of Protected Health Information (PHI), except when a patient explicitly requests communication through this app. Even then, measures should be taken to minimize the risk of unauthorized PHI exposure. The platform falls short of HIPAA standards due to missing features critical for compliance with the Security Rule's Administrative and Technical Safeguards, such as audit logs, access reports, and protocols for emergency access. This deficiency in compliance capabilities means Facebook cannot guarantee the protection of PHI to the extent required by HIPAA, nor can it sign a Business Associate Agreement with healthcare providers.

Is Facetime HIPAA Compliant?

Many sources argue that FaceTime is not HIPAA compliant because Apple does not engage in Business Associate Agreements (BAAs) with healthcare entities for its audio and video services, essential for transmitting Protected Health Information (PHI). The debate then extends to whether FaceTime falls under the HIPAA Conduit Exception Rule, which applies to entities that merely transmit PHI without storage or access, similar to traditional postal or courier services. Apple has emphasized that FaceTime is secured with end-to-end encryption, operates on a peer-to-peer basis without storing communications, and restricts access through Apple IDs.

Therefore, while no technology can inherently guarantee HIPAA compliance—it depends on user application—FaceTime has the necessary safeguards to potentially be used compliantly within the framework of the HIPAA Conduit Exception Rule. However, the issue is still debated amongst experts, with some (including the US Department of Veteran Affairs in the past) agreeing that Facetime falls under the conduit exception, while others do not share that opinion. Caution is advised, and using alternative video conferencing solutions that willingly sign BAAs may be more prudent for healthcare providers.

Is Zoom HIPAA Compliant?

Zoom can be HIPAA compliant under certain conditions. Zoom offers a healthcare version of its platform that includes additional security features to meet HIPAA requirements, such as end-to-end encryption, secure data storage, and the ability to sign a Business Associate Agreement (BAA) with healthcare organizations. Compliance, however, also depends on how the healthcare organization configures and uses Zoom, ensuring that PHI (Protected Health Information) is handled in accordance with HIPAA's privacy and security rules. Organizations must implement and enforce policies and procedures that align with HIPAA standards when using Zoom for telehealth or any other service involving PHI.

Zoom’s HIPAA Compliance Datasheet states,

“In the course of providing services to healthcare customers, the Zoom Platform and Zoom Phone enable HIPAA compliance to covered entities. In provisioning and operating the Zoom HIPAA Services, Zoom complies with the provisions of the HIPAA Security Rule that are required and applicable to it in its capacity as a business associate.

Zoom is responsible for enforcing the administrative, technical and physical safeguards to prevent any unauthorized access to or disclosure of protected health information (PHI) in the Zoom environment.”

Is Google Meet HIPAA Compliant?

Yes, Google Meet can be HIPAA compliant when used as part of a Google Workspace Business Plan or Cloud Identity account that supports HIPAA compliance features and when a Business Associate Addendum is provided. The responsibility to ensure HIPAA compliance when using Google Meet, including the proper configuration of the service and maintaining the security and privacy of all protected health information, lies with the healthcare organizations.

Google offers comprehensive guidelines on configuring and utilizing Google Meet for healthcare purposes, with specific instructions for adhering to HIPAA regulations. It is imperative for providers to thoroughly examine this guidance prior to initiating telehealth activities to ensure full compliance with all applicable rules.

Is WhatsApp HIPAA Compliant?

WhatsApp is not HIPAA compliant and should not be used for handling Protected Health Information (PHI) due to its failure to meet the necessary security measures for ensuring PHI confidentiality, integrity, and privacy. Despite introducing end-to-end encryption, which enhances message security compared to SMS and email, WhatsApp does not fulfill HIPAA's Technical Safeguards such as unique user authentication, automatic logoff, audit, and integrity controls. These deficiencies prevent the ability to monitor unauthorized PHI disclosures or alterations and lack remote message deletion capabilities. Furthermore, WhatsApp's terms of service explicitly state that the platform does not cater to industries with strict data confidentiality laws, like healthcare, and does not support Business Associate Agreements, a fundamental PHI exchange requirement that would be needed for WhatsApp HIPAA compliance.

Compass IT Compliance Makes HIPAA Compliance Simple

As the landscape of telehealth continues to expand, it's essential for healthcare organizations to deeply understand and navigate the complexities of HIPAA compliance. This involves a thorough examination of the telehealth platforms available, discerning which ones meet the stringent requirements of HIPAA, including the necessity of business associate agreements (BAAs), robust encryption, and comprehensive audit controls.

Compass IT Compliance has a rich history in assisting healthcare organizations to assess their IT security risks and achieve HIPAA compliance. With a deep understanding of both the potential and the pitfalls of telehealth technology, we stand ready to guide healthcare providers through the intricacies of securing telehealth services. Our expertise ensures that organizations can confidently leverage the benefits of telehealth while maintaining the highest standards of patient data protection and compliance with regulatory requirements. Through our support, healthcare providers can navigate the telehealth landscape with assurance, ensuring that patient care is both effective and secure. Contact us today to discuss your organization’s unique HIPAA challenges!

Contact Us

Get Email Notifications

No Comments Yet

Let us know what you think