Demystifying HIPAA Compliance for Telepractice

December 15, 2014
Jenny Peddicord, CCC-SLP

I’ve been hesitant to write on this topic because it overwhelms me. The fact that I’ve been providing teleservices for some time, am fairly involved in the topic, and yet, still don’t quite understand, means that perhaps one of you doesn’t either. This post is for you and me, the two people completely baffled by maintaining compliance while streaming video.

In all honesty, I suspect there are a few others out there, apart from you and me, who have had questions about HIPAA compliance and telepractice. There have been numerous emails among ASHA Special Interest Group 18 on Telepractice (SIG18) members about which video-streaming platforms are compliant. It seems we are all using something different. And then I came across this great infographic from The Connected Clinician that asserts, “There’s No Such Thing as a HIPAA-Compliant App.” It's enough to confuse anybody. In this post, I’ll share with you what I’ve gleaned from my conversations on the topic, and from my own research.

First and foremost, we must understand that there are two important elements that HIPAA addresses: security and privacy.

Security

ASHA has some helpful information, as per usual, that relates to security:

"Treatment sessions provided via videoconferencing software are not covered by the Security Rule. In the Final Rule, it specifically states ‘because “paper-to-paper” faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail were not in electronic form before the transmission, those activities are not covered by this rule’ (page 8342). If, however, the provider records the session and saves a copy, the saved version would be subject to Security Rule provisions for data at rest. Regardless, the treatment session and all related information and documentation are subject to the Privacy Rule provisions. To ensure the patient’s privacy during treatment sessions, clinicians should consider the use of private networks or encrypted videoconferencing software."

- HIPAA Security Rule FAQ, American Speech Language Hearing Association

That seems to help a bit. A live session is outside the Security Rule unless we record it, which we sometimes do. You and I can think about the security of recordings a little later, in another post. For now, we’ll continue to privacy.

Privacy

There are loads of things that can affect the privacy of telepractice and therefore make or break your compliance. Here are a few:

Where you are. If you’re providing services inside a compound of networked computers with hundreds of users accessing the internet, your needs will be very different from mine. I’m at home using my laptop. If you’re in the first group, then go ask someone in IT.

The platform. This is where companies can tell you about the security features that may or may not help support HIPAA compliance. While the service itself cannot guarantee compliance of the whole teleservice experience, it can give you details about security and in the end, this information can be shared with clients to help them understand the steps you are taking to ensure privacy. For example, the friendly online representative at GoTo Meeting was happy to tell me this:

"GoToMeeting and GoToWebinar include 128-bit end-to-end AES encryption and other security features that allow any company to maintain HIPAA compliance while using the solutions."

Where your client is. This is similar to the first part. If your client is in an SNF, school, or home, the risks change depending on the locale. For example, if you are streaming into an assisted living situation, there may be networked computers or even a location that others have access to. These factors can affect privacy and should be discussed with your clients ahead of time.

Remember that a secure platform is just one element of a compliant practice. A risk management strategy that identifies and addresses every point of possible access is what is needed for a compliant telepractice.

Here is the takeaway: there does not, to date, appear to be any magical solution to ensure that your telepractice is HIPAA-compliant. What you do to ensure the privacy of your clients is instead a process of understanding and mitigating the risks, and then explaining this process to your clients.

I hope other SLPs join this conversation. This post certainly does not cover all the elements of compliance. Leave us a comment, let us know what you know, and what your questions are. After all, we’re all navigating these stormy seas together.