Between Two Screens: Demystifying HIPAA Compliance for Telepractice

Welcome! The information below is mostly still accurate, but it is a little dated. We've written this updated "HIPAA/FERPA in the COVID Era" post that you might find useful, though. Please check it out!

I’ve been hesitant to write on this topic because it overwhelms me. The fact that I’ve been providing teleservices for some time, am fairly involved in the topic and yet, still don’t quite understand, means that perhaps one of you doesn’t either. This post is for you and me, the two people completely baffled by maintaining compliance while streaming video.

Let’s hold hands.

In all honesty, I suspect there are a few others out there, apart from you and me, who have had questions about HIPAA compliance and telepractice. There are have been numerous emails among ASHA Special Interest Group 18 on Telepractice (SIG18) members about which video-streaming platforms are compliant. It seems we are all using something different. And then I came across this great infographic from The Connected Clinician that asserts “There’s No Such Thing as a HIPAA-Compliant App.” It's enough to confuse anybody. In this post, I’ll share with you what I’ve been able to glean from my conversations on the topic, and from my own research.

First and foremost, we must understand that there are two important elements that HIPAA addresses: security and privacy. ASHA has some helpful information, as per usual, that relates to security:

"Treatment sessions provided via videoconferencing software is not covered by the Security Rule. In the Final Rule, it specifically states ‘because “paper-to-paper” faxes, person-to-person telephone calls, video teleconferencing, or messages left on voice-mail were not in electronic form before the transmission, those activities are not covered by this rule’ (page 8342). If, however, the provider records the session and saves a copy, the saved version would be subject to Security Rule provisions for data at rest. Regardless, the treatment session and all related information and documentation are subject to the Privacy Rule provisions. To ensure the patient’s privacy during treatment sessions, clinicians should consider the use of private networks or encrypted videoconferencing software." 

- HIPAA Security Rule FAQ, American Speech Language Hearing Association

That seems to help a bit. We’re secure unless we record, which we sometimes do. Let’s you and I think about the security of recordings a little later, in another post. For now, we’ll continue to privacy.

There are loads of things that can affect the privacy of telepractice and therefore make or break your compliance. Here are a few:

Where you are. If you’re providing services inside a compound of networked computers with hundreds of users accessing the internet, your needs will be very different from mine. I’m at home using my laptop.  If you’re in the first group, then go ask someone in IT. If you’re like me, then let’s continue to hold hands.

The platform. This is where companies can tell you about the security features that may or may not help support HIPAA compliance. While the service itself cannot guarantee compliance of the whole teleservice experience, it can give you details about security and in the end, this information can be shared with clients to help them understand the steps you are taking to ensure privacy. For example, the friendly online representative at GoTo Meeting was happy to tell me this:

"GoToMeeting and GoToWebinar include 128 bit end-to-end AES encryption and other security features that allow any company to maintain HIPAA compliance while using the solutions."

GoTo Meeting is, of course, one of many companies that offer similar levels of security. The folks at TeleMental Health Services have compiled a list entitled “Video Teleconferencing Companies Claiming 'HIPAA Compliance'.” I don't know how comprehensive their list is, but it’s certainly worth a review if you’re interested in this topic.

Where your client is. This is similar to the 1st part. If your client is in a SNF, school or home, the risks change depending on the locale. For example, if you are streaming into an assisted living situation, there may be networked computers or even a location that others have access to. These factors can affect privacy and should be discussed with your clients ahead of time.

Remember that compliance includes the use of a secure platform as just one element of a compliant practice. As the infographic by The Connected Clinician indicates, a risk management strategy that identifies and addresses all points of possible access is what is needed for a compliant telepractice.

Here is the takeaway: there does not, to date, appear to be any magical solution to ensure that your telepractice is HIPAA-compliant. What you do to ensure the privacy of your clients is instead a process of understanding and mitigating the risks, and then explaining this process to your clients (ASHA weighs in on informed consent here).

I hope other SLPs join this conversation. This post certainly does not cover all the elements of compliance. Leave us a comment, let us know what you know, and what your questions are. After all, we’re all navigating these stormy seas together. Let’s hold hands again soon.

This post is part of our ongoing series, Between Two Screens, in which we share our take on the ever-changing and always-exciting world of speech language pathology and telepractice. Check out our other posts and let us know if there's a topic you'd like us to cover!