Posted On: November 28, 2024

HIPAA Rules on Telehealth Compliance

Telemedicine enables healthcare professionals to use technology to deliver healthcare services remotely. However, despite the convenience and efficiency of telehealth, safeguarding patient privacy remains paramount. The Health Insurance Portability and Accountability Act (HIPAA) provides a crucial framework for ensuring the security and confidentiality of sensitive health information, even in an online setting. 

In this comprehensive guide, we explore the complex combination of telemedicine and HIPAA, detailing the guidelines and considerations essential for healthcare providers and professionals entering virtual care. 

Embracing Telemedicine: HIPAA’s Role in a Pandemic-Transformed Healthcare Landscape 

Before March 2020, telemedicine struggled against numerous regulatory and logistical challenges. Patients and providers faced inconsistent reimbursement policies, location and technology limitations, and privacy regulations requiring expensive investments in secure communication technology. 

Despite these hurdles, patients generally welcomed this technological shift, although concerns about personal data security persisted.

The COVID-19 pandemic marked a pivotal moment for healthcare, transforming telemedicine from a convenience to a necessity. According to the Journal of the American Medical Association, telemedicine usage skyrocketed from 840,000 instances in 2019 to an astounding 52.7 million in 2020. 

This dramatic increase not only revolutionized healthcare delivery but also highlighted the critical need to comply with the Health Insurance Portability and Accountability Act (HIPAA) in a swiftly changing digital healthcare landscape. 

What Is Telehealth? 

Telehealth utilizes electronic and telecommunication technologies to provide remote healthcare and education. This approach includes a range of services such as audio, text messaging, and video consultations, effectively eliminating geographical barriers and connecting patients to clinical services through digital devices like computers and smartphones.

Telehealth's acceptance is not just a fleeting trend; with 63% of users planning to continue using it post-pandemic and 77% expressing satisfaction, it is clear that telehealth is here to stay. The Biden-Harris Administration's substantial $19 million investment aims to improve telehealth access in rural areas, highlighting the sector's increasing momentum.

Additionally, 76% of employers expanded their telehealth offerings during the pandemic, demonstrating widespread support for this healthcare delivery method. The growing popularity of telehealth and its potential for continued use after the pandemic emphasizes the need for robust regulatory oversight in this rapidly evolving field. 

Agencies and Regulations Managing Telehealth Services

Several government agencies, including the U.S. Department of Health and Human Services (HHS) and the Federal Communications Commission (FCC), play active roles in regulating and expanding access to telehealth services. 

During the pandemic, Congress expanded the FCC's involvement through the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which allocated $200 million to enhance telehealth services nationwide. The FCC used these funds to support healthcare providers by offering essential telecommunications services, information services, and devices for telehealth.

The CARES Act, along with the subsequent 1135 waiver, facilitated the growth of telemedicine through 2025, ensuring reimbursement for specific telehealth services for seniors on Social Security. It also prompted the Secretary of Veterans Affairs to establish contracts to enhance telehealth services for veterans. 

Although the FCC's telehealth regulation initially focused on addressing the pandemic, the significant increase in telehealth usage indicates the need for continued regulation beyond the pandemic. The CARES Act's various provisions, designed to expand telehealth services, suggest that telehealth will remain a vital component of healthcare.

HIPAA Guidelines on Telemedicine

Understanding that HIPAA regulations can often seem broad or complex, entities involved in remote healthcare services need to seek clarity and continuously update their knowledge. This proactive approach ensures HIPAA compliance for telemedicine and the secure handling of patient information in a telehealth environment. 

What Is ePHI? 

A thorough understanding of Protected Health Information (PHI) and electronic PHI (ePHI) is crucial for addressing privacy and security concerns. PHI includes a wide range of personal details about a patient's health, billing, and other confidential data, such as:

  • Patient names
  • Billing details
  • Contact information
  • Social Security numbers
  • Fingerprints
  • Home addresses

As healthcare increasingly moves online, ePHI – which refers to any PHI stored or transmitted electronically, whether through emails, digital files, or medical reports – becomes particularly important.

The digital transformation of healthcare data offers unprecedented convenience but also introduces increased risks. While HIPAA regulations meticulously safeguard both PHI and ePHI, the inherent vulnerability of digital data necessitates enhanced security measures to prevent unauthorized access and breaches.

Healthcare providers must be vigilant in recognizing these risks and implementing robust protections to maintain the integrity and confidentiality of patient information in this rapidly evolving digital healthcare environment. 

What Is a Covered Entity? 

A covered entity is an individual, organization, or agency that is required to comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations. Covered entities handle protected health information (PHI) and must adhere to HIPAA's privacy, security, and breach notification rules to ensure the confidentiality, integrity, and availability of PHI. 

What Are BAA Contracts? 

In the past, healthcare providers partnering with a telehealth vendor were required to establish a Business Associate Agreement (BAA) to comply with HIPAA standards. This contract ensured that all parties, including third-party vendors such as insurance companies or telehealth providers, adhered to HIPAA laws in handling sensitive health information. 

A BAA sets clear boundaries on how these associates use and access Electronic Protected Health Information (ePHI) or Protected Health Information (PHI), thereby safeguarding patient privacy. 

A BAA has several key roles:

  • Outline Usage Parameters for ePHI/PHI: Clearly define how business associates may utilize ePHI and PHI.
  • Prohibit Illegal Disclosure: State that disclosing ePHI or PHI beyond legal requirements constitutes a violation.
  • Mandate Comprehensive Safeguards: Ensure implementation of both technical and physical safeguards.
  • Require Security Breach Reporting: Obligate the reporting of any security breaches to appropriate authorities.
  • Enforce Disclosure of Health Amendments: Ensure transparency in disclosing health record amendments.
  • Adhere to HIPAA Rules: Mandate compliance with HIPAA Privacy and Security regulations.
  • Monitor ePHI/PHI Usage: Require reporting of all ePHI and PHI usage to the Health and Human Services (HHS).
  • Data Destruction Post-Contract: Obligate the destruction of all ePHI/PHI after contract termination.
  • Ensure Subcontractor Accountability: Ensure that subcontractors also comply with HIPAA guidelines.
  • Terminate Contract for Violations: Clarify immediate contract termination upon any breach of terms. 

During the pandemic, the Office for Civil Rights (OCR) did not mandate that covered entities form BAAs with video communication platform vendors. This relaxation might have impacted patient privacy. Platforms compliant with HIPAA before the pandemic, such as those with BAAs, could offer more secure services. 

However, new platforms for telehealth might not meet HIPAA standards. Despite claims of compliance by vendors like Skype and Zoom, OCR hasn't reviewed their BAAs or officially endorsed them. The high demand for telehealth services during the pandemic may have led many providers to use platforms without confirming HIPAA compliance.

In the absence of a Business Associate Agreement (BAA), telehealth users are governed by the privacy policies of individual companies. However, the requirements of BAAs can significantly increase the costs and complexities associated with telehealth software investments. This scenario poses a challenge for healthcare providers seeking telehealth technology partners, especially during a pandemic.

To promote adherence to HIPAA standards through BAAs, the Office for Civil Rights (OCR) could enhance transparency by publicly disclosing which companies have committed to these binding agreements. Such transparency would motivate platforms to align with HIPAA, leveraging public trust and credibility as a business advantage, ultimately driving more consumers to embrace their technology and services.

What Is the HIPAA Security Rule in Telemedicine? 

Designed to safeguard digital health information, the HIPAA Security Rule requires the implementation of extensive protective measures. Covered entities must establish robust administrative, technical, and physical safeguards to protect ePHI. 

These measures ensure confidentiality, prevent unauthorized access or alterations, and maintain data integrity and availability. Additionally, entities must proactively defend against potential security threats and unauthorized uses or disclosures of ePHI.

While the Security Rule does not specify telemedicine vendors for covered entities, it underscores the need for careful consideration when selecting telecommunication platforms and services. Compliance with the Security Rule at all employee levels is essential, highlighting the critical importance of comprehensive data security in healthcare. 

What Is the HIPAA Privacy Rule in Telemedicine? 

The HIPAA Privacy Rule establishes national standards for protecting individually identifiable health information. In the context of telemedicine, this rule is crucial as it governs the use and disclosure of Protected Health Information (PHI) by covered entities, ensuring patient confidentiality is maintained even when healthcare services are delivered remotely.

Key aspects of the HIPAA Privacy Rule include:

  • Patient Consent and Authorization: Covered entities must obtain patient consent before using or disclosing PHI for treatment, payment, or healthcare operations. In telemedicine, this means securing explicit permission from patients for their health information to be shared electronically.
  • Minimum Necessary Standard: The rule mandates that only the minimum necessary amount of PHI is used or disclosed to accomplish the intended purpose. This principle is especially relevant in telemedicine, where digital data transmission should be limited to essential information only.
  • Patient Rights: Patients have rights under the Privacy Rule, including the right to access their health records, request amendments, and receive an accounting of disclosures. Telemedicine providers must ensure these rights are upheld in a digital setting.
  • Safeguards: Covered entities are required to implement appropriate administrative, technical, and physical safeguards to protect PHI. In telemedicine, this includes using secure communication channels and ensuring that electronic systems comply with HIPAA requirements.

Purpose and Key Provisions of the HIPAA Privacy and Security Rules 

The HIPAA Privacy and Security Rules are designed to protect the confidentiality, integrity, and availability of individuals' health information. 

The Privacy Rule focuses on safeguarding Protected Health Information (PHI), while the Security Rule specifically addresses the protection of electronic PHI (ePHI). Together, these rules ensure that health information is properly handled, secure from unauthorized access, and used appropriately.

Here’s a breakdown of the key provisions of both rules:

HIPAA Privacy Rule

  1. Patient Rights:
    • Patients have the right to access their health records, request amendments, and receive an accounting of disclosures.
  2. Use and Disclosure:
    • Covered entities must obtain patient consent for using or disclosing PHI for treatment, payment, or healthcare operations, adhering to the minimum necessary standard.
  3. Notice of Privacy Practices:
    • Covered entities must provide a notice outlining how PHI will be used and disclosed, as well as patients' rights regarding their information.
  4. Safeguards:
    • Implement administrative, physical, and technical safeguards to protect PHI.

HIPAA Security Rule

  1. Administrative Safeguards:
    • Policies and procedures must be in place to manage the selection, development, and maintenance of security measures to protect ePHI.
  2. Physical Safeguards:
    • Physical access to electronic systems and facilities where ePHI is stored must be controlled to prevent unauthorized access.
  3. Technical Safeguards:
    • Implement technology to secure ePHI, including access controls, audit controls, integrity controls, and transmission security.
  4. Risk Management:
    • Conduct regular risk assessments and address vulnerabilities to ensure the security of ePHI.

Together, these rules establish a comprehensive framework for protecting health information, ensuring patient privacy, and securing electronic health data.

How the HIPAA Privacy and Security Rules Apply to Telemedicine Practices 

The HIPAA Privacy and Security Rules are crucial in ensuring the confidentiality, integrity, and security of patient information in telemedicine. Here are some examples of how these rules apply to telemedicine practices:

  • Secure Communication Platforms: Telemedicine providers must use HIPAA-compliant platforms that offer encrypted video conferencing, secure messaging, and data storage.
  • Access Controls: Implementing strict access controls ensures that only authorized personnel can access patient information.
  • Training and Awareness: Continuous training for healthcare staff on HIPAA requirements and best practices for telehealth security is essential.
  • Patient Verification: Telemedicine providers must verify patient identities before consultations to ensure that information is shared with the correct individuals.

Ensuring ePHI Security: The Critical Role of Technical Safeguards in Telemedicine 

Telemedicine providers must rigorously adhere to the technical safeguard guidelines mandated by the Department of Health and Human Services (HHS) to protect sensitive patient data. 

These safeguards include the following:

  • Robust User Identification: This essential feature enables healthcare entities to monitor all user activity within their systems, ensuring secure access to ePHI.
  • Encryption Protocols: The HIPAA Security Rule introduces encryption as an 'addressable implementation specification,' meaning it is not a strict requirement. Healthcare entities can assess whether encryption is a practical safeguard for protecting ePHI's confidentiality, integrity, and availability. If a covered entity finds encryption unsuitable after conducting a risk assessment, it must document this decision and, if feasible, implement an alternative security measure. In some cases, neither the suggested specification nor an alternative is necessary, provided the entity justifies how other means sufficiently secure ePHI under the Security Rule.
  • Emergency Access Procedures: These tailored procedures empower healthcare staff to access ePHI swiftly and securely during emergencies, ensuring the continuity of patient care.
  • Data Integrity Measures: Protecting the integrity of patient data is crucial to preventing unauthorized alteration or destruction of records and maintaining the accuracy and reliability of patient health information. 
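To make the technical safeguards above concrete, here is a small Python illustration of three of them working together on a single ePHI record: role-based access that applies the minimum necessary standard, an audit trail of every access attempt (including denials), and a keyed integrity tag that detects unauthorized alteration of a record. This is an added example written for this page, not code from the original article or from 360training; the patient record, the roles and their field sets, the integrity key and the function names are all constructed assumptions for demonstration.

```python
"""Added example (not from the original article or 360training): three HIPAA
Security Rule technical safeguards - access control, audit control and
integrity control - applied to a constructed ePHI record."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample record; the patient and values are fictitious.
RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "ssn": "000-00-0000",
    "home_address": "1 Example Street",
    "billing": {"balance_due": 120.0},
    "clinical_notes": "Follow-up visit; blood pressure stable.",
}

# Minimum-necessary field sets per role (assumed roles for this example).
# Note that no role receives the SSN: it is not needed for any listed purpose.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "clinical_notes"},
    "billing_clerk": {"patient_id", "name", "billing", "home_address"},
    "scheduler": {"patient_id", "name"},
}

# Assumed secret for the example. In a real deployment this would come from a
# managed key store, never from source code.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"

# In-memory audit trail; a real system would write to append-only storage.
AUDIT_LOG = []


def integrity_tag(record):
    """Keyed HMAC-SHA256 over a canonical JSON form of the record.

    Canonical serialization (sorted keys, no whitespace) makes the tag depend
    only on content, so a re-ordered but unchanged record still verifies."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify_integrity(record, tag):
    """True only if the record is byte-for-byte the one the tag was made over."""
    return hmac.compare_digest(integrity_tag(record), tag)


def access_record(user, role, record, purpose):
    """Return only the fields the role needs and log the access.

    Unknown roles are denied (fail closed), and the denial is logged as well,
    so the audit trail captures attempted as well as successful access."""
    allowed = ROLE_FIELDS.get(role)
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "purpose": purpose,
        "patient_id": record["patient_id"],
    }
    if allowed is None:
        entry["outcome"] = "denied"
        AUDIT_LOG.append(entry)
        raise PermissionError(f"role {role!r} is not authorized to access ePHI")
    view = {k: v for k, v in record.items() if k in allowed}
    entry["outcome"] = "granted"
    entry["fields"] = sorted(view)
    AUDIT_LOG.append(entry)
    return view


if __name__ == "__main__":
    tag = integrity_tag(RECORD)
    print("clinician view:", access_record("dr.example", "clinician", RECORD, "treatment"))
    print("scheduler view:", access_record("desk.example", "scheduler", RECORD, "scheduling"))
    tampered = dict(RECORD, clinical_notes="altered text")
    print("original verifies:", verify_integrity(RECORD, tag))
    print("tampered verifies:", verify_integrity(tampered, tag))
    for line in AUDIT_LOG:
        print("audit:", line)
```

The design choice worth noting is that the integrity tag is keyed: a plain hash stored next to the record could be recomputed by whoever altered the record, whereas an HMAC can only be recomputed by a party holding the key, which is what lets it serve as an integrity control rather than just a checksum.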

Fortifying Telemedicine with Essential Physical Safeguards 

These measures, implemented within the physical confines of a healthcare facility, uphold HIPAA compliance and ensure the security of sensitive information. 

Key safeguards include:

  • Comprehensive Facility Security Plan: A well-documented plan outlines specific policies to prevent unauthorized access to patient data and protect against information theft.
  • Tailored Access Control and Validation: Strict access control measures ensure that sensitive information is accessible only to authorized personnel based on their specific roles within the organization.
  • Diligent Maintenance Records: Keeping detailed records of any security-related repairs or modifications to the facility, such as updates to doors or locks, helps maintain a secure environment.
  • Media Management Policies: Establishing clear guidelines for the use, disposal, reuse, or backup of media ensures that all forms of patient data, whether digital or physical, are handled with utmost care and security.
  • Stringent Workstation Maintenance: Regular scrutiny and maintenance of all workstations with access to ePHI are crucial. Creating and enforcing policies on data handling and restricting authorized use safeguard against potential breaches. 

Telehealth Prescriptions for Controlled Substances: Navigating DEA and Ryan Haight Act Guidelines 

Telehealth-based prescriptions of controlled substances are regulated by both state and federal laws. Prior to the pandemic, the Controlled Substances Act required prescribers to hold a DEA registration in each state where they prescribed these substances. 

During the Public Health Emergency (PHE), the DEA relaxed this rule, but this leniency will end once the PHE concludes. Understanding the Ryan Haight Online Pharmacy Consumer Protection Act of 2008 is essential for telehealth providers prescribing controlled substances. 

This Act restricted the internet-based distribution and dispensing of such substances, impacting telehealth prescriptions by requiring an in-person patient-provider relationship before prescribing scheduled medications via telehealth.

Telemedicine providers can bypass the in-person assessment requirement if the patient is at a DEA-registered medical facility or with a DEA-registered clinician. This exemption applies when clinicians act within professional norms and state laws and have DEA registration in the state where the patient is located. 

However, during the PHE, the face-to-face requirement was lifted, with certain guidelines for telehealth prescriptions. The DEA has proposed rules to extend these PHE flexibilities, pending public feedback.

Embracing a New Era in Telehealth: Understanding Post-Pandemic HIPAA Changes

As healthcare providers and patients navigated the challenges of social distancing, significant changes swept through HIPAA regulations for telehealth consultations, reshaping how healthcare services are delivered and accessed. 

These adaptations, driven by the CARES Act and CMS 1135 Waiver, have expanded the reach and scope of telehealth, offering unprecedented flexibility and inclusivity. In this section, we explore how these landmark changes have transformed the telehealth landscape, ushering in a new era of healthcare delivery that continues to evolve in the post-pandemic world. 

First, let's look at the changes made to Medicare and Medicaid:

  1. Eligibility for Providing and Receiving Telehealth Services
    • Before March 2020: Telehealth services were primarily restricted to certain licensed providers, with patients required to have a preexisting relationship with these providers.
    • After CARES Act and CMS 1135 Waiver: The landscape shifted dramatically, enabling a broader range of clinicians to bill for Medicare services, irrespective of a preexisting patient-provider relationship.
  2. Locations Approved for Telehealth
    • Before March 2020: Telehealth was confined to specific sites, such as designated rural areas or certain medical facilities. Providers were bound to conduct sessions from their professional practice locations, with cross-state services being largely prohibited.
    • After CARES Act and CMS 1135 Waiver: This paradigm shifted to allow healthcare providers to conduct telehealth sessions from their homes, offering services across state lines (with some state-specific restrictions). Telehealth can now originate from any site, including the patient's home, significantly enhancing accessibility.
  3. Technology Requirements for Telehealth Visits
    • Before March 2020: A stringent requirement for audio-visual capabilities, such as video technology, was in place, limiting telehealth to only approved technology platforms.
    • After CARES Act and CMS 1135 Waiver: The requirements evolved to include both audio-visual and audio-only options, with an expanded list of approved platforms embracing widely used technologies like FaceTime, Skype, and Zoom.
  4. Reimbursement Policies for Telehealth
    • Before March 2020: Medicare coinsurance and deductibles were applicable to telehealth visits, and reimbursements were generally lower compared to in-person services.
    • After CARES Act and CMS 1135 Waiver: There was a significant shift, allowing providers to waive cost-sharing for telehealth services paid by federal programs. Moreover, all telehealth visits, including audio-only sessions, began to be reimbursed at rates equivalent to in-person services.

Recent changes to general telehealth operations as of May 11, 2023, include:

  • Virtual check-ins and e-visits for new patients will no longer be allowed; these visits will only apply to established patients.
  • Certain healthcare common procedures for remote evaluation of patient video/images and virtual check-in services can only be provided to established patients.
  • Telehealth via any non-public-facing application will continue until December 31, 2024. However, the technology used to conduct a visit must be HIPAA compliant beginning May 12, 2023.
  • State laws will continue to govern whether a provider needs to be licensed in the state in which they practice. There is no CMS-based requirement that a provider must be licensed in their state of enrollment.
  • Telemedicine services furnished to a hospital's patients through an agreement with an off-site hospital will end.
  • If a beneficiary's home was designated as a provider-based department of the hospital for purposes of receiving outpatient services paid under the Hospital Outpatient Prospective Payment System (HOPPS), this designation will end.
  • The process of allowing the addition of services to the Medicare Telehealth Services List on a sub-regulatory basis will end. Any requests for services to be added must be made through the rulemaking process.
  • Subsequent inpatient visits provided via telehealth will no longer be limited to once every three days.

These changes reflect the ongoing evolution of telehealth regulations and practices, ensuring that healthcare delivery continues to adapt and improve in a post-pandemic world. 

Online HIPAA Training for Telemedicine With 360training

While adherence to HIPAA guidelines concerning ePHI and BAAs has lessened, protecting patient privacy in telemedicine remains a critical concern for maintaining trust between healthcare providers and patients. Upholding HIPAA certification is more important now than ever for your benefit and that of your clients.

Stay ahead in the ever-evolving field of healthcare with our comprehensive online training courses. Whether you need HIPAA telemedicine training for healthcare workers or you’re a business associate, dental office worker, or medical office worker, 360training’s courses provide the latest in HIPAA education, ensuring you remain up-to-date with the latest regulations and best practices. 

Ensure you are fully equipped to handle PHI with confidence and compliance. Enroll now and take the first step towards mastering HIPAA regulations!

©2025 360training