Is telepathology HIPAA-compliant? How do you make sure that it is when choosing providers? Here’s what you need to know about telepathology & HIPAA guidelines.
At present, 65 percent of U.S. hospitals use some sort of telehealth technology, including telepathology. Telehealth continues to gain recognition as almost every state Medicaid program now covers some type of telehealth service.
Telehealth may be on the brink of something big, but providers who embrace it must still contend with HIPAA laws.
HIPAA guidelines don’t affect telemedicine and telepathology any differently than they affect any other covered entity (healthcare organization). When it comes to HIPAA and telemedicine, the guidelines extend to every relationship in which PHI changes hands:
- physician to patient
- physician or healthcare organization to another covered entity
- healthcare organization to a business associate
Have you wondered whether using telepathology would be compliant with HIPAA? Keep reading to learn how to avoid running afoul of HIPAA laws and how to make sure your contractors take privacy as seriously as you do.
What HIPAA Guidelines Govern Telepathology?
Both the Privacy Rule and the Security Rule impact telepathology providers.
The Privacy Rule covers everything related to Protected Health Information (PHI). Whether you’re a provider or associate, it’s your job to make sure all PHI is shared only with those allowed to receive it: typically the patient and other providers who deal directly with the patient’s case.
Privacy doesn’t differ between telepathology and an in-house pathology lab. Whether you send information by email, phone, or on paper, you may never share more information than required.
The same is true of the Security Rule (the Protection of Electronic Protected Health Information). It doesn’t matter whether you store records in-house or share them with another covered entity or a business associate: you need to publish and maintain physical and technical security standards at all times.
How to Avoid HIPAA Violations Using Telepathology
Staying compliant when using a telepathology service means recommitting to HIPAA rules and working with those who share your commitment.
To avoid violations, we recommend that all covered entities take the following steps:
- Enter into a Business Associate Agreement with your telepathology provider
- Train staff on HIPAA compliance with the new provider
- Use secure devices and portals to communicate
1. Enter Into a Business Associate Agreement
As a covered entity, you should enter into a Business Associate Agreement (BAA) with any other provider that you work with.
Although you will sign a contract for the work anyway, a BAA specifically covers an entity or person who works for or on behalf of the covered entity to provide specific services. You want a BAA because it lays out both an operating agreement and a HIPAA agreement.
Your BAA will:
- Establish the allowed uses of PHI
- Provide that the business associate will not share PHI
- Mandate that the associate follow the HIPAA Security Rule
- Require reports of disclosures not covered by the contract
- Carry out the Privacy Rule
- Destroy PHI upon termination of the contract
These agreements set the standard for your contract to avoid miscommunications.
Your BAA is the most critical step to securing your relationship. However, you also need to know who your business associate works with. It is vital that you know every single associate involved in the storage, transmission, and processing of PHI that comes from your organization.
Ask about third parties to the agreement. Be clear on how the BAA will manage those third parties to maintain HIPAA requirements. Remember, you are responsible for what happens with PHI, even if the violation was your associate’s.
2. Use Staff Training
Working with a new business associate comes with new processes. Don’t assume your staff will know the appropriate way to interact with a telepathology lab.
Train your staff on issues related to working with business associates so that everyone is clear on their obligations.
HIPAA allows you to share relevant information with a business associate so that it can complete work in the healthcare field. However, you should still inform your patients about the new associate that will receive their PHI.
3. Always Stick to Secure Devices and Portals
With the advent of online portals and apps, it’s never been easier to communicate and improve workflow.
Failing to stick to secure devices and portals is one of the most critical errors a covered entity can make when it first uses telemedicine or telepathology.
Avoid sending any patient information outside of secure email or portal lines. Doing so is an overt HIPAA violation. Stick to professional office emails set up with the appropriate security protocols.
Make sure passwords aren’t left lying around and that the app is accessible only from the computers of the staff who need to contact the business associate.
It’s also a good idea to ask for the specs of any telemedicine apps, portals, and tools so you can pass them on to your IT support. Doing so helps you avoid potential security holes and ensures that both your systems and your associate’s are compliant.
HIPAA Compliance Is Up to You
As the covered entity, you hold the most responsibility for ensuring you and the entities you work with meet HIPAA guidelines. Failure to do so leads to huge fines from HHS or even lawsuits from patients.
Protecting patients’ PHI is as much a part of your job as protecting their health. You can do both when working with a HIPAA-compliant telepathology company. You need to do your due diligence both when working with a business associate and in keeping your staff and patients up to date.
Are you looking to make the switch to telemedicine for your pathology, cardiology, or radiology needs? Visit our blog for more resources.