HIPAA Compliance for Virtual Practice Operations (Telemedicine)

In an effort to reduce the spread of contagious disease and improve patient compliance, patients and physicians have turned to virtual visits. This adoption of telehealth has been greatly accelerated by the COVID-19 pandemic, and both sides are now recognizing – and will soon be demanding – the benefits of telemedicine as a standing care option.

Patient confidentiality and HIPAA compliance are major considerations as you deliberate adopting telemedicine (and the resulting additional revenue stream) into your practice. HIPAA rules apply to remote medicine as much as to office visits, and the virtual nature of telemedicine can often increase the risk of a breach.

The Avitus Group Technology Services team, experts in HIPAA compliance, shared the following initial steps and considerations for adopting telemedicine.

Risk Assessment

Practices that engage in telemedicine must first carry out a comprehensive risk assessment to identify where best practices are not being met. A risk assessment should cover:

  • The practices used by the doctor
  • The software used (HIPAA-compliant videoconferencing software must be used)
  • The HIPAA guidelines followed. This includes ensuring that:
    • Only authorized users can access the system
    • Third-party data storage companies have a Business Associate Agreement that includes, among other things, the methods they use to protect data

During the current crisis some discretion in enforcement has been applied in order to facilitate virtual examinations to avoid the risk of transmitting COVID-19, but these measures are temporary. They do, however, present a brief opportunity for providers to take advantage of the leeway and complete a comprehensive risk assessment now.

Avitus Group offers complimentary risk assessment and gap analysis to healthcare providers who are practicing telemedicine or in the process of adding it to their offerings.

Most Common Risk Gaps

Risk gaps in healthcare fall into a number of areas, so while this list is not comprehensive, it contains some of the most common:

  1. Portable hardware. Laptops and tablets are used increasingly, and it is very likely that both patient and physician are using some kind of portable device that requires specific security measures. While patients cannot be policed, physicians and other providers must be trained in how to secure portable hardware.
  2. Devices storing communication. Make sure that any device used to practice telemedicine is not, in fact, storing routine transmissions. This is most often a concern with mobile health apps (that often collect data to target ads). Healthcare devices such as Fitbits often store and transmit data. Any device used by a patient to monitor symptoms should be, if possible, distributed in the office.
  3. Lack of transparent information given to patients. Patients may consent to being treated virtually but not be aware of the privacy and security risks, or of the measures taken to reduce them. Patients need to have technology-specific risks explained.
  4. Not properly integrating telemedicine into overall HIPAA and HITECH compliance. It must be included in privacy notices or in your normal security management plan. Telemedicine must also be integrated into monitoring and breach notification protocols.
  5. Not training staff or providers in how to handle privacy and security during virtual visits.
  6. Failing to track compliance issues so they can be dealt with before they lead to a breach and/or fine.

Automated Compliance Reporting

Automated compliance reporting detects if applications are not secure and relays that information. It can be used to warn users if they have their conferencing software in the wrong mode or have enabled logging/recording of the session. It can also notify employers if users are using software incorrectly. The idea is to prevent the compliance breach before it happens by ensuring that users know right away if something is wrong.

Automated compliance reporting is also used to monitor business associates, that is to say third party providers, and ensure that you know right away about potential security issues. You can then comply with breach notification protocols if needed or consider changing providers if compliance issues are too high.

For telemedicine, these functionalities must be extended to video conferencing providers and remote monitoring devices provided to patients, along with any other additional software used.

Monitoring and Breach Notification Protocols

As with compliance reporting, it’s vital to integrate telemedicine provisions into your monitoring and breach notification protocols. Talk to your IT or your outsourced IT provider about how to best monitor video conferencing for problems.

If you do have a breach, the same rules about notifying patients in a timely manner apply. You must also ensure that you log virtual visits in a way that allows affected patients to be quickly identified and notified.

Whether you are offering telemedicine as a temporary measure to help your patients stay healthy or creating a new virtual arm of your practice, it is vital to work towards HIPAA compliance. To further discuss HIPAA compliance for telemedicine in your practice, contact the Avitus Group Technology Services team. Their help desk averages only 15 seconds to connect you with a real person during business hours.