Enacted August 21, 1996, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects individually identifiable health information, referred to in the regulations as protected health information (PHI).

In 2000, the US Department of Health and Human Services (HHS) finalized the "Privacy Rule" (modified in 2002), which governs the use and disclosure of individuals' health information and establishes individuals' privacy rights under HIPAA. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 created or clarified provisions that affect HIPAA, including extending direct liability to business associates.

Only certain parties are subject to HIPAA. The "covered entities" are:

  • Health plans;
  • Health care providers that conduct certain transactions electronically;
  • Health care clearinghouses.

"Business associates," the vendors and contractors that create, receive, maintain or transmit PHI on a covered entity's behalf, are not covered entities, but since HITECH they are directly subject to HIPAA's Security Rule and to the relevant parts of the Privacy Rule.

Providing or using telehealth does not alter a covered entity's obligations under HIPAA, nor does HIPAA contain any section devoted specifically to telehealth. If a covered entity uses telehealth that involves PHI, it must meet the same HIPAA requirements it would if the service were provided in person.

Telehealth often involves technical personnel outside the medical team, such as platform hosts, video service vendors and IT support, who may have access to patient data. If such an organization creates, receives, maintains or transmits PHI on the provider's behalf, it is a business associate, and the provider must have a business associate agreement (BAA) in place with it. The BAA obligates the vendor to safeguard PHI to the same standard that HIPAA imposes on the provider.

The entity must also conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI it holds; this risk analysis is a required element of the HIPAA Security Rule. The Security Rule sets out some implementation specifications, but each entity must determine which security measures are reasonable and appropriate for its own size, resources and risk profile, and document that determination.

Using a particular piece of telehealth equipment or technology cannot by itself make an entity "HIPAA compliant," because HIPAA addresses administrative and physical safeguards, policies and training, not only technical features or specifications. Nevertheless, certain features can help a covered entity meet its obligations. For example, a telehealth application may encrypt PHI in transit and at rest, or may restrict access through passwords and user authentication. Such features are tools that support compliance; they do not ensure it and cannot substitute for an organized, documented set of security practices.

View CCHP's HIPAA Fact Sheet.