Business Associate Agreement Telehealth
HIPAA and the HIPAA Security Rule require covered entities to comply with the Security Rule when transmitting electronic protected health information (“e-PHI”). In essence, the Security Rule requires providers to assess the risks to client confidentiality when using video conferencing and then put in place appropriate administrative, physical and technical safeguards to protect against unauthorized access. The Security Rule is intended to reduce the potential risks associated with the provision of telehealth services, including unauthorized interception of or eavesdropping on a videoconferencing session by third parties and unauthorized access to recorded videoconferencing sessions.

The BAA makes both you and the teletherapy platform you use responsible in the event of a violation of the HIPAA privacy and security rules in the handling of protected health information (PHI). If you are employed by a teletherapy company, you do not need a BAA, as the contract is signed by the teletherapy platform and the company that employs you. The Business Associate Agreement is a contractual obligation to protect PHI. As a general rule, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of a covered entity or provides certain services involving the use or disclosure of protected health information (PHI).

1. PHI is downloaded or stored on unsecured mobile devices

A telehealth mobile app can be incredibly convenient. But health care providers need to be careful with any PHI stored on their mobile device.
- Install remote wipe software on the mobile device to remove PHI in case of loss or theft of the mobile device
- Protect the device with a password
- Require a check of the data stored on the device before the device is discarded or recycled

Because this data is protected under the Health Insurance Portability and Accountability Act (HIPAA), telemedicine solution providers must ensure that their platforms are designed to manage e-PHI. Meanwhile, physicians, like public health organizations, are responsible for choosing secure and compliant technologies for their telehealth practices. Guidelines for BAAs, including standard BAA provisions, are available at www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

One of the most common misunderstandings around telehealth and security could be this: the use of HIPAA-compliant telehealth software protects you from HIPAA violations. Of course, the use of telehealth software that follows the technical and physical safeguards spelled out in HIPAA is an important part of building a HIPAA-compliant telehealth program. But this is only one part of the larger puzzle of keeping your protected health information (PHI) secure.

A security risk analysis for a telehealth provider has six elements:

Navigating the intricacies of HIPAA can be difficult, even for senior healthcare executives trained in healthcare security and compliance. With regard to telehealth, compliance issues are often more complex due to the introduction of mobile devices, wireless connections and a long list of technology providers involved in the provision of the telehealth solution. In addition, health care workers may not always understand how HIPAA applies to new technologies. Any software tool, no matter how closely it follows the technical and physical safeguards described in HIPAA, can be used insecurely by medical personnel.
The above satisfactory assurances must be made in writing, either in the form of a contract or other agreement between the covered entity and the business associate.