
Yes, e-visits must be HIPAA compliant if they involve the exchange of protected health information (PHI) between a patient and a covered entity.
What are e-visits?
E-visits are online consultations between a patient and a healthcare provider, conducted through a secure digital platform. Unlike telehealth video calls, e-visits are often asynchronous, meaning they involve secure messaging, electronic forms, or emails rather than real-time communication.
HIPAA compliance for e-visits
According to the HHS, “covered health care providers and health plans must use technology vendors that comply with the HIPAA Rules and will enter into HIPAA business associate agreements in connection with the provision of their video communication products or other remote communication technologies for telehealth.” This means that any digital communication used for healthcare consultations must adhere to HIPAA’s Privacy and Security Rules to prevent unauthorized access, breaches, and misuse of patient data.
Key HIPAA compliance considerations for e-visits
To ensure HIPAA compliance, healthcare providers and telehealth platforms must implement the following safeguards:
- Secure communication channels: E-visits must be conducted over encrypted, secure platforms to prevent unauthorized access. Paubox is a HIPAA compliant option to consider for email and texting.
- Business associate agreements (BAAs): If a third-party vendor, such as a telehealth software provider, processes PHI on behalf of a healthcare entity, a BAA is required. This legally binds the vendor to adhere to HIPAA’s security standards.
- Patient consent and authentication: Healthcare providers should verify patient identities before conducting e-visits and ensure patients consent to the use of digital communications.
- Audit controls and access management: HIPAA requires communication platforms to have logging and monitoring capabilities to track who accesses patient information. Role-based access control (RBAC) should also be implemented to restrict PHI exposure to authorized personnel only.
- Compliance with the HIPAA Security Rule: The HIPAA Security Rule mandates three types of safeguards:
  - Administrative: Policies and procedures that regulate access to PHI.
  - Physical: Security measures to prevent unauthorized physical access to devices storing PHI.
  - Technical: Encryption, secure login, and multi-factor authentication (MFA) to protect digital PHI.
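The audit-control and RBAC safeguard above is easiest to see in code. The following is an added example, not code from the original page or from any vendor named on it: a small PHI store that enforces a role-to-permission map and writes an audit event for every access attempt, allowed or denied, so that "who accessed what, when" can be reviewed later. The roles, permission names, user names and patient record are all constructed for illustration.

```python
"""Added example: role-based access control plus an audit trail for PHI access.
Roles, permissions, users and the sample record below are constructed, not
taken from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Constructed role -> permission map. Only clinical roles may read PHI;
# billing sees billing data only, and platform support gets nothing by default
# (the "minimum necessary" idea behind restricting PHI exposure).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"phi:read", "phi:write"},
    "nurse": {"phi:read"},
    "billing": {"billing:read"},
    "it_support": set(),
}


@dataclass
class AuditEvent:
    """One line of the access log: who, in what role, tried what, on which
    record, and whether it was allowed."""
    timestamp: str
    user: str
    role: str
    action: str
    resource: str
    allowed: bool


@dataclass
class PHIStore:
    records: Dict[str, str]
    audit_log: List[AuditEvent] = field(default_factory=list)

    def _log(self, user: str, role: str, action: str, resource: str, allowed: bool) -> None:
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, action=action, resource=resource, allowed=allowed,
        ))

    def access(self, user: str, role: str, action: str, patient_id: str) -> Optional[str]:
        """Return the record only if the role holds the permission.
        Every attempt is logged before the decision is enforced, so denied
        attempts (including unknown roles) leave a trace for monitoring."""
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        self._log(user, role, action, patient_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} on {patient_id}")
        return self.records.get(patient_id)


def denied_attempts(store: PHIStore) -> List[AuditEvent]:
    """The events a monitoring job would alert on."""
    return [e for e in store.audit_log if not e.allowed]


def run_demo() -> PHIStore:
    """Constructed walk-through: one permitted read, one denied read."""
    store = PHIStore(records={"patient-001": "constructed e-visit note"})
    store.access("dr_lee", "physician", "phi:read", "patient-001")
    try:
        store.access("b_smith", "billing", "phi:read", "patient-001")
    except PermissionError:
        pass  # expected: billing has no phi:read permission
    return store


if __name__ == "__main__":
    s = run_demo()
    for event in s.audit_log:
        print(event)
```

In a real platform the audit log would be written to append-only storage and reviewed, and the role map would come from the identity provider rather than a dictionary; the point here is only that the authorization decision and the audit record are produced in the same place, so no PHI access goes unlogged.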
FAQs
What happens if an e-visit platform is not HIPAA compliant?
Using a non-compliant platform can result in data breaches, legal penalties, and loss of patient trust. The healthcare provider may also face fines from the U.S. Department of Health and Human Services (HHS).
What violations can be associated with HIPAA compliance during e-visits?
Some common HIPAA violations in e-visits include:
- Using non-encrypted communication platforms
- Failing to obtain patient consent for digital communication
- Sharing PHI without proper authorization
- Not implementing access controls and authentication measures