The HIPAA rules for video conferencing in teletherapy require that any platform used has encryption, secure user authentication, and safe data storage to protect protected health information (PHI). Additionally, therapists must obtain a business associate agreement (BAA) with the video conferencing provider to ensure HIPAA compliance.
When conducting teletherapy sessions, any information shared through video conferencing is considered PHI and is subject to HIPAA regulations. HHS defines PHI as "all 'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral." That includes the conversation itself and any recorded sessions, notes, or files shared during the session.
Under the HIPAA Privacy Rule, mental health professionals must maintain the confidentiality of PHI, ensuring that no unauthorized individuals can access this sensitive information. According to HHS, "The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI." For video conferencing, these safeguards include encrypted data transmission, encrypted storage of any recordings or notes, and access controls that keep unauthorized parties out of the session.
A video conferencing platform must offer several key features to comply with HIPAA:
In addition to these features, the therapist must have a BAA with the video conferencing service provider. The BAA is the provider's contractual commitment to handle PHI in compliance with HIPAA regulations. Without a BAA, even a platform with all the necessary security features would not be considered HIPAA compliant.
If the connection is lost during a session, both the therapist and the patient should have an agreed plan for resuming it securely, for example rejoining the same session rather than switching to an unvetted channel.
Another common concern is patient privacy, particularly in shared or public spaces. In such cases, therapists should advise patients to use headphones and ensure no unauthorized individuals can overhear the conversation.
Conducting sessions in public places can lead to privacy breaches. The therapist and patient should be in private, secure environments to maintain HIPAA compliance.
While not explicitly required by the Security Rule, enabling multi-factor authentication (MFA) on the accounts used to host and join sessions adds an extra layer of security and is recommended for protecting access to teletherapy sessions.
Yes, but you must ensure the recordings are shared securely, such as through encrypted email or a HIPAA compliant file-sharing platform covered by a BAA, rather than ordinary email attachments or consumer file-sharing links.