What are the HIPAA rules for video conferencing?

The HIPAA rules for video conferencing in teletherapy require that any platform used has encryption, secure user authentication, and safe data storage to protect protected health information (PHI). Additionally, therapists must obtain a business associate agreement (BAA) with the video conferencing provider to ensure HIPAA compliance. 

HIPAA compliance requirements for video conferencing

When conducting teletherapy sessions, any information shared through video conferencing is considered PHI and is subject to HIPAA regulations. PHI is defined as "all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. " That includes the conversation and any recorded sessions, notes, or shared files during the session.

Under the HIPAA Privacy Rule, mental health professionals must maintain the confidentiality of PHI, ensuring that no unauthorized individuals can access this sensitive information. According to the HHS, "The Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting e-PHI.". These safeguards include secure data transmission, encryption, and access controls to prevent unauthorized access to the video conferencing session.

Choosing a HIPAA compliant video conferencing platform

A video conferencing platform must offer several key features to comply with HIPAA:

• Encryption: This ensures the communication is secure from the moment it leaves the therapist’s device until it reaches the patient’s device, preventing unauthorized access or interception.
• Secure user authentication: Both the therapist and patient must be verified before the session begins, ensuring that only authorized individuals can participate in the teletherapy session.
• Data storage and handling: If the platform allows session recordings or stores any data, it must do so securely. The data must be encrypted and stored so unauthorized individuals cannot access it.

In addition to these features, have a BAA with the video conferencing service provider. The BAA ensures the provider will handle PHI in compliance with HIPAA regulations. Without a BAA, even a platform with all the necessary security features would not be considered HIPAA compliant.

Best practices for HIPAA compliant teletherapy sessions

• Obtaining patient consent: Obtain and document explicit permission from the patient to conduct sessions via video conferencing before starting teletherapy. The consent should include an explanation of the platform being used, how the sessions will be conducted, and any potential risks.
• Managing session recordings: If sessions are recorded, they must be stored securely and in compliance with HIPAA. Recordings should be encrypted and stored in a secure location, with access limited to authorized individuals only. Patients should also be informed about the recording and storage process, and their consent should be obtained beforehand.
  
  

Addressing common challenges

If connection is lost during a session, both the therapist and the patient should have a plan to resume it securely.

Another common concern is patient privacy, particularly in shared or public spaces. In such cases, therapists should advise patients to use headphones and ensure no unauthorized individuals can overhear the conversation. 

FAQs

Is it a HIPAA violation to conduct a teletherapy session in a public place?

Conducting sessions in public places can lead to privacy breaches. The therapist and patient should be in private, secure environments to maintain HIPAA compliance.

Are therapists required to use multi-factor authentication (MFA) for video conferencing platforms?

While not explicitly required, using MFA adds an extra layer of security and is recommended for protecting access to teletherapy sessions.

Can I share session recordings with patients or their families?

Yes, but you must ensure the recordings are shared securely, such as through encrypted email or a HIPAA compliant file-sharing platform.