Telehealth Privacy Standards

April 15, 2021

Telehealth, or telemedicine, offers virtual healthcare through the use of digital devices, like telephones and computers. It is a safe, effective way for patients to meet with their medical providers and is often more accessible and convenient. Many services are available and effective via telehealth, including diagnosis and treatment of chronic disease, as well as behavioral health therapy. 

As telehealth becomes more popular as a safe, effective means of seeking medical care, patients and providers alike are responsible for telehealth privacy. And here at Bicycle Health, we take telehealth privacy and patient confidentiality seriously. We protect the privacy of our patients’ health information in accordance with state and federal laws, including compliance with the Health Insurance Portability and Accountability Act (HIPAA) and Disclosure of Substance Use Disorder Patient Records (Part 2). So, let’s jump into what this means!

HIPAA Compliant Telehealth

The Health Insurance Portability and Accountability Act (HIPAA) was passed by the U.S. Congress in 1996, and the HIPAA Privacy Rule regulates the use and disclosure of patients’ Protected Health Information (PHI) pertaining to healthcare treatment, operations, and payment for health services. PHI includes all individually identifiable information, including demographics (e.g., name, birth date, contact information, geographic identifiers), medical history, test results, insurance information, technology device identifiers (e.g., IP address), and photographic images. You can review a complete list of PHI here.

This means that medical providers, healthcare organizations, and insurance companies cannot share any information about a patient or their health unless the following criteria are met:

  • The patient consents in writing;
  • The disclosure is allowed by a court order; or
  • The disclosure is made to medical personnel in a medical emergency or to qualified personnel for research, audit, or practice/program evaluation.

The HIPAA Privacy Rule was developed to protect the confidentiality of patients, and the rule imposes severe consequences on providers who are not in compliance. Bicycle Health is a HIPAA compliant provider, and you can review our Notice of Privacy Practices here.

Telehealth Privacy & Protection Practices

Bicycle Health is truly committed to robust telehealth security. All patient-provider communication occurs via the Bicycle Health password-protected phone application, and patients are encouraged to use strong, app-specific passwords (i.e., don’t use the same password for the Bicycle Health app that you use for other accounts). Both patient and provider will connect to the HIPAA- and password-protected, individual-use Zoom room, and HIPAA-protected meetings do NOT allow recordings. Further, none of the data on the Bicycle Health app is stored locally (i.e., on phones or computers). Data encryption ensures confidentiality, and telehealth visits are encrypted using the Advanced Encryption Standard. Two-factor authentication is used for applications that include Protected Health Information (PHI).

In order to protect patient privacy, Bicycle Health providers and staff will never connect with patients via non-commercial communication apps, like Facebook or WhatsApp.

Before the first video conferencing visit with your provider, patients at Bicycle Health will be educated on telehealth security best practices. You can read more about Bicycle Health’s Telehealth Informed Consent here.

Our Telehealth Privacy + Security Policies

As previously mentioned, Bicycle Health has privacy and informed consent policies available, which you can review here and here. Bicycle Health also has robust systems in place to protect the privacy and confidentiality of all patients, including the following:

  • All providers, staff, software developers, and leadership complete HIPAA training before being allowed access to PHI;
  • All systems with PHI are clearly documented;
  • All third-party software that handles PHI (e.g., Zoom, Freshworks, Spruce, Google Cloud Platform, Twilio) is HIPAA-compliant, and Bicycle Health has a signed Business Associate Agreement (BAA) on file with them;
  • Critical security updates are immediately installed on applications;
  • Two-factor authentication is used for all applications containing PHI; and
  • All developer software has FileVault encryption enabled.

All privacy policies and procedures are kept current and meet federal and multi-state regulations.

Our Telehealth Data Storage Policies

Apart from PHI on the Bicycle Health app (the patient communication portal), providers document medical histories and treatment plans in the electronic health record, Athena. Two-factor authentication is enabled for Athena, and Athena also includes audit logging for every operation. No PHI is stored via cloud servers.

For patients, no data on the Bicycle Health app is stored locally (i.e., on phones or computers). If patients decide to store health information on the hardware of local devices, they’re encouraged to store only limited information that might be needed in the case of an emergency and to choose this information cautiously. 

Employee Training

All Bicycle Health providers, staff, software developers, and leadership complete training on computer network privacy and security AND mobile device privacy and security. HIPAA training is also required at the start of employment and on an annual basis for all Bicycle Health employees. 

Patient Education

Patients are also responsible for engaging in security best practices, like using secure internet connections and ensuring the security of their passwords. When connecting to the internet, we recommend either a landline connection or a personal and secure WiFi network. Before the first telehealth visit, Bicycle Health patients will be educated on security best practices in order to ensure the highest level of privacy and security possible.

Here at Bicycle Health, we value our patients above all else and are committed to robust telehealth privacy and security standards. To learn more about the availability of Bicycle Health’s buprenorphine/naloxone (Suboxone) treatment in your area, call us at (844) 943-2514, or schedule an appointment here.

Photo Courtesy of Dan Nelson on Unsplash.

About the Author

Rebekah L. Rollston, MD, MPH

Dr. Rollston is a Family Medicine Physician at Cambridge Health Alliance, Affiliate Editor-in-Chief of the Harvard Primary Care Blog, and Founder of Doctors For A Healthy US, LLC. She earned her Medical Degree from East Tennessee State University Quillen College of Medicine and her Master of Public Health from The George Washington University. Her professional interests focus on social influencers of health & health disparities, addiction medicine, sexual & reproductive health, homelessness & supportive housing, and rural health.
