Standards for Telehealth Privacy

12/21/2022 · 3 min read

Telehealth, often known as telemedicine, is a form of virtual healthcare delivered through digital devices such as phones and computers. It is a safe, effective, and frequently more accessible and convenient way for patients to meet with their medical professionals. Many services, including the diagnosis and treatment of chronic disease as well as behavioral health therapy, are available and effective through telehealth.

As telehealth becomes more widespread as a safe and effective way to obtain medical care, patients and clinicians alike are accountable for telehealth privacy. At Suboxone Clinic, we take patient confidentiality and telemedicine privacy very seriously. We follow state and federal laws that protect the privacy of our patients' health information, including the Health Insurance Portability and Accountability Act (HIPAA) and the Disclosure of Substance Use Disorder Patient Records (Part 2). So, let's have a look at what this entails.

Telehealth that complies with HIPAA

The US Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996, and the HIPAA Privacy Rule governs the use and sharing of individuals' Protected Health Information (PHI) for healthcare treatment, operations, and payment for health services. PHI includes demographics (e.g., name, birth date, contact information, geographic identifiers), medical history, test results, insurance information, technology device identifiers (e.g., IP address), and photographic images.

A complete list of PHI can be found here. This means that medical professionals, healthcare organizations, and insurance companies are prohibited from sharing information regarding a patient's health unless one of the following conditions is met:

  • The patient gives his or her written consent;

  • A court order authorizes the dissemination; or

  • In the event of a medical emergency, the information is disclosed to qualified people for study, audit, or practice/program review.

The HIPAA Privacy Rule was created to preserve patients' privacy, and non-compliance with the rule can result in serious consequences for providers. Suboxone Clinic is a HIPAA-compliant provider; our Notice of Privacy Practices may be found here.

Practices in Telehealth Privacy and Protection

Suboxone Clinic is a firm believer in telehealth security. All patient-provider contact takes place through the Suboxone Clinic app, which is password-protected, and patients are encouraged to use strong, app-specific passwords (i.e., do not reuse the password for the Suboxone Clinic app on other accounts).

Both the patient and the practitioner join a HIPAA-compliant, password-protected, individual-use Zoom room, and recording is disabled for HIPAA-protected meetings. Furthermore, no information from the Suboxone Clinic app is saved locally (i.e., on phones or computers). Telehealth visits are secured using the Advanced Encryption Standard (AES), which ensures data confidentiality.

Applications that hold Protected Health Information (PHI) require two-factor authentication. To protect patient privacy, Suboxone Clinic doctors and staff will never communicate with patients through non-commercial communication apps such as Facebook or WhatsApp. Patients at Suboxone Clinic will be instructed in telehealth security best practices before their first video conference with their practitioner. More information on Suboxone Clinic's Telehealth Informed Consent can be found here.

Our Telehealth Security and Privacy Policies

Suboxone Clinic has privacy and informed consent policies, which you can read here and here. In addition, Suboxone Clinic has comprehensive measures in place to protect all patients' privacy and confidentiality, including the following:

  • Before being given access to PHI, all clinicians, personnel, software developers, and leadership must complete HIPAA training.

  • All PHI-related systems are well-documented.

  • All third-party software that handles PHI is HIPAA-compliant (for example, Zoom, Freshworks, Google Cloud Platform, and Twilio), and Suboxone Clinic has a signed Business Associate Agreement (BAA) on file with each vendor.

  • Critical security upgrades are applied to programs right away.

  • Secure authentication is implemented for all applications holding PHI.

  • FileVault encryption is enabled on every developer machine.

All privacy rules and procedures are kept up to date and comply with federal and multi-state laws.

Our Data Storage Policies for Telehealth

Providers record medical histories and treatment plans in the electronic health record, Athena, in addition to the PHI held in the Suboxone Clinic app (the patient communication portal). Athena supports secure authentication and maintains audit logging for all operations. Cloud servers do not keep any PHI. No data from the Suboxone Clinic app is saved locally for patients (i.e., on phones or computers). Patients who opt to save health information on a local device are advised to keep only the information that would be needed in an emergency and to choose that information carefully.

Employee Education

All Suboxone Clinic clinicians, staff, software developers, and leadership have received training in both computer network and mobile device privacy and security. All Suboxone Clinic staff must complete HIPAA training at the outset of their employment and annually thereafter.

Patient Orientation

Patients are also responsible for following security best practices, such as using secure internet connections and keeping their passwords secure. We recommend connecting to the internet over a wired connection or a personal, secured WiFi network. Suboxone Clinic patients will be informed about security best practices before their first telehealth appointment to ensure the highest level of privacy and security possible.