HIPAA
As a business associate, Teladoc Health is required to comply with 45 CFR §164.308 (Administrative Safeguards), 45 CFR §164.310 (Physical Safeguards), and 45 CFR §164.312 (Technical Safeguards) when it maintains and transmits protected health information in electronic form in connection with transactions performed by the customer (the covered entity).
The policy of this organization is to ensure, to the greatest extent possible, that Protected Health Information (PHI) is not intentionally or unintentionally used or disclosed in violation of the HIPAA Privacy Rule or any other federal or state regulations governing confidentiality and privacy of health information.
A number of safeguards are implemented in the telehealth system to ensure that it complies with the latest HIPAA regulations. One of the key requirements is Teladoc Health’s ongoing implementation and updating of its HIPAA security policies and procedures to ensure the availability, security, and privacy of telehealth connections and ePHI (electronic protected health information). Teladoc Health maintains a policy to ensure workforce HIPAA compliance and training. Teladoc Health additionally maintains HIPAA security policies and procedures, a data destruction policy, and security incident response procedures.
Guidelines for Compliance
The telehealth system helps hospitals and medical professionals comply with HIPAA regulations.
HIPAA requires all healthcare organizations to have policies and procedures; the guidelines in this section are intended to support them. However, these guidelines may not cover all situations for a specific organization. For example, from time to time, automatic software upgrades may be downloaded which contain new features. Teladoc Health will inform users of significant features added, their impact, and how they may affect HIPAA policies, procedures, and safeguards.
Access to Provider Access
The computer running Provider Access should be placed in a location that is accessible only to individuals who are authorized to access Protected Health Information (PHI). It is recommended that Provider Access be password protected via a Windows or iOS user account.
Only authorized users should have passwords, and users should safeguard passwords according to hospital policies and procedures. Passwords should be treated as highly confidential information. If you believe your password may have been compromised, it should be changed as soon as possible. Change your password by clicking on the "Forgot Password" link on the login screen of the Teladoc Health Provider Access.
The Auto Logout feature logs the user out of the Teladoc Health Provider Access when the system has been inactive for 30 minutes. In addition, all users should be trained to log out of Windows, iOS, or the Virtual Private Network (VPN) when away from the system for any period of time. This is important for security: anyone attempting to use the Provider Access will then be required to enter a password first.
Discussion and Display of PHI
From time to time a physician will likely engage in remote communications with patients and medical staff in which patient information (records, images and video) will be discussed or displayed. In general, the same care should be exercised as though the physician were physically present. For example:
- Use Head rotation to look around and see who else is nearby and might see or hear the sensitive information, and use appropriate discretion.
- Use the microphone mute button when conversing with someone alongside the Teladoc Health Provider Access to avoid the inadvertent conferencing of patient-related conversation.
- The Teladoc Health Provider Access screen should be positioned to face away from public areas, so that it is not visible to passersby.
Images and Video
By default, all captured images and video files are stored as encrypted files, viewable only by the Provider Access user who captured them. All files are saved in the user’s Teladoc Health Media Vault to provide added protection.
For convenience, these files may also be saved in common formats, e.g., JPEG for still images. Files saved this way are no longer encrypted and are therefore viewable by any user who can access them. For that reason, the following techniques are recommended for safeguarding the PHI contained in these images and videos:
- Ensure all personnel who have access to the Provider Access Software also have full permission to access stored images and videos under the hospital’s policies and procedures;
- Store captured images and videos only on removable media (e.g., recordable CD-ROMs) that each user can take with them, or on secure network drives;
- Do not save any captured images and video clips. Use these images and video segments only while logged in for a virtual encounter.
Disclosure of PHI
If the physician plans to transmit or copy stored images or video to other individuals or organizations, e.g., to a healthcare operator, the physician needs to abide by standard HIPAA codes governing who may receive PHI and under what conditions. The hospital’s HIPAA compliance officer should be consulted for details.