Q&A: Telehealth security
Q. My facility offers telehealth services as an originating site. Is the distant site acting as a BA in these situations? Is my facility responsible for ensuring the distant site is in compliance with the Security Rule?
A. That all depends. If the distant site is another CE and the purpose for using the telehealth services is to obtain additional clinical support such as connecting with a specialist, the distant site would be another CE and you would not be required to ensure the distant site is compliant with the Security Rule. That said, it’s still a good idea to make sure the distant site is secure. If it’s not, you’re putting your patients’ data at risk. As the saying goes, security is only as strong as its weakest link.
Depending on the setup and on who is providing support to whom, your site and/or the distant site could be a BA, and that would require the execution of a BAA and the exercise of due diligence. For example, if you provide the distant site with technical support and you maintain the telehealth site on behalf of another CE, you may well be a BA. This is the case if the other site is paying you to support the service. The same would be true for the distant site. If the distant site is providing support to you that’s paid for by you, it is likely the distant site is a BA. CEs can be BAs, and that’s called a hybrid entity.
Editor’s note: This question was answered by Chris Apgar, CISSP. Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.