Monday, April 24

PROTECT: Telehealth Security, Safety, and Stewardship (Part 2)

Kenna Dunlap-Johnson, MBA, MSW, LCSW, and Ruth Lipschutz, ACSW, LCSW

This article is intended to help you better understand how to Protect the Profession. If you have insight on legislation and advocacy that supports the social work profession, please consider contributing an article! Submit your article proposal online here.

This is the second of a two-part article on providing telehealth services. To read Part One, click here. To get involved with the formation of a new Telehealth Shared Interest Group (SIG) with the NASW-Illinois Chapter, click here.

HIPAA Security Rule and Risk Analysis

The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires that covered entities, and any business associates providing services such as billing, scheduling, storing, receiving, or communicating information, “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [individual or organization].” (www.HHS.gov)

Risk analysis guidelines involve answering the following questions:

  • Have you identified the electronic protected health information (e-PHI) within your organization? This includes e-PHI that you create, receive, maintain, or transmit.
  • What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain, or transmit e-PHI on your behalf?
  • What are the human, natural, and environmental threats to the information systems that contain e-PHI? What are the potential threats and vulnerabilities? How might the confidentiality, integrity, or availability of the data be compromised? How likely and how severe is each threat? Assign a risk level to each threat.
  • Are the current security measures in place sufficient? What changes or additions are needed?

The scope of the assessment includes the following:

  • All components used to receive, send, and maintain PHI
  • All devices (e.g., computers, laptops, hard drives, phones, tablets)
  • Network connections and online services (e.g., e-mail, cloud storage, security, accounting, other contracted services)
  • Communication with clients, colleagues, business associates, providers, and backup services
  • Documentation systems (electronic and non-electronic)
  • Work environment (physical access, security, personnel, etc.)

Two further requirements apply to the process itself:

  • Finalize documentation. Documentation of the risk analysis is required, but no specific format is prescribed.
  • Periodically review and update the risk assessment. The risk analysis process should be ongoing, but no fixed frequency is prescribed. At a bare minimum it should be repeated any time new technology is introduced.

A “business associate” is a person or entity (other than a member of the workforce of a covered entity) who performs functions or activities on behalf of or provides certain services to a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. (www.HHS.gov)

Without a proper business associates agreement (BAA) in place, a covered entity is subject to large fines for any misuse of e-PHI that is transmitted during telehealth sessions. A BAA is vital as it sets out the covered entity’s rules and expectations for the business associate who is handling the e-PHI. The BAA requires that the business associate utilize appropriate safeguards to prevent inappropriate disclosure or use of e-PHI. Having a BAA in place and following up to ensure that the business associate is complying with the terms of the agreement may lessen a covered entity’s liability in instances where a breach of information occurs electronically during the utilization of telehealth services.

HIPAA Sections on BAA Role and Contract

The HIPAA Privacy Rule generally requires that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. The business associate contract also serves to clarify and limit, as appropriate, the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or as required by law. A business associate is directly liable under the HIPAA Privacy Rule and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule. (www.HHS.gov)

A written contract between a covered entity and a business associate must do the following:

(1) establish the permitted and required uses and disclosures of protected health information by the business associate;

(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;

(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;

(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;

(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;

(6) to the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;

(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;

(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;

(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and

(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract. Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (www.HHS.gov)

Specific questions that should be asked, and whose answers should be addressed in the BAA, for any telehealth two-way video-conferencing software include the following:

  • Are the telehealth sessions recorded, and if so, where are the recordings stored, who can access them, and when are they deleted?
  • Do we keep calendars, contacts, or other potential PHI synced with the software?
  • Does the software only transmit the session, or does data (recordings, chat logs, session metadata) remain stored within the vendor's systems afterward?

Be aware that it is not possible for software products and other electronic devices to be “HIPAA compliant” as some two-way video conferencing businesses may advertise. Covered entities are the ones who are either HIPAA compliant or not. Covered entities do need to ensure that any technology or products they use be compatible with HIPAA standards so that they, as covered entities, can comply with their HIPAA obligations.

HIPAA compliance is an ongoing process carried out by covered entities and business associates to ensure proper safeguarding of PHI.

Breach Notification

A breach is defined as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” (www.HHS.gov) “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, such as encryption or destruction; a lost or stolen device whose e-PHI is properly encrypted therefore generally does not trigger the notification obligations below, which is a strong practical reason to encrypt every device that holds e-PHI. When there is a breach of a patient's/client's unsecured PHI, the affected individuals must be notified that their protected health information has been compromised. A breach is treated as discovered on the first day on which it is known, or by exercising reasonable diligence would have been known, to the covered entity, and an investigation should follow from that date. A breach may involve inappropriately disclosed identifiers such as Social Security numbers, credit card numbers, and financial data. It may also include clinical detail such as diagnosis, treatment, and medications. When a breach of unsecured PHI affects more than 500 individuals, the Department of Health and Human Services (HHS) must be notified without unreasonable delay, and if more than 500 residents of a state or jurisdiction are affected, prominent media outlets serving that state or jurisdiction must be notified as well. Breaches affecting fewer than 500 individuals must be logged and submitted annually to HHS in the manner specified on the HHS website. Business associates must notify the covered entity (the organization and/or practitioner) of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery of the breach.


Frederick Reamer suggests the following protocol for telehealth practice:

  • Full disclosure: Develop a clear, comprehensive statement that fully discloses the possible benefits and risks of telehealth services.
  • Comprehensive assessment: Provide clients with detailed and complete assessment tools. Fully evaluate each client's appropriateness for telehealth interventions.
  • Confidentiality and disclosure of safeguards: Be aware of all security precautions needed to prevent hacking, misdirected e-mails, eavesdropping on telephone conversations, etc., and disclose them to clients.
  • Emergency contact: Provide a contingency plan for clinical emergencies or technology failures.
  • Consult state licensing provisions.
  • Consult the NASW Code of Ethics.
  • Consult a malpractice/risk management attorney.
  • Provide communication tips to clients.

Ultimately, as the NASW Code of Ethics states: “[S]ocial workers' ethical behavior should result from their personal commitment to engage in ethical practice. Principles and standards must be applied by individuals of good character who discern moral questions and, in good faith, seek to make reliable ethical judgments.” Telehealth may be an extremely beneficial way of providing mental healthcare services, especially in major shortage areas where access to healthcare services is limited and for populations with mobility difficulties. Multiple forms of online services can offer information, support, education, and various forms of treatment. Most social workers are not IT experts. As experienced as we may be in our mode of practice, the technical details of telehealth security present a learning curve. As Section 1.04(b) of the NASW Code of Ethics states, our fiduciary duty is to engage “in appropriate study, training, consultation, and supervision from people who are competent in those interventions or techniques.”

Posted on 04/24/17 at 08:00 AM
