Dr Katie Stirling 22nd March 2020
Having had experience providing telehealth online psychology, we have had a number of questions from doctors trying to navigate the software security requirements in establishing telehealth COVID-19 services. Many have asked why we refer to HIPAA compliance when we live in Australia. I hope this information helps answer some of these questions.
Mandatory Privacy Rules in Australia
The Australian Medical Association (AMA) states that “New legal requirements introduced in 2018 mean that every medical practice must
have a proactive privacy compliance program”. In 2018 mandatory privacy requirements were introduced and the AMA suggests that
every quarter since, the health sector has reported the highest number of breaches, resulting in penalties of up to $2.1 million.
The AMA state that “ensuring compliance with privacy law is not just a matter of respecting patient confidentiality, your legal obligations include mandatory data breach notification, rules about handling data throughout its life cycle, and having a comprehensive privacy compliance program in place”. As we move to telehealth during COVID-19 isolation, peak bodies are reminding their members that there are broader considerations than funding requirements and it is important that we act in accordance of our respective ethical frameworks and professional standards.
What is HIPAA Compliance?
In 1996, the United States passed a law that brings together a broad range of patient privacy and confidentiality rules into the one Act
called the American Health Insurance Portability and Accountability Act (HIPAA). The Privacy Act 1988 is essentially the
Australian counterpart to HIPAA. As a health professional you are also operating under the relevant professional standards and codes
outlined by the Australian Health Practitioner Regulation Agency (AHPRA).
Isn’t HIPAA American? What does it have to do with Australia?
You don’t need to understand all of the specifics, the simplest way to think about it is HIPAA compliance is essentially the benchmark in this space for data security. If your software is HIPAA compliant then the software itself will meet many of the Australian requirements you need. Think of it like a seal of approval put on a product so that we can easily navigate which programs meet HIPAA compliance and which don’t. For simplicity sake Australia does not have it’s own seal sticker so we use the American seal HIPAA.
COVID-19 Funding - Does it matter if I am HIPAA compliant?
Information released about COVID-19 telehealth funding has referred to software that is not HIPAA compliant such as skype. The Australian government likely included non-HIPAA compliant software in COVID-19 telehealth information as this is a time of uncertainty. We need flexibility to be able to adapt and respond. These are extraordinary times and as a doctor you need the flexibility to use your professional judgement. There may be times when HIPAA compliant software is not available.
If I purchase HIPAA compliant software am I compliant with the Privavcy Act?
Not exactly. Yes you meet the software requirements for HIPAA compliance but your practice still needs to operate in accordance with the privacy act and other relevant standards. For example if you have HIPAA compliant software that is password protected and then gave your password to someone else, then the data would no longer be secure.
2- step verification
Privacy compliance is about more than just purchasing HIPAA compliant software, you also need to consider the way you are using the
software. This will be particularly relevant in the current environment where many doctors may be doing telehealth from their own laptops at
home. These computers may be accessible to other people in their environment.
One of the things that is often overlooked is the use of 2-step verification to ensure HIPAA compliance. You can establish 2-step verification using authentication programs such as google authenticator. Your team will have their own login (using their email and designated password), then an app such as google authenticator will provide a unique time limited code that will be the second step required for the team member to access the software online. It is also important to ensure that your team members do not disable any settings that turn off automatic lock outs after certain time limits. These functions ensure that if that individual forgets to log out they will automatically be locked out after a designated period of time thus supporting data security.
If you have more questions about telehealth considerations for doctors you can find more information here.