Are Telepresence Robots HIPAA Compliant?
You may be familiar with a very short, glib response to the question, which says, “Telepresence robots do not need to be HIPAA compliant.” However, the full answer is more complex. If you are familiar with HIPAA, you can fast-forward to the second paragraph. For those who are unaware of the term, HIPAA stands for “Health Insurance Portability and Accountability Act,” a public law enacted in 1996 and since revised. In general, it is an act which sets federal standards for electronic health care transactions and the security and privacy of certain health information. Within this act, the HIPAA Privacy Rule maintains the privacy of individually identifiable health information. Related to this is the rule more germain to the issue of using telepresence robotics within the medical field, the Security Rule, which focuses on the protection of any individually identifiable health information that a covered entity uses in electronic form. As the U.S. Department of Health and Services states, that information is called “electronic protected health information.” Covered entities affected by this are 1) a health plan, 2) a health care clearinghouse, and 3) a health care provider who transmits or maintains health information in electronic form. For more information on the act and what information is protected by this section of the act, you may visit the U.S. Department of Health & Human Services’ (HHS) page by clicking here. As fair warning, the articles are very dense and the language bordering on verbosity. Many will say our use of the word “bordering” shoots far short of the mark. However, it may suffice to say that HIPAA, in general, aims to protect the confidentiality and security of your health care information.
As alluded to above, the question of whether a telepresence robot needs to be HIPAA compliant is moot. In response to our query, the Office for Civil Rights and HHS stated, “we do not endorse any materials or systems as ‘HIPAA compliant.’” Therefore, while manufacturers need not list their telepresence robots as having HIPAA compliance, the covered entity (as mentioned above) must ensure that any data transmission using the robot is secured according to HIPAA standards, whether that transmission includes the creation, sending, or receiving of protected information. This includes transmission such as that achieved via the internet, extranet, private networks, and the physical movement of transportable electronic storage media, etc. An additional item to keep in mind is that, as Section 16 Part 103 of the act states, voice and video transmissions are not considered to be “transmissions via electronic media, because the information exchanged did not exist in electronic form before the transmission.”
The covered entity which employs the use of the telepresence robot is responsible for complying with HIPAA standards for all transmissions via the internet network(s) used and for complying with the standards regarding any data applications used with the robot. For example, some robots include applications where a physician can view patient information, vital records, CT scans, etc. while simultaneously interacting with the patient visually and verbally.
While in most cases the security features (such as the encryption of data) used within applications for the telepresence robots should be enough to satisfy requirements, we advise contacting the robot manufacturer directly to ask which application is necessary to control the robot, to utilize additional features such as sending of written data or x-rays, etc., and if those applications are properly secured and protected in accordance with HIPAA regulations. For providers interested in telemedicine, or who are already utilizing telepresence robots within their medical clinics or hospitals, ensuring that the robot’s applications allow for you to continue in compliance with HIPAA will certainly be vital.
We at TelepresenceRobots.com hope this answer is both helpful and sufficient. However, we are aware that, with the goal of being concise and helpful to visitors who are not fluent in legalese, the answer may not be as detailed as creators of the act would wish. With that said, please refer to the US. Department of Health and Human Services for more information on HIPAA, or to see if your entity is covered by the HIPAA Security Rule, or to see if your entity is in alignment with HIPAA standards. Section 164 Part 306, in particular, may be of great assistance in determining what responsibilities you have as a provider using a telepresence robot.
Feel free to leave any comments, concerns, or questions with us by using the Contact Us section of our website, which is located in the footer at the bottom of each page, or by clicking here.