Telemedicine and Digital Therapy
Harmony Telemedicine Criteria
Client must be moderate to low risk for suicide based upon initial assessment.
Client must have a Primary Care or Psychiatrist that the coach or counselor may speak with for continuity of care and background.
An Individual Safety Plan for Emergencies must be developed with the client in the first session which will include:
What to do if I feel Suicidal?
Who is my Emergency Contact?
Who is my Psychiatrist and Primary Care Physician?
What is my closest Hospital?
What is our alternative if technology fails?
Telemedicine Video System
Harmony uses Secure Video for our Digital Medicine Platform. SecureVideo.com was founded in 2012 by a team of behavioral health and technology experts in the San Francisco Bay Area. We’ve worked together since 1999 and have a passion for developing clinical technology systems that are simple, intuitive and pragmatic. We saw a need for a videoconference system that would be quickly implemented and adapted to the workflows of any medical environment – hospitals, networks, clinics, individuals and more. This would allow existing medical organizations to offer telehealth services – as opposed to sub-contracting for a specialty network that happened to work via video. We knew that the technology could now support this “do-it-yourself” approach, but the workflows needed to be designed correctly and it needed to be supported as a service, not just technology. We formed SecureVideo to meet this need. Our mission is to support medical professionals as they harness technology to transform healthcare.
You may also be interested in these articles:
Why do providers use Digital Health Platforms?
What do providers already using video think?
Some of the benefits providers have cited from working in video include:
- Reduced no-shows
- Ability to work from home
- More billable sessions because of less “chit chat” with patients
- Great way to fill “non-prime” time slots
- Reduced office expense
- Physical safety
Do you have evidence on videoconferencing effectiveness?
Here are two studies:
- A study of nearly 100,000 mental health patients at the U.S. Department of Veterans Affairs demonstrated an approximately 25% reduction in hospitalization after initiation of video services. (Linda Godleski, M.D.; Adam Darkins, M.D., M.P.H.; John Peters, M.S. Psychiatric Services 2012; doi: 10.1176/appi.ps.201100206)
- Practice-based collaborative care is a complex evidence-based practice that is difficult to implement in smaller primary care practices that lack on-site mental health staff. Telemedicine-based collaborative care virtually co-locates and integrates mental health providers into primary care settings. The objective of this randomized, multisite trial was to compare the outcomes of patients assigned to practice-based and telemedicine-based collaborative care.
(John C. Fortney, Ph.D.; Jeffrey M. Pyne, M.D.; Sip B. Mouden, M.S., C.R.C.; Dinesh Mittal, M.D.; Teresa J. Hudson, Pharm.D.; Gary W. Schroeder, Ph.D.; David K. Williams, Ph.D.; Carol A. Bynum, Ph.D.; Rhonda Mattox, M.D.; Kathryn M. Rost, Ph.D. Am J Psychiatry 2013; doi: 10.1176/appi.ajp.2012.12050696)
HIPAA Security Rule
This is a close read of the HIPAA Security Rule. The following article provides an outline of the different sections and compliance requirements for each one. We intend this to offer a way to get started. You may want to assign a Privacy Officer to examine this and all HIPAA rules thoroughly and help you put an action plan in place.
HIPAA established the Security Rule to ensure that all covered entities have implemented safeguards to protect the confidentiality, integrity, and access of PHI.
There are two types of implementation specifications: “required” and “addressable.” Wherever the Security Rule reads “required,” that specification must be implemented; whereas, if it says “addressable,” there is some wiggle room in exactly how you comply with that specific standard.
To meet the addressable specifications you can either a) implement as directed in the rule; b) implement one or more alternatives that will give you the same results; c) not implement at all. If you decide on the latter, it’s advisable to create documentation that outlines how you came to that decision; i.e., the factors you considered and the results of a risk assessment you used to base your decision.
It’s important to emphasize that the addressable specifications are not optional. You just have a little more flexibility in how you implement those pieces.
The Security Rule has three parts:
1) Technical Safeguards
2) Physical Safeguards
3) Administrative Safeguards
HIPAA Technical Safeguards include:
- Access control
- Audit controls
- Person or entity authentication
- Transmission Security
There are four required standards to meet under the Technical Safeguards.
- Access Control: Unique User ID – Every user must be assigned a unique ID that is used to track activity.
- Access Control: Emergency Access Procedure – Have procedures that allow you to access ePHI in the case of an emergency.
- Audit Control: Activity Oversight – You must have a system in place to record and review all ePHI activity logs.
- Person or Entity Authentication – You must confirm that a person who desires access to ePHI is who they say they are.
There are also five addressable Technical Safeguard standards.
- Access Control: Automatic Log-off – Set up auto log off systems for all workstations.
- Access Control: Encryption – Have a system to encrypt and decrypt ePHI.
- Integrity: Mechanism to Authenticate ePHI – Authenticate ePHI to verify its integrity.
- Transmission Security: Integrity Oversight – Ensure that ePHI is not modified without detection.
- Transmission Security: Encryption Control – Develop a system that encrypts ePHI whenever deemed appropriate.
For reference: HIPAA Security Technical Safeguards
The four Physical Safeguard standards to address are:
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Under these sections, there are four required implementation standards to note:
- Workstation Use – You must create policies and procedures that outline the proper functions to be performed by electronic devices and the appropriate business use of workstations.
- Workstation Security – Similar to the one above, this standard asks you to implement safeguards for workstations that contain ePHI and limit access to authorized users.
- Device and Media Control: Media Re-Use – Implement procedures for ePHI removal before the device or media is available for re-use.
- Device and Media Control: Disposal – Implement policies and procedures for the final disposal of ePHI and any hardware associated with its storage.
Next, you have six remaining addressable Physical Safeguard implementation standards:
- Facility Access Controls: Contingency Operations – Create and implement a disaster plan for emergencies to restore any lost data.
- Facility Access Controls: Facility Security Plan – Implement policies and procedures to protect the facility and its equipment from access, tampering, and/or theft.
- Facility Access Controls: Access Control and Validation Procedures – Implement procedures to control and validate a person’s facility access based on their role or function; i.e., staff and visitor badges, control of access to software testing & editing.
- Facility Access Controls: Maintenance Records – Implement policies and procedures to document repairs and upgrades to the physical components related to security; i.e., hardware, locks, bolts, and doors.
- Device and Media Controls: Accountability – Maintain documentation for hardware and electronic media assigned to people responsible for them.
- Device and Media Controls: Data Backup and Storage – Create a retrievable, exact copy of ePHI, as needed, before movement of equipment or hardware.
For reference: HIPAA Security Series, Security Standards: Physical Safeguards (PDF)
The administrative piece is vital when starting a HIPAA compliance program. Over half of the HIPAA Security requirements are under this section. The administrative safeguards are “administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect ePHI and to manage the conduct of your workforce in relation to protected information.”
You are required to designate a privacy officer, complete and document a risk assessment annually, train employees, review policies and procedures, and complete Business Associate Agreements, or BAAs, with all your partners handling PHI.
There are nine standards in the Administrative Safeguards section. They are:
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Business Associate Contracts and Other Arrangements
There are eleven required Administrative safeguard standards.
- Security Management Process: Risk Assessment – Conduct and document a risk analysis to review ePHI storage and use to assess where there are vulnerabilities in your systems.
- Security Management Process: Risk Management – Implement measures to reduce risks.
- Security Management Process: Sanction Policy – Implement appropriate sanctions against employees who fail to comply with security protocols.
- Security Management Process: Information Systems Activity Reviews – Regularly review system activity, logs, audit trails, and the like.
- Assigned Security Responsibility: Officers – Designate in-house HIPAA Security and Privacy Officers.
- Information Access Management: Multiple Organizations – Ensure that ePHI is not accessed by other partner entities, like a parent company, a subsidiary, contractors, or subcontractors, that shouldn’t have access.
- Security Incident Procedures: Respond and Document – Respond and document all security incidents.
- Contingency Plans: Contingency Plans – Implement policies and procedures that ensure the availability of ePHI backups and the retrieval of any lost data.
- Contingency Plans: Emergency Mode – Establish procedures to allow for critical business operations to protect ePHI in the event of an emergency.
- Evaluations: Perform cyclical evaluations to make changes in your business operations should any HIPAA laws change.
- Business Associate Agreements (BAAs): Implement contractual agreements to ensure your partners’ compliance with all HIPAA laws. Choose partners who have similar agreements in place with others.
There are also seven addressable standards under the Administrative Safeguards.
- Workforce Security: Employee Oversight – Implement policies and procedures to ensure all members of your workforce have appropriate access when their role calls for it and have that access removed when necessary.
- Information Access: Access Authorization – Implement policies and procedures for granting access to ePHI that monitor and allow access to ePHI.
- Security Awareness and Training: Security Updates – Cyclically send reminders about security and privacy policies to all employees.
- Security Awareness and Training: Protection Against Malware – Create policies and procedures that safeguard your systems against malicious software.
- Security Awareness and Training: Log-in Oversight – Implement monitoring of logins and reports of inconsistencies within your systems.
- Security Awareness and Training: Password Controls – Assure that there are systems in place for creating, protecting, retrieving, and editing passwords.
- Contingency Plans: Update and Review – Assess the relative criticality of specific applications and data in support of other contingency plan components.
For reference: HIPAA Security Series, Security Standards: Administrative Safeguards (PDF)
Content pulled from Secure Video Information Website