Messenger™, also known as Facebook Messenger™, is a free instant messaging app developed in 2011 and available on desktop or mobile devices. Facebook Messenger™ allows users to send and exchange messages, photos, stickers, videos, audio, and files, in addition to supporting voice and video calls. In April of 2020 Messenger Rooms™ was launched, allowing users to video chat with up to 50 people without a time limit.
With an increased demand for telemedicine during the coronavirus pandemic, healthcare providers are seeking patient messaging solutions that are easy to integrate with their practice. Since Messenger™ has widespread adoption in the US as one of the nation’s leading messaging platforms, many healthcare organizations are wondering if the platform can be used for telemedicine. Providers might see Messenger™ as an easy and familiar way to reach patients, since patients already use it and would not have to learn an entirely new platform.
While healthcare organizations are looking for quick and convenient turnkey solutions at this time, they should be cautious to avoid penalties and legal ramifications. Implementing a video chat solution that isn’t HIPAA compliant can have serious ramifications for your practice and the security of patient data.
For Facebook Messenger™ to be considered a HIPAA compliant telemedicine platform, it must fulfill all of the following requirements:
Employ end-to-end encryption
Implement access control
Enable audit controls
Sign a business associate agreement (BAA)
Is Facebook Messenger™ a HIPAA compliant video chat solution?
Below we assess whether Facebook Messenger™ meets the security and regulatory requirements to be considered HIPAA compliant.
Any solution that claims to be HIPAA compliant must encrypt data at all times (at rest and in transit) so PHI is not vulnerable to interception by third parties. Facebook Messenger™ does include an option to encrypt data, but users must opt in to this feature.
Facebook Messenger™ users aren’t required to provide login details each time they view messages in the app; therefore, the platform does not implement the proper access and authentication controls. If a device is stolen that contains the Messenger™ app, an unauthorized person will be able to access the PHI shared in the app without having to log in. Due to a lack of access controls, Facebook Messenger™ is not a HIPAA compliant telemedicine platform.
HIPAA-covered entities must ensure there is an audit trail. All information sent within Facebook Messenger™ would need to be stored with the ability to examine user activity within the app. It’s easy for users to delete messages; therefore, it would be difficult to maintain an audit trail on Facebook Messenger™. Due to a lack of audit controls, Facebook Messenger™ is not a HIPAA compliant video chat solution.
Business associate agreement
Business associates are companies or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. A business associate agreement is a contract between a healthcare organization and a business associate that requires both parties to protect PHI under HIPAA’s rules and regulations. Facebook will not sign a BAA, so Facebook Messenger™ is not a HIPAA compliant telemedicine platform.
What’s the verdict?
Facebook Messenger™ fails to meet all four HIPAA requirements and is not considered a HIPAA compliant telemedicine platform.
Founder and CEO of Bridge Patient Portal, and a health IT entrepreneur and business owner of 19 years with extensive experience in Healthcare IT. Specializing in Business Development, Software Development, Patient Portals, mHealth, Patient Engagement, HIPAA, Electronic Medical Records, Web Development, and Internet Marketing. John is a Judge for the 2020 eHealthcare Leadership Awards and has appeared on multiple podcasts, including the Outcomes Rocket Podcast and the Hospital Finance Podcast.
Telehealth may seem like a new concept fueled by COVID-19, but in reality, telehealth companies have been around for many years and are growing in popularity. Due to the outbreak of COVID-19, healthcare providers and patients are turning to telehealth companies to fill the void. Providers are also asking if other prominent video conferencing software such as Apple FaceTime® can be considered a HIPAA compliant telehealth software platform.
Is Apple FaceTime® a Conduit or a Business Associate?
Before we can determine whether Apple FaceTime® is a HIPAA compliant telehealth app or not, we must ascertain if it is responsible for keeping electronic protected health information (ePHI) safe. HIPAA compliance normally pertains to covered entities (health plans, health care clearinghouses, and health care providers), which Apple FaceTime® obviously isn’t. It could be argued that Apple FaceTime® may be considered a conduit or a business associate in the eyes of HIPAA. A conduit is a service that transmits ePHI and does not store it or have the ability to access encrypted data. Telephone service providers and internet service providers are considered conduits, but cloud service providers are not. A conduit is not required to sign a Business Associate Agreement (BAA).
Business associates are organizations or persons that create, transmit, receive, or maintain PHI on behalf of any covered entity. Cloud service providers (CSP) that provide cloud services to a covered entity or business associate that involves creating, receiving, or maintaining ePHI meet the definition of a business associate, even if the CSP cannot view the ePHI.
Apple® does not store any information sent via FaceTime®, which is a peer-to-peer communication channel where voice and audio communications are transmitted between individuals, and Apple® cannot decrypt sessions. Apple® is considered a business associate and is therefore required to sign a BAA.
Will Apple Sign A BAA?
Because Apple® is considered a business associate, it is required to sign a BAA (Business Associate Agreement). A BAA is a contract between a covered entity and a business associate that requires both parties to protect personal health information under the rules and regulations of HIPAA. Apple® is not willing to sign a BAA; therefore its services, including FaceTime®, are not technically HIPAA compliant.
HIPAA Discretion During COVID-19
Under the good faith provision of telehealth during COVID-19, covered health care providers can use Apple FaceTime® to provide telehealth without the risk of HIPAA non-compliance penalties. Apple FaceTime® could potentially introduce security risks, and providers should enable all available encryption and privacy modes when using such applications. Other popular applications are witnessing a rise in usage for telehealth purposes, including WhatsApp®, Zoom®, and Skype™. It is advisable that healthcare providers notify patients that third-party applications such as Apple FaceTime® are not HIPAA compliant and that there are other HIPAA compliant telehealth apps such as:
Skype for Business™
Zoom for Healthcare®
Cisco® Webex Meetings / Webex Teams
Spruce Health Care Messenger™
Bridge Video Visits, powered by Zoom for Healthcare®
Any application leveraged by covered entities that transmit ePHI needs to comply with certain HIPAA regulations. Given the fact that Apple FaceTime® will not sign a BAA, we can deduce that Apple FaceTime® is NOT a HIPAA Compliant Telehealth Software Platform. Any healthcare provider using non-compliant software during the leniency of COVID-19 must still strive to provide their patients with the most secure/safe environment possible.
DISCLAIMER: All product and company names are trademarks™ or registered® trademarks of their respective holders. Bridge Patient Portal is not affiliated, endorsed, or sponsored in any way to the service providers mentioned in this article.
The COVID-19 pandemic is changing the way healthcare professionals are interacting with their patients. At the height of the pandemic, healthcare practices of all types have turned to telehealth/telemedicine to interact with patients remotely. Telehealth software use is being driven by necessity since patients are advised not to physically go to a medical clinic or any other healthcare facility due to the risk of COVID-19 exposure. But not every healthcare specialty lends itself well to telehealth. In certain scenarios, patients need to see their providers in person.
As government and healthcare officials are slowly relaxing the restrictions regarding visiting healthcare offices, the risk of COVID-19 exposure is still present. Patients are now more aware of how the virus spreads and the risk of being infected by contact with people, places, and objects (including pens, clipboards, and shared devices like tablets and kiosks). It’s preferable that patients use their own devices with the aid of a mobile app patient portal to complete the patient intake process.
The Virtual Waiting Room
Some officials want to prevent the use of the traditional waiting room as much as possible, since forcing patients to sit in a room in close proximity to others creates a breeding ground for viruses. For instance, in New York City, patients are advised to remain in their car until it’s time for their appointment, as contact with potentially contaminated objects should be limited at all costs. Because cities have enacted new protocols for how patients receive in-person care and limit exposure to contamination, a patient intake option that can be completed on one’s own devices via a mobile app patient portal would be beneficial.
Patient Portal For Medical Clinics
Healthcare providers are seeking a solution to complete intake forms, gather patient clinical histories, and handle other documentation virtually. A patient portal for medical clinics can provide patients with a means to complete necessary forms online before a consultation (leading to a better in-person experience) and deliver more efficiency to doctors and medical staff by cutting down wait times. Patient portal solutions are also valuable because healthcare practices can utilize them to inform patients of new policies before a visit to the office and disseminate educational materials. Some examples include the requirement for patients to wear masks during visits, instructions for virtual check-in, the protocol for reporting COVID-19 symptoms prior to arrival, where patients should wait before an appointment, precautions to prevent the spread of COVID-19, etc. HIPAA compliant appointment reminders, broadcast messaging, and bidirectional patient messaging are pivotal in communicating new protocols for visiting a provider.
The healthcare landscape has drastically changed since the onslaught of COVID-19, which has forced medical practices and healthcare organizations to change how they operate to meet the evolving needs of patients and prioritize public health. Consider the importance of integrating a patient portal for your medical organization. Contact us to learn more.
Within the healthcare industry, medical jargon can be thrown around with little rhyme or reason. This may not be a problem for professionals within the field but may prove difficult for the general public, especially for patients trying to figure out what their medical payer may or may not cover. Terms such as telehealth and telemedicine are often used interchangeably. The truth is that these terms refer to a different way of administering health care via existing technologies or a different area of medical technology.
Telemedicine is the clinical application of technology: a physician delivers medical care to patients remotely using technology, including telecommunications infrastructure. Telemedicine refers specifically to remote clinical services.
Telehealth is more of a consumer-facing approach that refers to the technology and services used to provide medical care and medical services remotely. Telehealth can refer to remote non-clinical services.
Is Telemedicine or Telehealth more predominantly used?
As a result of our Google traffic research, we discovered that on average telehealth was searched 23,987 times over the past 12 months, while telemedicine was searched 32,044 times.
Through our analysis of the major healthcare payers and IT vendors, the majority of organizations (57%) use the term telehealth. These organizations include Medicare, Amwell, Teladoc, MDlive, Epic, Eclinicalworks, United Health Group, and Aetna. 21% of our subjects including Snap.md, Cerner, and Humana use the terms telemedicine or telehealth interchangeably. Medicaid, Doctor On Demand and Doxy.me comprise the final 22% that make use of the term telemedicine.
The Federal Communications Commission (FCC) COVID-19 Telehealth Program, authorized by the CARES Act, will provide $200 million in funding to support healthcare providers in offering telehealth services to patients during the coronavirus pandemic. The COVID-19 Telehealth Program aims to fully fund telecommunications services for eligible healthcare providers. Funds can be used to purchase devices and software needed to provide vital telehealth services in response to the COVID-19 pandemic. This support will continue until the program’s funds have been depleted or the COVID-19 pandemic has ended.
Who qualifies for the FCC Telehealth Fund?
The COVID-19 Telehealth Program is open to healthcare providers/organizations that treat patients within the USA. The FCC Telehealth Program is limited to nonprofit and public healthcare providers, including:
Post-secondary educational institutions offering healthcare instruction, teaching hospitals, and medical schools
Community healthcare centers or healthcare centers providing healthcare to migrants
Local health departments or agencies
Community mental health centers
Rural health clinics
Skilled nursing facilities
Associations of healthcare providers consisting of one or more entities falling into the first seven categories
The goal is to allocate funding to providers that serve areas which have been the most affected by COVID-19, and where support will be the most impactful on addressing the current healthcare challenge.
Participants are chosen based on responses to the following criteria:
Conditions to be treated
Goals and objectives to be achieved with the funding
Timeline for the deployment of the proposed service(s) or devices
Metrics that the applicant will use to help measure the impact of the funded services and devices
Geographic area and population served by the applicant
Whether funding will help high-risk and vulnerable patients
What products qualify for the FCC Telehealth Program?
The FCC Telehealth Program will support eligible healthcare providers to purchase telecommunications, information services, and connected devices required to provide telehealth services at this time.
Eligible services and connected devices for funding include:
Telecommunications and broadband connectivity services for healthcare providers or their patients.
Information services and online connected platforms for remote patient monitoring, patient-reported outcomes, the transfer of patient images and data, and video consultation.
Connected devices/equipment such as tablets, smartphones, or other devices to receive care at home (e.g., broadband-enabled blood pressure monitors, pulse monitors, oxygen monitors), or telemedicine kiosks/carts for healthcare providers.
Vendors of eligible services and devices are not eligible to apply for funding. The program is also not intended to fund the development of new websites, systems, or platforms.
How to acquire funding?
Obtain an FCC Registration Number (FRN) from the Commission Registration System (CORES), as well as a CORES username and password.
Obtain an eligibility determination from the Universal Service Administrative Company (USAC) by filing FCC Form 460 through My Portal on USAC’s webpage.
Due to the outbreak of coronavirus disease (COVID-19) that was first reported in Wuhan, China, on December 31st, 2019, the public is turning to telehealth to prevent further spread of the virus. Telehealth is the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care. Telehealth software allows healthcare providers to conduct consultations with patients while both parties maintain a safe distance, preventing the spread of the virus.
Payers & Telehealth
Before the COVID-19 crisis, some private health insurance providers covered telehealth consultations, though this significantly varied by the payer and across states. If telehealth consultations were covered, they were usually at a lower reimbursement rate.
Medicare would cover telehealth if the patient lived in a “health professional shortage area” that is outside a metropolitan area. Medicare also required that patients go to a designated healthcare facility to initiate a video visit. After the initial e-visit, the patient and their local provider could connect using telehealth technology. Video visits from home, or anywhere that was not within a designated “originating site,” were not covered under Medicare.
Medicaid’s telehealth coverage was based on state laws, as the federal Medicaid statute does not recognize telehealth as a distinct service. Telehealth was viewed as a cost-effective alternative to the more traditional face-to-face way of providing medical care. Fifty states and Washington, DC, provided reimbursement for some form of live video in Medicaid fee-for-service.
Families First Coronavirus Response Act & Telehealth
Due to COVID-19, healthcare authorities have urged the public and healthcare organizations to make use of telehealth software. The federal Families First Coronavirus Response Act, passed on March 18th, 2020, requires payers to waive the amount an individual would pay for telehealth. USA President Donald Trump announced that “Medicare patients can now visit any doctor by phone or videoconference at no additional cost, including with commonly used services like FaceTime and Skype.” During the pandemic, health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth.
Barriers that previously interfered with the use of telehealth software have been removed during this time. With the recent passing of the Families First Coronavirus Response Act, patients are not required to pay for telehealth consultations related to COVID-19 testing and treatment. Additionally, public knowledge of telehealth software capabilities has significantly increased. Patients are now seeking alternatives to reduce their costs associated with COVID-19 testing and treatment, and will likely become accustomed to the convenience of receiving care via telehealth. Furthermore, the new Interoperability and Patient Access final rule legislation promotes secure and straightforward access to personal health information by patients through ubiquitous technologies such as smartphones. And the trend in mobile app implementation by healthcare providers will further drive the adoption of telehealth.
Telehealth & Healthcare Organizations
Telehealth may seem like a new concept fueled by COVID-19, but in reality, telehealth software companies have been around for many years and are growing in popularity. (The expectation is that the changes as mentioned above will rapidly drive growth.)
CareClix was founded in 2010 and works with qualified practicing physicians to provide a wide range of telehealth services. CareClix accepts Medicare, Medicaid, and most private insurance plans.
MDLive was founded in 2009 and has multiple partnerships within healthcare systems across the United States; they also accept some health insurers, including Blue Cross Blue Shield (BCBS). MDLive provides the public with healthcare professionals who are available by phone or online video 24 hours a day to help patients answer questions about non-emergency related medical conditions.
In both cases, these companies are staffed with their own physician network. This means that they provide telehealth software and physicians. There are other vendors in the market that provide only the technology, which is then purchased by healthcare organizations to be used with their own physician network. Bridge Patient Portal is an example of a vendor that provides a platform for healthcare organizations to offer telehealth services to patients using their private providers. It’s essential to recognize the difference in approach here. There are many considerations in terms of the pros and cons of each model. There’s a risk when physicians step out of their primary care provider’s (PCP) network and go to a random telehealth provider for their care. One could say that when a patient’s private insurance company is promoting their own telehealth provider, they are essentially circumventing the patient’s PCP. An example of this is BCBS’ partnership with MDLive, where patients are encouraged to seek care outside of their PCP.
Unless brick and mortar healthcare organizations adopt telehealth platforms, they may lose the business of their patients. The rapid growth in demand for telehealth, and circumventing by private healthcare insurance companies, are leaving healthcare organizations scrambling to provide their patients with telehealth software. As a temporary solution, healthcare providers can leverage traditional video conferencing platforms for e-consultations. Once the crisis has subsided, healthcare providers will likely no longer be able to use telehealth in this manner — as the HIPAA waiver expires. In addition, healthcare providers will no longer be reimbursed for telehealth services through video conferencing platforms. Given the many challenges that exist today in sharing health records, it’s preferred that patients seek care with the same network of providers to reduce the duplication of care and diagnostic testing. But if a patient’s PCP can’t provide telehealth, they may be forced to seek care elsewhere.
According to the Families First Coronavirus Response Act, passed on March 18th, 2020, Congress requires payers to cover telehealth visits (with health care providers) that relate to COVID-19 testing, treatment, and consultations during the public health emergency. Reimbursement for telehealth solutions during this time is being provided for all patients, not only those with Medicare. During the COVID-19 pandemic, many healthcare professionals are scrambling to find HIPAA compliant telehealth software.
Seeking a HIPAA compliant telehealth software during COVID-19
HHS has created new guidelines on HIPAA requirements and modified HIPAA’s Privacy Rule, which stated that healthcare organizations must use only secure methods of communication for telehealth visits. The Office for Civil Rights said that videoconferencing services normally not permitted under HIPAA may now be used by healthcare professionals for the good faith provision of telehealth solutions. This change in policy allows video conferencing platforms such as Zoom® to be used during this time of crisis.
The coronavirus pandemic has resulted in an increase in healthcare organizations leveraging video conferencing apps. In the past month, Zoom® has become one of the most popular choices for teleconferencing, registering a 535% increase in traffic. Previously Zoom® has maintained that they provide a HIPAA compliant telehealth software: Zoom® for Telehealth. This service claims to incorporate access and authentication controls and HIPAA compliant messaging secured with end-to-end encryption, and Zoom® has signed a HIPAA Business Associate Agreement (BAA).
During the last few weeks, there have been several security concerns surrounding Zoom®. It has been reported that the company does not have end-to-end encryption as they previously claimed. This discovery makes Zoom® decidedly NOT HIPAA compliant.
If healthcare providers want to ensure that patient privacy is respected, they should reconsider the use of Zoom® as a HIPAA compliant telehealth software. Aside from the lack of end-to-end encryption, additional security concerns include videoconference hijacking, user data being shared with third parties such as Facebook™, and lapses in security that make Zoom® vulnerable to cybercriminals and malware. While Zoom® is willing to sign a BAA, which is a crucial step towards achieving HIPAA-compliance, there are too many security issues preventing HIPAA-compliance. Until these issues are fully resolved, we do not recommend Zoom® as a HIPAA compliant telehealth software.
Perhaps the top priority for providers in the coming years is the successful transition from Meaningful Use to MACRA. The motivation for meeting the requirements of this transition is a series of compensation adjustments, both positive and negative. MACRA, or the Medicare Access and CHIP Reauthorization Act of 2015, is the bipartisan brainchild of the Centers for Medicaid and Medicare Services (CMS), which continues the shift from a volumetric fee-for-service payment model to one that incentivizes quality and value.
The CMS differentiates telemedicine from telehealth as services provided by a medical practitioner or non-medical services by administrative staff. To prevent confusion in this article, I will stick to telehealth as the term used in discussion, of which telemedicine can be considered a subset of activities.
The recently released MACRA Final Rule demonstrates key opportunities to not only fulfill MACRA requirements (and in turn receive payment adjustments), but to find reimbursement in new frontiers of healthcare technology. Telehealth is one such frontier—innovative technology projected to become a 60-billion-dollar market by 2021.
Many EHR providers are struggling to cobble together telehealth technology platforms to support their current customer base, although few are yet successfully doing so at a price point that adds business value to these providers.
Many providers, especially the small and rural ones, are looking at telehealth as a viable option to grow their practice incrementally, without realizing it can possibly revolutionize a practice in many intangible ways. Telehealth can allow already overburdened solo practitioners to spend more time with their family, or allow much more convenient access to care for handicapped patients.
So, let’s look at how telehealth intersects with MACRA, and how telehealth will fit into the new value-based business model of healthcare.
Telehealth through MACRA
The most common method of MACRA participation is one of the two payment programs: the Merit-Based Incentive Payment System (MIPS) (the other being Alternative Payment Models). MIPS grades providers on four performance categories (quality, cost, clinical practice improvement activities, and advancing care information), and aggregates each score into a composite score. For the purpose of MIPS scoring, the Final Rule distinguishes between patient-facing and non-patient-facing encounters. A patient-facing encounter is one where a doctor interacts with a patient, remotely or not. A non-patient-facing encounter is any procedure that does not involve direct interaction with a patient. Specialties like pathology or nuclear radiology have encounters where they do not directly face the patient; therefore their encounters are considered non-patient-facing. When you look at telehealth, it seems to blur the boundary between patient-facing and non-patient-facing. However, MACRA defines this distinction, as they “…include telehealth services in the definition of patient-facing encounters. Various MIPS eligible clinicians use telehealth services as an innovative way to deliver care to beneficiaries…”
Additionally, not every remote service is defined as telehealth. The Final Rule defines telehealth as, “…the use of telecommunications technology (real-time audio and video communication) substitutes for an in-person encounter. Services furnished with the use of telecommunications technology that do not use a real-time interactive communication between a patient and clinician are not considered telehealth services.” The CMS defines the list of telehealth services here.
What Telehealth Can Do for Your Practice
Providers will wonder whether it’s financially viable to adopt telehealth into their practice. Here are some benefits I find in telehealth:
Telehealth enables a far greater health footprint:
The ability to remotely treat patients creates an avenue of delivering care never before utilized by many providers. Telehealth increases options in outpatient care, which means doctors can visit a far greater number of patients through real-time audio and video communications. For example, the growing elderly population signifies an increase in incidents of chronic diseases—telehealth allows the elderly to be treated from the comfort of home, without having to come in.
Telehealth gives you a wider reach:
Many states allow for telehealth interstate licensing, which allows providers to treat patients who are not in their general vicinity. Imagine the reach your practice has now, which is possibly limited by the bounds of a car ride. With telehealth, you can advertise across counties and state borders. The potential patient growth for providers with telehealth is outstanding.
Telehealth is efficient and potentially cost-saving:
In-house encounters take up much more time and resources than telehealth appointments, which means physicians may see a greater number of patients during the day. Telehealth increases access to health care services not available to many patients, say those who are bed-ridden or in hospices. Telehealth can reduce avoidable hospitalizations for those in nursing homes, and is a viable option for potential clinician shortages around the world.
Telehealth can improve health outcomes:
The American Telehealth Association (ATA) lists some key services telehealth provides: primary care and specialist referral services, remote patient monitoring, electronic consumer and medical education—all of which can improve the outcome of patient encounters. Education and accessibility in health are crucial aspects that determine patient outcomes.
PrognoCIS and the Future of Healthcare
Healthcare technology is creating a paradigm shift in the way we approach healthcare. Healthcare is becoming more electronic, more interconnected, and more about sharing data for the betterment of patients and providers alike. Whether it’s telehealth or other innovative healthcare tech, it’s important to stay on top of the game and understand how innovation in healthcare tech intersects with healthcare legislation.
MACRA is shaping up to be a very promising change to the way healthcare has been approached, and as with Meaningful Use, PrognoCIS will be ready to assist providers in dealing with the changes. Learn about PrognoCIS’ telehealth capabilities and how we’re preparing for MACRA.