The Telehealth HIPAA Compliance Primer can be an important feature in telehealth security. In order to be HIPAA compliant, an organization must be able to show that they have developed their IT systems according to the security and privacy guidelines of the Health Insurance Portability and Accountability Act.

While there is no formal certification process, organizations need to:

  • keep records about how they secure their data
  • what policies and procedures they will follow to prevent data breaches
  • how they will notify users about data breaches

These procedures are important to show that the organization is following best practices and legal requirements, and such documentation may be required before your application can be used by healthcare providers.

Where’s my certificate?

There’s actually no HIPAA certification per se. Sorry- you don’t get a certificate for the office wall! When someone says their system is “HIPAA Compliant”, that usually means they are skating that they have implemented their system to match the regulations of HIPAA as best as possible. They are essentially self-certifying you can pay an outside consultant to audit your practices, but there is no certification.

The key technical points about HIPAA are that you must secure access to your system with strong authentication methods, passwords that regularly expire, servers that are patched with the latest updates, and best practices to prevent hacking and data breaches. These are moving targets, since hackers are usually one step ahead of security practices. It’s important that your IT team keep your systems up to date.

In addition, all “Protected Health Information,” or PHI, must be… protected. This means that information that can be used to identify individual patients should be encrypted when stored in your database, and encrypted when in-transit. The use of HTTPS URL’s with SSL encryption is a good start, but not enough. What if someone can get onto your server? Will they be able to search your database for patient information? The PHI should be encrypted as much as possible in order to minimize the impact of a data breach.


It’s also very important that access to the data in your software is restricted only to those who can see it. Obviously one patient should never be able to see information about other patients, but it’s also important that software developers don’t have access to real patient data in their development environments. Imagine the most awkward medical information in your very own personal history, and then design your application and IT practices so that no one can see it without your permission.

Think a Telehealth Solution may be right for your healthcare business?

We have a telehealth platform that is already built and can be quickly white-labeled and licensed for your use.  We have decades of experience with over 200,000 hours invested in building real-time applications. You can read a client testimonial here.

Contact us today. We’ll help you get your user-friendly, HIPAA-compliant app — up and running with both the provider and patient in mind.

Recent Blog Posts