Telehealth HIPAA Compliance Checklist: The Easiest HIPAA Guide Available on the Internet


There is no way around it: HIPAA applies to every telehealth app in the USA.

Even if you are not launching a telehealth app in the USA, meeting all HIPAA requirements will take you a long way towards compliance with your local privacy laws.

For now, let’s assume you are here to know only about HIPAA.

Some important things about HIPAA

  • First of all, developing a HIPAA-compliant telehealth app lets you avoid a very hefty fine and a legal battle with the government.
  • Secondly, by complying with HIPAA you ensure that your app has no privacy weaknesses that would put the personal information of patients or users at risk.

Now, let’s understand some important definitions stated in the law.

1) Covered Entity:

The covered entity is the healthcare service provider. If you are a hospital and developing a telehealth app for your in-house use, you are called a covered entity.

2) Business Associate:

A business associate is a person or business that provides services to a covered entity.

If you are a startup and providing your telehealth app to the hospital for their use, you are called a business associate.

Covered entities and business associates have to adhere to largely the same HIPAA requirements.

HIPAA Privacy Law Breakdown

Understanding HIPAA requirements is a very daunting task.

However, you can easily understand it if you break it down.

There are four major rules described under HIPAA.

  • HIPAA Security Rule
  • HIPAA Privacy Rule
  • HIPAA Breach Notification Rule
  • HIPAA Omnibus Rule

Each of these rules has different requirements. Only by meeting all of them can you make your telehealth app HIPAA compliant.

That means each rule has its own checklist; together, they form the telehealth HIPAA compliance checklist.

The Ultimate Telehealth HIPAA Compliance Checklist

1. HIPAA Security Rule

  • Technical Safeguards

❏ Do you encrypt the data of patients once it leaves your internal firewalled servers?

❏ Does your telehealth app assign a centrally-controlled unique username and PIN code for each patient or user?

❏ Have you established a strategy to govern the release of the personal information of patients during an emergency?

❏ Do you have a mechanism to detect whether patient data has been altered or destroyed?

❏ Do you have a system that records every attempt to access the personal information of patients, including attempts by registered users?

❏ Do you have a mechanism that lets you know what has been done with the data once it has been accessed?

❏ Does the system automatically log off users from devices they are using for accessing the personal data of patients?
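As an added example (not code from the original article or from the company behind it), here is a minimal in-memory sketch of four of the technical safeguards above: centrally issued unique session identifiers per user, automatic logoff after an idle period, an audit trail that records who did what with which record, and a tamper-evident chain over that trail so alteration or deletion of any entry is detectable. All names, the 15-minute timeout and the HMAC key are assumptions; the patient record is constructed sample data.

```python
"""Sketch of HIPAA technical safeguards: unique IDs, auto-logoff, PHI audit log.
Added example; all identifiers are hypothetical."""
import hashlib
import hmac
import json
import time
import uuid

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumption: log users off after 15 idle minutes
# Placeholder key: in production load it from your KMS or secret store.
AUDIT_KEY = b"PLACEHOLDER-audit-hmac-key-load-from-kms"


class AuditLog:
    """Append-only log. Each entry's HMAC covers the previous entry's HMAC,
    so editing or deleting any entry breaks verification of everything after it."""

    def __init__(self, key):
        self._key = key
        self.entries = []  # list of (entry dict, hex MAC)
        self._prev_mac = b"\x00" * 32

    def record(self, user_id, action, record_id, now=None):
        entry = {"ts": now if now is not None else time.time(),
                 "user": user_id, "action": action, "record": record_id}
        payload = json.dumps(entry, sort_keys=True).encode()
        mac = hmac.new(self._key, self._prev_mac + payload, hashlib.sha256).digest()
        self.entries.append((entry, mac.hex()))
        self._prev_mac = mac

    def verify(self):
        """Recompute the chain; False means the log was altered or truncated mid-chain."""
        prev = b"\x00" * 32
        for entry, mac_hex in self.entries:
            payload = json.dumps(entry, sort_keys=True).encode()
            expected = hmac.new(self._key, prev + payload, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, bytes.fromhex(mac_hex)):
                return False
            prev = expected
        return True


class SessionManager:
    """Issues centrally controlled, unique session tokens and enforces auto-logoff."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions = {}  # token -> (user_id, last_seen)

    def login(self, user_id, now=None):
        token = uuid.uuid4().hex  # unique per login, never reused
        self._sessions[token] = (user_id, now if now is not None else time.time())
        return token

    def touch(self, token, now=None):
        """Return the user behind a live session, or None (and drop it) if idle too long."""
        now = now if now is not None else time.time()
        session = self._sessions.get(token)
        if session is None:
            return None
        user_id, last_seen = session
        if now - last_seen > self.idle_timeout:
            del self._sessions[token]  # automatic logoff
            return None
        self._sessions[token] = (user_id, now)
        return user_id


class PhiStore:
    """Every read and write of a patient record goes through the session check
    and is written to the audit log, including denied attempts."""

    def __init__(self, audit, sessions):
        self.audit = audit
        self.sessions = sessions
        self._records = {}

    def put(self, token, record_id, data, now=None):
        user = self.sessions.touch(token, now)
        self.audit.record(user or "unauthenticated", "write" if user else "write-denied", record_id, now)
        if user is None:
            return False
        self._records[record_id] = dict(data)
        return True

    def get(self, token, record_id, now=None):
        user = self.sessions.touch(token, now)
        self.audit.record(user or "unauthenticated", "read" if user else "read-denied", record_id, now)
        if user is None:
            return None
        return self._records.get(record_id)


def demo():
    """Walk through login, access, idle logoff and tamper detection with fixed timestamps."""
    audit, sessions = AuditLog(AUDIT_KEY), SessionManager(idle_timeout=900)
    store = PhiStore(audit, sessions)
    token = sessions.login("clinician-42", now=1000)
    store.put(token, "pt-1", {"name": "Constructed Patient"}, now=1001)  # constructed sample
    live_read = store.get(token, "pt-1", now=1002)
    idle_read = store.get(token, "pt-1", now=1002 + 901)  # 901 s idle > 900 s limit
    intact = audit.verify()
    audit.entries[0][0]["user"] = "someone-else"  # simulate an edited log entry
    return {"live_read": live_read, "idle_read": idle_read,
            "intact_before_edit": intact, "intact_after_edit": audit.verify(),
            "actions": [e["action"] for e, _ in audit.entries]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of chaining the HMACs rather than signing each entry on its own is the "altered or destroyed" check: removing an entry from the middle of the log breaks the MAC of the entry that followed it, so a missing record is caught as well as an edited one. A real deployment would write the log to append-only storage and keep the key outside the application host.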

  • Physical Safeguards

❏ Do you have control over who has physical access to the location where patient data is stored? (If you use a hosting or cloud service provider instead, you must ensure that the provider is HIPAA compliant.)

❏ Have you implemented policies for your internal staff’s workstations that do have access to personal data of patients or users?

❏ If your in-house team members can access personal information from their mobile devices, do you have policies to wipe that data from their devices when they leave your organization?

❏ Do you maintain an inventory of all hardware that has access to the personal information of users?

  • Administrative Safeguards

❏ Have you assigned a Security Officer and Privacy Officer?

❏ Have you conducted a risk assessment?

❏ Have you introduced a risk management policy along with the sanctions policy for employees who fail to comply with HIPAA regulations?

❏ Have you developed a contingency plan to continue business operations during emergencies while protecting the integrity of the personal information of users?

❏ Are you ensuring that no third-party organizations have access to the personal information of patients?

❏ Have you signed a Business Associate Agreement with third-party organizations that do have access to your data?

2. HIPAA Privacy Rule

❏ Are you asking for the patient’s or user’s written consent before using and sharing their data for marketing, fundraising or research purposes?

❏ Have you created policies to permanently delete the personal information of users when it is no longer required?

❏ Are you providing patients with copies of their data if they request them?

❏ Are you providing patients with copies of their data within 30 days of their request?

❏ Have you developed policies and procedures to provide copies of data to patients?

❏ Have you drafted a Notice of Privacy Practices (NPP)?

❏ Have you made all users aware of your privacy practices?

❏ Have you published your privacy practices on your website?

❏ Have you planned a strategy to deal with failure to comply with NPP?

3. HIPAA Breach Notification Rule

❏ Have you defined a strategy or process to deal with data breaches?

❏ Do you have a mechanism for identifying data breaches?

❏ Do you have the capability to track the investigation of data breaches?

❏ Are you able to notify the patients or users when there is a breach of their personal information?

❏ Are you able to notify the Department of Health and Human Services of such a data breach?

❏ Will you notify the media of a data breach if it affects the data of more than 5000 users?

❏ If you are a business associate, are you going to notify the covered entity of the data breach within 60 days of the incident?

4. HIPAA Omnibus Rule

❏ Have you signed a business associate agreement with your subcontractors? (If you are a business associate.)

❏ Have you checked whether your signed business associate agreement includes all of the new requirements imposed under the HIPAA Omnibus Rule?

❏ Are you sharing the personal information of a deceased person only with that person’s family members, or with anyone who was involved in their payment and healthcare before their death?

❏ Are you obtaining the written consent of patients before selling their information?

❏ Have you trained your staff on the Omnibus Rule amendments and definition changes?

❏ Do you have an updated privacy policy reflecting the definition changes made in the Omnibus Rule?

Our In-house HIPAA Consultants + White-Label HIPAA Compliant Telehealth App = Your Best Investment Under $15K

All of our team members have been putting all their efforts into healthcare apps, especially telehealth apps. Here is what we have built:

  • White-label HIPAA compliant telehealth app (costs under $15000)
  • Back-office task automation for your healthcare startup/organization
  • In-house HIPAA compliant consultants (free consultation with telehealth app)
  • Technical and business consultation for your telehealth startup

In essence, we’re helping you to start a telehealth startup from scratch.


CEO Note: We always wanted to prove the difference between just an app development company and a healthcare-focused app development company. And we proved it by delivering HIPAA-compliant telehealth apps along with HIPAA compliance consultation which is rare to expect from just an app development company!

I would love to discuss your telehealth app idea and share my earned knowledge. So, let’s arrange a one-on-one meeting. Email us at

Other Important Resources:

1) Telehealth Startup Checklist

2) Telehealth Marketing Checklist