Telehealth during the COVID-19 Pandemic
The Coronavirus (COVID-19) pandemic has increased the use of telehealth. Telehealth offers many benefits, including helping to mitigate the spread of COVID-19, but it also complicates HIPAA compliance. HIPAA is the Health Insurance Portability and Accountability Act of 1996, a federal law that protects patient health information. HIPAA applies to covered entities and business associates.
Why care about HIPAA?
HIPAA data breaches can result in hefty fines. The most HIPAA can fine your office in a year is $1.5 million. A breach can also cause expensive employee turnover, the loss of your license to practice, and the loss of patient trust.
What is Telehealth?
Telehealth is providing healthcare by using digital information and communication technologies. Healthcare providers can offer remote consultations, appointments, or post-op checkups via video chat. During COVID-19, telehealth has become even more useful. The Department of Health and Human Services writes, “Telehealth is a great way to get the health care you need while still practicing social distancing.”
Telehealth and HIPAA
Telehealth technology, such as smartphones and communications platforms, must comply with HIPAA rules and have safeguards in place to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI).
Even during a public health emergency, the HIPAA Security Rule still applies. Under normal circumstances, healthcare professionals providing Telehealth services would not be permitted to use video conferencing technology like FaceTime or Skype, since these services are not fully compliant with HIPAA.
Relaxed HIPAA Enforcement During COVID-19
The Office for Civil Rights (OCR) is responsible for enforcing HIPAA. During the COVID-19 emergency, the OCR is taking a more relaxed position on enforcing certain HIPAA provisions that relate to Telehealth services.
According to the OCR:
OCR will exercise its enforcement discretion and not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of Telehealth.
During the current public health emergency, healthcare providers are permitted to use any non-public facing remote communication product available to communicate with patients. The enforcement discretion also applies to Telehealth services related to the diagnosis and treatment of health conditions unrelated to COVID-19.
While enforcement has been relaxed, it is still important to implement reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures.
What Telehealth Services can be used?
While the OCR does not endorse specific products, healthcare providers could use:
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video or Skype
What Services Cannot be used?
Public-facing chat and communications platforms are not permitted. These include:
- Facebook Live
How can my Practice obtain Greater Privacy?
Covered Entities can obtain greater privacy protections by using HIPAA-compliant video communications solutions, and obtaining a signed Business Associate Agreement (BAA). Providers of platforms that sign BAAs and provide a HIPAA compliant service include:
- Skype for Business
- Zoom for Healthcare
- Updox
- VSee
However, the OCR will not penalize providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of Telehealth services during the COVID-19 emergency.
What about when COVID-19 ends?
When the emergency ends, however, penalties could apply if a BAA is not in place and communications platforms are not HIPAA compliant.
The OCR notes that ‘bad faith’ provision of Telehealth can include the use of PHI for criminal purposes or in furtherance of a criminal act. Another ‘bad faith’ use might involve the use of PHI for purposes not permitted by the Privacy Rule, like the sale of PHI, or the use of PHI for marketing purposes without patient authorization.
‘Bad faith’ provisions of Telehealth also include violations of state licensing laws, violations of professional ethical standards, and the use of public-facing communications products.
How can I learn more about HIPAA during COVID-19?
To learn more about telehealth and HIPAA compliance, check out our free Telehealth and Privacy Compliance training module.
Stay ahead of the compliance curve with Smart Training.