HIPAA Compliance in the Age of Telehealth
Telehealth has emerged from the ongoing coronavirus crisis as an effective tool that allows healthcare providers to see, treat and triage patients without the need for a trip to a hospital or physician’s office unless it is necessary.
To increase patient access to telehealth, the Centers for Medicare & Medicaid Services (CMS) issued new temporary payment guidelines so that more services could be provided via virtual visits.
At the same time, the Office of Civil Rights (OCR) at the Department of Health and Human Services (HHS) said it would relax enforcement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for telehealth during the COVID-19 emergency. This change enabled video communication channels not typically used for healthcare interactions, such as Skype or Zoom, to bridge the gap in telehealth access for patients and providers.
How long the relaxed enforcement will remain in effect is not known, with the federal government only saying it will be until the end of the emergency. That’s why if you are implementing telehealth during the COVID-19 crisis, you should make sure it is HIPAA-compliant so you can continue to use it after the full regulations are back in force, advises Jordan Pisarcik, Vice President of Growth and Customer Engagement at DocASAP.
HIPAA Regulations Relaxed for Telehealth
In a list of frequently asked questions (FAQ) titled “FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency” published by OCR in March, the agency says: “Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
The OCR’s FAQ document also states that it will continue to enforce HHS regulations that protect the confidentiality of substance use disorder patients.
“Even though the OCR has said it will not strictly enforce HIPAA violations, health systems should work to meet HIPAA requirements whenever they can,” Pisarcik says. “That way, they will be compliant or close to it when full enforcement begins again.”
In its FAQ, OCR says healthcare providers should conduct telehealth sessions in private settings, such as a clinic or office with patients who are either in their homes or in another clinic.
Patients should not be in a public or semi-public setting when they receive telehealth services. If a patient cannot be in a private location, healthcare providers should use reasonable HIPAA safeguards to limit any accidental disclosures of protected health information (PHI). Those precautions include:
- Asking patients to use lowered voices.
- Asking patients not to use speakerphones.
- Recommending that patients move as far away from others as possible for the telehealth visit.
The Office of Civil Rights says it will take action against healthcare providers who violate HIPAA if they use telehealth to conduct a criminal act, such as fraud, identity theft, and intentional invasion of privacy. The OCR says it will also take action against:
- Using or disclosing patient data obtained during a telehealth session in ways that are prohibited by the HIPAA Privacy Rule, including selling data or using it for marketing purposes without authorization.
- Violating state licensing laws during telehealth sessions that result in disciplinary actions.
- Using public-facing communications channels, such as TikTok, Facebook Live, Twitch, or a public chat room. Public-facing channels are designed to be open to the public.
What Platforms Are HIPAA Compliant for Telehealth
“There are two kinds of platforms that can be used for audio or video communications,” explains Pisarcik. “Non-public facing platforms are designed for one-to-one private communications or group communications with only people who have been invited to the session. Public-facing platforms are open to the public and anyone can join in.”
The OCR issued a notification in March that lists non-public facing platforms that can be used for telehealth visits with potential COVID-19 patients and with patients who have ailments and injuries other than coronavirus.
Each of these platforms has said it provides HIPAA-compliant video applications and that it will enter into a HIPAA business associate agreement (BAA) with providers, according to the OCR. Those platforms are:
- Amazon Chime
- Cisco Webex Meetings / Webex Teams
- Google G Suite Hangouts Meet
- Skype for Business / Microsoft Teams
- Spruce Health Care Messenger
- Zoom for Healthcare
The OCR also said healthcare providers should not use public-facing platforms, such as Facebook Live, Twitch, TikTok or similar applications for telehealth.
“The telehealth systems we implement today will enhance patient access and protect patient privacy far beyond the pandemic,” Pisarcik said. “Starting with a non-public, HIPAA-compliant platform will save healthcare organization resources in the future — and acclimate patients and providers to healthcare’s new normal much sooner.”
Hospitals and physician practices can learn more about implementing telehealth and other digital technology and tools. To get more information, insight and ideas, download DocASAP’s new eBook Catching Up to the Healthcare Consumer.