Telehealth HIPAA Enforcement Discretion: Impacts on Healthcare
IN A NUTSHELL:
- HIPAA Enforcement Discretion expanded available telehealth apps
- FaceTime, Zoom, Skype, and more allowed for telehealth services
- Telehealth usage has surged during the several months of the pandemic
For nearly a year, health care providers have been able to use widely available communication apps, such as FaceTime or Skype, for telehealth services due to the federal government issuing a Notification of Enforcement Discretion.
On March 17, 2020 the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) announced that it would waive potential penalties for HIPAA violations against health care providers that use common communication technology during the COVID-19 pandemic. The exercise of discretion applied to almost any communication technology when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service was directly related to COVID-19.
While there is no expiration date currently set in stone, the government may reinstate the HIPAA regulations related to telehealth and health care providers must be prepared.
During the last week of March 2020, telehealth visits increased by more than 150 percent, compared with the same time period in 2019, according to data provided in Morbidity and Mortality Weekly Report, a publication of the Centers for Disease Control and Prevention (CDC). The CDC states that the increase might have been related to pandemic-related telehealth policy changes and public health guidance.
What this means for the health care industry:
Once the wavers expire, it is up to health care facilities to provide patients who are accustomed to using a service such as Zoom or FaceTime to switch to a HIPAA-compliant platform.
The CDC report stated that continued availability and promotion of telehealth services might play a prominent role in increasing access to services during the pandemic. Researchers suggest that the regulatory waivers in place during COVID-19 might have helped increase adoption of telehealth services along with public health guidance encouraging virtual visits and CDC recommendations for use of telehealth services during the pandemic.
Some may wonder if/when the HIPAA mandates are reinstated, could the surge in telehealth slow?
Industry experts say it isn’t likely. Matt Fisher is General Counsel for Carium, a remote patient monitoring platform that seeks to lead the digital transformation of healthcare toward new high-value models that revolve around patients and their lives. He believes that reinstating the full scope of HIPAA requirements to telehealth should not have any impact on the usage of telehealth.
“The basic tenets of HIPAA around protecting the privacy and security of personal information are very much core to the trust in healthcare and align with basic expectations of patients,” said Fisher.
He points out the fact that no one wants their health information exposed to unauthorized parties.
“For patients to know that exposure is not even an option when the HIPAA enforcement discretion ends could actually be more of a positive since it should end the haphazard adoption of various solutions,” said Fisher.
It is important to note that even during the COVID-19 pandemic, legal requirements for security of protected health information (PHI) and patient privacy do not disappear completely. Health care facilities and providers remain responsible for protecting the health information of their patients.
Also noteworthy is the fact that the informed consent requirement for telehealth was also relaxed but will most likely be reinstated along with the other HIPAA-related regulations. While it has been common for health care providers to obtain verbal consent from their patients, this will no longer be compliant with Federal law. Health care facilities must obtain consent from their patients via another method, such as in writing or a digital signature on an electronic form.
It is unknown when the OCR will roll back the Telehealth HIPAA Enforcement Discretion. However, authorities at the federal level are certainly keeping a close eye on telehealth. At the beginning of February, The Office of the Inspector General with HHS announced that it will conduct a series of audits of Medicare Part B telehealth services. The end result of these audits remains to be seen, yet it begs the question if facilities that do provide such services need to monitor the OIG exclusion list.
In any instance, experts recommend that health care facilities and providers begin to use technology as if HIPAA regulations were being fully enforced. A physician is obligated to maintain the privacy and security of patient interactions during telehealth appointments in the same manner as they would during an in-person visit. The provider is responsible for ensuring the overall safety and security of telehealth encounters, including patient privacy and PHI data protection.
While Zoom, FaceTime, and Skype are all simple and familiar for patients, they were not made for telehealth and do not have the security measures to meet HIPAA compliance. Fisher noted that while nothing has occurred yet, the biggest potential privacy issue concerning the use of these types of technologies for telehealth purposes would be usage and/or retention of health data by the non-compliant service. He went on to say that while some of the non-compliant services publicly stated that no health data would be captured or used for the company’s own purpose, as attention has shifted it is not necessarily known if that altruistic position has remained.
Additionally, even if the position is still currently in place, there is no guarantee that it will not change further into the future, which becomes especially concerning when there is no mechanism to force the return or deletion of any data that may have been captured or retained.
While telehealth is only one of many ways the health care industry has changed due to the pandemic, it is likely one that will become permanent. How and when HIPAA laws affect telehealth still remains to be seen, but there is no doubt that the pressure is on for the federal government to expand access to telehealth.
The clock is ticking for facilities and providers to find a technology for telehealth that is HIPAA compliant. Once they do, they still must maintain best practices for the patient experience which has become a standard expectation during the course of the COV ID-19 pandemic.