HIPAA Enforcement Discretion: What Comes Next
IN A NUTSHELL:
- HIPAA Enforcement Discretion has no current expiration date
- HIPAA waiver applies to telehealth only, privacy rules still in place
- Healthcare providers and facilities should implement best practices now, ahead of the HIPAA waiver's expiration
More than a year and a half ago, the HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion for telehealth communication in response to the COVID-19 pandemic, allowing healthcare facilities and physicians to use everyday consumer communication apps, such as FaceTime or Skype, to deliver patient care.
The notification applied to nearly any non-public-facing communication technology used in good faith for any telehealth treatment or diagnostic purpose, whether or not the telehealth service was directly related to COVID-19.
The waivers also relaxed the informed consent requirement for telehealth, and this requirement will likely be reinstated as well. Throughout the pandemic it has been standard for healthcare providers to obtain verbal consent from their patients, a practice that will soon no longer be compliant. Healthcare facilities will then be required to obtain consent by another method, such as in writing or a digital signature on an electronic form.
There is currently no set expiration date for the HIPAA waivers, but full enforcement is expected to resume, and healthcare professionals must be prepared to remain in compliance or risk substantial monetary penalties.
It is also important to note that the HIPAA Privacy and Security Rules themselves were never suspended during the COVID-19 pandemic; OCR only agreed not to impose penalties for good-faith telehealth. The legal requirements for protecting the privacy and security of protected health information (PHI) remained in place throughout. Facilities and providers remain responsible for protecting their patients' health information, both in clinical communication within a facility and in outbound communication directly with a patient.
A healthcare provider is required to maintain the privacy and security of patient interactions during telehealth appointments in the same manner as during an in-person visit. The provider is also responsible for the overall safety and security of telehealth encounters, including patient privacy and the security of all data containing PHI.
Texting and other messaging from portable electronic devices is common practice in the healthcare industry, but sending PHI to a patient over standard SMS or a consumer messaging app violates HIPAA unless the covered entity has warned the patient about the risk of unauthorized disclosure and obtained the patient's consent to communicate by text, and has documented both the warning and the consent.
How HIPAA is Enforced:
The HIPAA Privacy, Security, and Breach Notification Rules are enforced by the HHS Office for Civil Rights (OCR), the same office that issued the enforcement discretion notification. Separately, the U.S. Department of Health and Human Services established the Office of Inspector General (OIG) to identify and eliminate fraud and abuse in federal health programs. HIPAA authorized the OIG to provide guidance to the healthcare industry to promote lawful conduct, which the department carries out through a nationwide program of audits, evaluations, and investigations. On average, the OIG conducts hundreds of audits and evaluations each year.
While the HIPAA Enforcement Discretion is technically still in place, the OIG has already begun auditing Medicare Part B telehealth services, covering distant and originating site locations, virtual check-in services, electronic visits, remote patient monitoring, use of telehealth technology, and annual wellness visits, to determine whether Medicare requirements are being met.
This first wave of audits is a clear signal that healthcare facilities and providers should already be using technology as if HIPAA regulations were being fully enforced.
How to Navigate HIPAA Compliance with Ready Doc™:
Ready Doc™ is a free medical credentialing platform that also provides a centralized repository for digital documents such as healthcare credentials and medical licenses, along with other tools to improve administrative workflows.
The platform records documents on a Hashgraph distributed ledger (DLT), which provides tamper-evident storage and immutable timestamps that expedite the credentialing process. Combined with HIPAA-compliant messaging, digital forms, and electronic signatures, these features can be used to meet federal regulatory requirements for securing PHI and maintaining HIPAA compliance.
For added peace of mind, the Ready Doc™ marketplace offers HIPAA Breach Insurance to help with security breach response, privacy liability coverage, business interruption, and more.
Continuous Compliance Monitoring With Ready Doc™:
In addition to its audits and evaluations, the OIG maintains, under exclusion authorities that HIPAA expanded, a nationwide list of individuals and entities that have been convicted of healthcare fraud or other offenses. The database is known as the List of Excluded Individuals/Entities (LEIE). Healthcare professionals in all specialties, as well as any type of medical facility, can land on the LEIE, and an exclusion can be permanent.
Anyone on the LEIE is excluded from any payments involving federally funded healthcare programs. The payment exclusion applies to all methods of federal program reimbursement, including but not limited to itemized claims, cost reports, fee schedules, and prospective payment systems (PPS).
At the same time, any medical facility that employs or contracts with an individual on the LEIE can be subjected to civil monetary penalties (CMP), which add up quickly: up to $10,000 (adjusted annually for inflation) for each item or service furnished by the excluded person. The onus is on individual providers to know their own exclusion status, and on facilities to know the status of everyone they employ or contract with.
The OIG states that both facilities and providers have an "affirmative duty" to check the exclusion status of anyone who works with the facility. This is tedious at scale: as of November 2021, more than 74,000 individuals and entities were on the LEIE, and the list changes monthly.
Ready Doc™ provides continuous monitoring of exclusion lists and sends automated alerts to facility administrators when one of their healthcare providers appears on an exclusion list. Individual healthcare providers can also take advantage of compliance monitoring with their own Ready Doc™ account.
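To make the "affirmative duty" concrete, here is an added example of the screening logic behind continuous exclusion monitoring. It is illustrative code written for this article, not Ready Doc's implementation. The column names follow the public LEIE CSV download (LASTNAME, FIRSTNAME, BUSNAME, NPI, DOB, EXCLTYPE, EXCLDATE, and so on), while the roster fields, the three sample LEIE rows (fictional people and NPIs), the alert-state format and the convention that an all-zero NPI means "no NPI on file" are assumptions for the example. An NPI hit is treated as definitive; a name-only hit is flagged for manual verification, because the OIG asks that potential name matches be confirmed against SSN or EIN before any action is taken.

```python
"""Screen a staff roster against an LEIE-style exclusion file.

Added example, not Ready Doc's code. LEIE column names follow the public
CSV download; roster fields, sample rows and alert-state keys are assumed.
"""
import csv
import io
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample in the LEIE download layout: fictional names and NPIs.
LEIE_SAMPLE = """\
LASTNAME,FIRSTNAME,MIDNAME,BUSNAME,GENERAL,SPECIALTY,UPIN,NPI,DOB,ADDRESS,CITY,STATE,ZIP,EXCLTYPE,EXCLDATE,REINDATE,WAIVERDATE,WVRSTATE
DOE,JANE,A,,IND- LIC HC SERV PRO,PHYSICIAN (MD/DO),,1234567893,19700101,123 MAIN ST,ANYTOWN,TX,75001,1128b4,20200115,00000000,00000000,
SMITH,JOHN,,,IND- LIC HC SERV PRO,NURSE/NURSES AIDE,,0000000000,19850615,9 ELM AVE,SPRINGFIELD,IL,62701,1128a1,20190301,00000000,00000000,
,,,ACME HOME HEALTH LLC,BUSINESS,HOME HEALTH AGENCY,,0000000000,00000000,500 OAK BLVD,ANYTOWN,TX,75001,1128b7,20210401,00000000,00000000,
"""

# Constructed roster; the field names are an assumption for this example.
ROSTER = [
    {"id": "R1", "kind": "individual", "last": "Doe", "first": "Jane", "dob": "1970-01-01", "npi": "1234567893"},
    {"id": "R2", "kind": "individual", "last": "Smith", "first": "John", "dob": "1990-01-01", "npi": ""},
    {"id": "R3", "kind": "individual", "last": "Garcia", "first": "Maria", "dob": "1982-03-09", "npi": "1987654329"},
    {"id": "R4", "kind": "entity", "name": "Acme Home Health, LLC"},
    {"id": "R5", "kind": "individual", "last": "Smith", "first": "John", "dob": "1985-06-15", "npi": ""},
]

NO_NPI = "0000000000"  # assumed: the LEIE file uses all zeros when no NPI is on file


def _norm(s: str) -> str:
    """Uppercase, drop punctuation and collapse whitespace so 'Acme, LLC' == 'ACME LLC'."""
    return " ".join(re.sub(r"[^A-Za-z0-9]+", " ", s).upper().split())


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


@dataclass(frozen=True)
class Match:
    roster_id: str
    level: str        # "NPI" (definitive), "BUSNAME", "NAME+DOB", "NAME" (verify manually)
    excl_type: str
    excl_date: str
    leie_name: str

    @property
    def key(self) -> str:
        """Stable identity of this hit, used to suppress repeat alerts across runs."""
        return f"{self.roster_id}|{self.leie_name}|{self.excl_date}"


def parse_leie(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def _hit(person: dict, level: str, row: dict) -> Match:
    name = row["BUSNAME"] or f'{row["LASTNAME"]}, {row["FIRSTNAME"]}'
    return Match(person["id"], level, row["EXCLTYPE"], row["EXCLDATE"], name)


def screen(roster: Iterable[dict], leie_rows: Iterable[dict]) -> list[Match]:
    """Return every LEIE hit for the roster, strongest evidence level first per person."""
    rows = list(leie_rows)
    by_npi = {r["NPI"]: r for r in rows if r["NPI"] and r["NPI"] != NO_NPI}
    by_name: dict[tuple[str, str], list[dict]] = {}
    by_bus: dict[str, list[dict]] = {}
    for r in rows:
        if r["BUSNAME"]:
            by_bus.setdefault(_norm(r["BUSNAME"]), []).append(r)
        else:
            by_name.setdefault((_norm(r["LASTNAME"]), _norm(r["FIRSTNAME"])), []).append(r)

    matches: list[Match] = []
    for p in roster:
        if p["kind"] == "entity":
            matches.extend(_hit(p, "BUSNAME", r) for r in by_bus.get(_norm(p["name"]), []))
            continue
        npi = _digits(p.get("npi", ""))
        if npi and npi in by_npi:
            matches.append(_hit(p, "NPI", by_npi[npi]))
            continue  # an NPI hit is definitive; skip the weaker name matching
        dob = _digits(p.get("dob", ""))
        for r in by_name.get((_norm(p["last"]), _norm(p["first"])), []):
            dob_known = r["DOB"] not in ("", "00000000")
            level = "NAME+DOB" if dob and dob_known and dob == r["DOB"] else "NAME"
            matches.append(_hit(p, level, r))
    return matches


def new_alerts(matches: Iterable[Match], already_alerted: set[str]) -> list[Match]:
    """The 'continuous' part: only hits not alerted on in an earlier run are raised."""
    return [m for m in matches if m.key not in already_alerted]


if __name__ == "__main__":
    hits = screen(ROSTER, parse_leie(LEIE_SAMPLE))
    for m in new_alerts(hits, already_alerted=set()):
        print(f"{m.roster_id}: {m.level:<9} {m.leie_name} ({m.excl_type}, excluded {m.excl_date})")
```

Run monthly against the freshly downloaded file, persist the `key` of every alert that has been reviewed, and only the new hits reach the administrator. Name-only hits (R2 above, a John Smith with a different date of birth) are the false-positive class that needs human verification; NPI and business-name hits can be escalated immediately.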
Future of HIPAA Compliance:
The clock is ticking on the Notification of Enforcement Discretion for telehealth services and HIPAA compliance. Nearly two years after COVID-19 was first identified in humans, the ensuing global pandemic has drastically changed the healthcare industry, which has been operating under a "new normal" ever since. While some observers argue that new models of care delivery such as telehealth are here for good, certain tenets of the healthcare industry will return in their entirety.
The cornerstones of HIPAA, protecting the privacy of patient information and improving efficiency in healthcare, will return in full, likely with updates to keep pace with advances in technology. A full-service credentialing, compliance, and communication platform such as Ready Doc™ will keep facilities and providers one step ahead as the healthcare industry rebounds under regulations both new and old.