COVID Changes Way Health Care Providers Administer Services
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) enforces certain rules and regulations regarding protected health information as provided under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, including the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules).
The coronavirus (COVID-19) global pandemic has necessitated changes to the way health care providers administer services to patients. Providers have looked at ways to communicate with patients and provide telehealth services while still adhering to the applicable HIPAA Rules. Many of the remote communications technologies that are most easily accessible to providers and patients may not fully comply with the HIPAA Rules.
As a result of the adverse circumstances created by COVID-19, HHS has issued a notice indicating that OCR shall exercise enforcement discretion and shall not impose penalties against covered health care providers for noncompliance with the regulatory requirements under the HIPAA Rules, if such providers are involved with the good faith provision of telehealth during the COVID-19 emergency. During this period, providers may use non-public facing audio or video remote communication products to communicate with patients for the treatment of medical conditions, including conditions not related to COVID-19.
Some of the applications that may be used during this time period include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video chat, Zoom, or Skype. Nevertheless, providers should still notify all patients that all third-party applications have certain privacy risks. Providers should also utilize all available encryption and privacy modes when using such applications. Notwithstanding the foregoing, public facing video communication applications such as Facebook Live, Twitch, and TikTok cannot be utilized by providers.
A number of video communication product vendors, including Skype for Business/Microsoft Teams, Updox, VSee, Zoom for Healthcare, Amazon Chime, Google G Suite Hangouts Meet, and Spruce Health Care Messenger, actually claim to be HIPAA compliant and represent that they will enter into HIPAA business associate agreements in connection with their video communication products.
This is important as the HIPAA Rules generally require covered providers to enter into business associate agreements with their business associates (entities or individuals that perform services that involve the use or disclosure of protected health information on behalf of the covered entity) to ensure the business associate will appropriately safeguard health information that is protected by HIPAA.
Although OCR has indicated that it will not impose penalties for noncompliance with the HIPAA Rules against covered health care providers acting in good faith, such vendors may offer an avenue to provide telehealth services with additional privacy protections that more closely resemble an offering that would be permitted when OCR re-imposes penalties.
Although OCR is exercising discretion in the imposition of penalties for good faith violations of the HIPAA Rules, best practice dictates that compliant procedures and avenues for providing telehealth services be implemented sooner rather than later. Using HIPAA compliant methods of video communication is a good start, but that is no substitute for a compliance audit to ensure there are no gaps.
For more information about telehealth HIPAA compliance, contact health care attorneys Ryan Portugal or Alexander John at 941.748.0100.