COVID-19 has brought a lot of changes to our everyday lives. Across the globe, many have been working or schooling from home since March with no end in sight. This global pandemic has also changed how we view and seek out medical help. Telehealth is not a new concept but is being seen in a new light because of COVID-19. This quick, almost overnight switch from in-person appointments to virtual ones has come with HIPAA compliance and enforcement changes. How has this global pandemic and the increased need for telehealth changed HIPAA compliance? Let’s break down the declaration on the matter from the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS).
An early changeVery early in the pandemic, the HHS quickly expanded telehealth laws . These expansions included additional Medicare coverage for telehealth visits, waived HIPAA penalties for good faith use of telehealth, and provided flexibility to healthcare providers for telehealth visits paid for by federal healthcare programs. The notice, revised in late March, stated that the OCR would not be imposing penalties for non-compliance with HIPAA Rules. Per the statement:
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
This expansion allowed healthcare professionals to quickly move from in-person visits to virtual ones without fear of penalty. As stated in the notice:
OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.
In other words, medical professionals will face no penalty if they meet with patients virtually with a non-public facing, non-HIPAA compliant tool.
Popular communication toolsHealthcare providers are currently allowed to use a wide range of video communication applications to have telehealth appointments with their patients, many of which were not previously permitted. As stated in the declaration:
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
Healthcare professionals should note the OCR recognizes that not all of the suggested applications are HIPAA compliant. Providers should exercise caution when using these platforms. Some popular video applications are not secure enough to be used nor permitted per this notice:
Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
These applications are public-facing, meaning any conversation is open to and viewable by the public.
Limiting riskAlthough the OCR is making exceptions, healthcare professionals should consider only using software or a service that will enter into a business associate agreement (BAA). By doing so, you can help limit the risk of exposing protected health information (PHI), prevent data breaches, and your practice won’t have to change to a HIPAA compliant platform should the OCR rescind this exemption. Additionally, utilizing HIPAA compliant vendors adds additional privacy to patient-provider appointments. As stated in the OCR declaration:
Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.
However, the OCR will not impose penalties on covered entities who do not enter into a BAA with a business associate .
Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
The OCR also notes that providers should notify patients that using these applications introduces a potential privacy risk . Doctors and their staff should always use a private network, enable any available encryption, turn on any privacy modes with these applications, and make sure all applications are up-to-date.