by Hannah Trum Senior Marketing Specialist
Article filed in
A look into HHS COVID-19 HIPAA compliance changes
by Hannah Trum Senior Marketing Specialist
COVID-19 has brought a lot of changes to our everyday lives. Across the globe, many have been working or schooling from home since March with no end in sight.
This global pandemic has also changed how we view and seek out medical help.
Telehealth is not a new concept but is being seen in a new light because of COVID-19. This quick, almost overnight switch from in-person appointments to virtual ones has come with HIPAA compliance and enforcement changes.
How has this global pandemic and the increased need for telehealth changed HIPAA compliance? Let’s break down the declaration on the matter from the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS).
An early change
Very early in the pandemic, the HHS quickly expanded telehealth laws.
These expansions included additional Medicare coverage for telehealth visits, waived HIPAA penalties for good faith use of telehealth, and provided flexibility to healthcare providers for telehealth visits paid for by federal healthcare programs.
The notice, revised in late March, stated that the OCR would not be imposing penalties for non-compliance with HIPAA Rules. Per the statement:
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
This expansion allowed healthcare professionals to quickly move from in-person visits to virtual ones without fear of penalty.
As stated in the notice:
OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.
In other words, medical professionals will face no penalty if they meet with patients virtually with a non-public facing, non-HIPAA compliant tool.
Popular communication tools
Healthcare providers are currently allowed to use a wide range of video communication applications to have telehealth appointments with their patients, many of which were not previously permitted.
As stated in the declaration:
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
Healthcare professionals should note the OCR recognizes that not all of the suggested applications are HIPAA compliant. Providers should exercise caution when using these platforms.
Some popular video applications are not secure enough to be used nor permitted per this notice:
Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
These applications are public-facing, meaning any conversation is open to and viewable by the public.
Although the OCR is making exceptions, healthcare professionals should consider only using software or a service that will enter into a business associate agreement (BAA).
By doing so, you can help limit the risk of exposing protected health information (PHI), prevent data breaches, and your practice won’t have to change to a HIPAA compliant platform should the OCR rescind this exemption.
Additionally, utilizing HIPAA compliant vendors adds additional privacy to patient-provider appointments.
As stated in the OCR declaration:
Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.
Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
The OCR also notes that providers should notify patients that using these applications introduces a potential privacy risk.
Doctors and their staff should always use a private network, enable any available encryption, turn on any privacy modes with these applications, and make sure all applications are up-to-date.
Choosing the right application
Although no penalties will currently be imposed against healthcare providers who do not enter into a BAA with a vendor as it relates to the good faith provisions of telehealth, choosing a HIPAA compliant application is still critical for the safety of PHI.
Finding a new platform to conduct telehealth appointments with your patients can be frustrating as there are many options.
If you and your practice consider keeping telehealth appointments, even after the current crisis ends, picking a HIPAA compliant telehealth option now will save you from a future headache.
Luckily, at Paubox, we have reviewed several popular telemedicine applications for their HIPAA compliance, in addition to our publishing a post on the top 5 telehealth software services.
HIPAA compliant applications include:
*Both Zoom and Google offer a wide range of products, some of which cannot be configured in a HIPAA compliant manner. We recommend reading the above articles for more information.
Non-HIPAA compliant applications include:
An obvious choice with HIPAA compliant email
Addressing patient concerns during COVID-19 can be frustrating and tedious while staying HIPAA compliant and limiting PHI exposure. Utilizing a HIPAA compliant email solution is an easy way to make sure information is safe, encrypted, and patient-friendly.
Paubox Email Suite encrypts all emails sent from a customer’s existing email platform (such as Google Workspace or Microsoft 365). Emails are delivered directly to a patient’s inbox, meaning your patients no longer have to log into or out of an email portal or use a password to read their messages.
Paubox Email Suite is perfect for helping your company avoid a cyber-security disaster.