Telehealth expanded rapidly in 2020 as a way to ensure patients get the medical attention they need while limiting in-person interactions and travel in order to slow the spread of COVID-19. As many offices shifted to WFH setups and remote working, health care professionals have been encouraged to practice virtual medicine whenever possible. Yet this new reliance on technology and mobile communications raises questions and concerns related to HIPAA compliance.
Expansion of Telehealth in Response to the COVID-19 Pandemic
When the coronavirus pandemic first began, the HHS Office for Civil Rights announced that it would relax HIPAA standards in order to facilitate a greater use of telemedicine. Specifically, the OCR plans to use discretion when enforcing fines for what would be considered a HIPAA violation in a normal situation. The goal is to give medical practitioners the flexibility needed to use remote communications and provide virtual care for patients.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
The emergency exemption recently issued by the HHS applies to all healthcare providers who are covered by HIPAA and provide telehealth services during the pandemic. It temporarily waives the requirement that healthcare professionals be in a medical office or facility when providing compliant and billable telehealth services. This includes services for patients with Medicare coverage.
During the COVID-19 pandemic, this allows physicians, nurse practitioners, physician assistants, nurse midwives, clinical psychologists, registered dietitians, and licensed social workers to work from home. At the same time, it helps keep patients at home in keeping with stay-at-home orders and public health safety measures. Mental health counseling, preventative health screenings, and medical treatment, whether or not related to COVID-19, can be done remotely to avoid putting patients and others at greater risk.
Growing Cybersecurity Threats Targeting Healthcare Now
The medical community currently faces two challenges at once: providing remote healthcare and managing increased cybersecurity risk. Telehealth raises many patient privacy concerns. Recent reports have sounded the alarm about hackers targeting medical facilities, doctors working remotely, and popular telecommunications platforms, specifically during the pandemic. Security vulnerabilities have also been introduced by third-party contractors, health insurance companies, medical billing agents, and other healthcare administration work being done from home.
Get up to date on Security Challenges in Healthcare During the COVID-19 Pandemic.
Telehealth & HIPAA Compliance Concerns During the Pandemic
Even so, authorities continue to prioritize patient care and citizens’ access to adequate medical attention. To facilitate regular medical practices – and diagnosis or treatment of COVID-19 related conditions – the CMS has waived the business associate agreement (BAA) requirement for HIPAA-compliant telehealth technology.
This opens the door for doctors to use mobile apps, text messages, phone calls, images, internet streaming and videoconferencing to deliver long-distance clinical health care. Platforms such as FaceTime, Zoom, Google Hangout, Facebook Messenger video chat, Skype, and WhatsApp video chat are increasingly being used for this purpose. In general, these technologies use end-to-end encryption and require password-protected login for individual users.
Covered health care providers won’t be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur while providing telemedicine services in good faith, including activities such as storing images, handling PHI, and conducting e-visits with patients. These activities are allowable during the national public health emergency, but could be subject to fines and violation penalties in normal circumstances.
These are the only HIPAA/HITECH compliance requirements that have been waived due to the emergency. Covered entities and business associates must continue to comply with all other privacy and security regulations. We expect that HIPAA Rules regarding technology and telehealth practices will return to full enforcement when the coronavirus pandemic is contained and the waiver expires.
Get advice on How to Avoid the Most Common HIPAA Violations.
Current HIPAA Guidelines for Telehealth
In normal circumstances, the use of personal mobile devices to discuss patient care or share patient data, without encryption features and secure servers, would be a clear violation of HIPAA. For that reason, compliant medical communication services provide their clients with secure communications platforms for safely accessing, storing, and transmitting PHI via mobile devices.
While the waiver is in effect, HIPAA telehealth requirements during the COVID-19 emergency are less restrictive. Even so, it’s important to use caution with technology in healthcare to ensure data security and patient privacy.
- HIPAA-compliant telemedicine platforms must have an interactive audio and video system that enables live, two-way telecommunications between the health care provider and patient at home.
- The platform or application used for telehealth purposes must not be public-facing.
- Patients must consent to using telehealth technology and virtual visits.
- If the patient is not required to log in through a secure portal, the practitioner must confirm the patient’s identity before beginning the appointment.
Tips for Avoiding Telehealth HIPAA Violations
When carrying out telehealth, it’s important to continue following reasonable HIPAA protections to decrease the possibility of accidental PHI disclosure. Here are some tips to help you reduce the risk of privacy violations and practice telemedicine securely.
- Get informed about the telehealth resources and guidelines available through your state and county medical association.
- Consult with your insurance company to confirm that platforms without a BAA are included in coverage in case of a data breach.
- Refer to your healthcare facility or network to understand what EMR technology is currently available.
- Practitioners should have a private, quiet space where they can perform telehealth visits, communicate with patients, and collaborate with healthcare teams.
- Avoid using speakerphone devices and virtual assistant features, such as Alexa and Siri, which are not considered HIPAA compliant.
- Refrain from using any social media or communications platforms that can be viewed by other users, such as Facebook Live or TikTok.
Questions Regarding Telehealth & HIPAA Compliance
Are healthcare practitioners subject to penalties for HIPAA Rule violations if sensitive data related to telehealth services used during the coronavirus pandemic is breached?
No. The OCR will not enforce penalties for breaches that occur while telemedicine services are being provided in good faith during this national emergency.
How long will these exceptions to HIPAA enabling telehealth practices be valid?
The Notification of Enforcement Discretion does not currently have an expiration date. The OCR will inform the public when the waiver is no longer in effect.
Is it possible to render a mobile device secure enough to transmit PHI and meet regular HIPAA standards?
Yes. Covered entities and business associates can use mobile devices to access PHI if the required physical, administrative, and technical safeguards are implemented to protect the confidentiality, integrity, and availability of sensitive data.
“A mobile device isn’t necessarily considered HIPAA-compliant because of its accessibility and lack of encryption for stored data,” explains Vince McGlone, Director and HIPAA Compliance Officer for PatientCalls. “Specific platforms are available to support HIPAA-compliant e-mail capabilities and mobile text message apps using encryption technology and complex password protection for secure access, storage, and transmission of PHI.”
Is it permissible to conduct virtual health visits using a personal mobile phone?
Yes. Phone calls made for activities such as reminding patients of appointments, delivering lab test results, and discussing prescriptions and health checkups are HIPAA compliant. Phone conversations and faxes are considered more secure by compliance standards. It’s important that the medical practitioner confirms the identity of the patient before continuing with any conversation that contains PHI.
Expert Guidance Where Technology, Healthcare & Compliance Meet
During this period of uncertainty, we invite you to consult with the experienced professionals at I.S. Partners for advice on regulatory compliance. Call us today at 215-675-1400 or visit us online to request a quote.