Planning for Adapting Telehealth Programs Created or Expanded During COVID-19 – Enforcement Discretion of HIPAA Rules Vital to Ensure Continued Compliance After Termination of Waivers

As a result of the COVID-19 crisis, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services announced on March 17 that it would not impose penalties for violations of the Health Insurance Portability and Accountability Act (“HIPAA”) Privacy, Security and Breach Notification Rules that occur in the good faith provision of telehealth. The Notification of Enforcement Discretion (“Notification”) will remain in effect for the duration of the COVID-19 nationwide public health emergency, until OCR issues a notice ending it.

As California and other states begin the reopening process, providers who started or expanded telehealth programs during the COVID-19 crisis in reliance on the Notification must prepare to comply fully with HIPAA once the enforcement discretion ends. Providers that plan to continue offering telehealth therefore need to understand both what HIPAA ordinarily requires and what the Notification temporarily excuses.

The Security Rule requires providers to ensure the confidentiality, integrity and availability of electronic protected health information (“e-PHI”), meaning individually identifiable health information that is created, received, maintained or transmitted in electronic form. Before transmitting any e-PHI, a health care provider must conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to e-PHI, including those posed by the method used to communicate with patients.

The Security Rule sets out administrative, physical and technical safeguards that must be implemented to protect e-PHI against any reasonably anticipated threats to its security. The technical safeguards include unique user identification, mechanisms to encrypt and decrypt e-PHI and automatic logoff. Note that unique user identification is a “required” implementation specification, while encryption and automatic logoff are “addressable”: a provider must implement them if reasonable and appropriate, and otherwise must document why not and implement an equivalent alternative measure. Addressable does not mean optional.

If a provider uses a third-party vendor that creates, receives, maintains or transmits PHI on the provider’s behalf, such as a video communication platform, the provider must have a Business Associate Agreement (“BAA”) with that vendor. The business associate is directly required to comply with the Security Rule as well.

Under the Notification, providers may begin offering telehealth without first completing the risk analysis the Security Rule would otherwise require of their communication method. The Notification states that providers may use any non-public facing remote audio or video communication product to provide diagnosis or treatment for both COVID-19 related and non-COVID-19 related conditions.

Non-public facing applications, such as Zoom, Apple FaceTime and Skype, by default allow only the intended parties to participate in the communication. Unlike public-facing applications, which are designed to be open to the public or to allow wide or indiscriminate access to the communication, non-public facing applications provide additional safeguards. These include individual user accounts, logins and passcodes, and controls that let participants decide whether a session is recorded and mute or turn off the audio and video signal at any point. The Notification does not extend to public-facing communication products. OCR has stated that using such a product to provide telehealth is not a good faith provision of telehealth services.

During the waiver period, OCR will not impose penalties on providers who lack a BAA with their video communication vendor. Health care providers are encouraged, but not required, to use vendors that are familiar with the requirements of the Security Rule; such vendors often have stronger security capabilities and can provide assurances that they will protect e-PHI.

Despite the relaxation of enforcement, providers should conduct telehealth sessions in private settings and enable all available encryption and privacy modes when using non-public facing applications. Providers should also inform patients of the privacy risks associated with the chosen telehealth communication method. Providers who have relied on the Notification should take time now to plan the transition to a fully compliant telehealth program, or they may be forced to discontinue telehealth when the enforcement discretion ends or face potentially costly HIPAA violations.

While there is no indication that any of the HIPAA enforcement discretion will remain in place post-COVID-19, U.S. Surgeon General Jerome Adams has stated that “telehealth is likely here to stay,” and that state and federal laws will need to adapt post-COVID-19 “to ensure the continued smooth delivery of telehealth for both patients and health care providers.”

Questions

If you need help planning to transition your telehealth program for continued compliance or if you have any questions regarding this legal alert, please contact the following attorneys from our office, or the attorney with whom you typically consult.

Jennifer Scott
jscott@kmtg.com | 916-321-4349