In recent years there has been an increase in the use of telehealth and remote management tools as options for maintaining patient well-being. If you’re not familiar with these, the HHS’ Health Resource & Services Administration (HRSA) defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.” These services may be conducted through audio, text messaging or videoconferencing.
In light of the COVID-19 pandemic, the HHS Office for Civil Rights has announced that for HIPAA-covered healthcare providers, a Notification of Enforcement Discretion will be applied that relaxes the HIPAA compliance in relation to telehealth. This notice covers “all services that a covered health care provider, in their professional judgment, believes can be provided through telehealth in the given circumstances of the current emergency”. They define these covered entities as such if they “transmit health information in electronic form in connection with a transaction for which the Secretary has adopted as standard”. A health insurance company that pays for telehealth services is “not covered” by this notice. This will include the remote diagnosis and treatment of patients via a telehealth service. Additional details from the Notification of Enforcement Discretion indicate that this applies to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” This notice currently does not carry an expiration date.
Communication Platform Options
The Notification of Enforcement Discretion is only applicable to communication tools that are NON-PUBLIC facing. The end to end encryption that these HIPAA compliant solutions usually include will reduce the interception of personal and private health information. Some of these include Apple FaceTime, Facebook Messenger (but not Facebook Live) and WhatsApp. These applications give the user controls that include muting and recording the conversation.
Healthcare providers must conduct telehealth treatment in private settings and locations. If this is not an option, lowered voices, not using the speakerphone, and reasonable space and distance between others.
Like many of the standard policies and procedures that are in place, we’ve had to make modifications and accommodate this situation. Government agencies have seen that need and made changes accordingly in an effort to tackle these unprecedented times. Having a strong HIPAA program and trusted security advisor in place can assist you in understanding how your company will be affected and how to proceed best.