The COVID-19 pandemic has created many new business realities, including the mainstreaming of telemedicine and, with it, new questions about HIPAA compliance. The American Medical Association estimates that $250 billion in healthcare could shift to telemedicine from outpatient, office and home health visits. And the CDC is throwing its support behind the effort to migrate essential health services from in-person to virtual care in order to meet the requirements of the current moment.
The telemedicine policy changes within the COVID-19 environment create an imperative for healthcare-involved organizations to understand the relevant HIPAA compliance issues. The rate of these changes over a short period of time creates an even bigger sense of urgency.
To help healthcare providers and businesses covered under HIPAA navigate telemedicine and compliance issues, following are essential highlights.
Understanding whether your organization is a defined healthcare “covered entity” is crucial to knowing your compliance obligations:
"Covered entities are defined in the HIPAA rules as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards. Generally, these transactions concern billing and payment for services or insurance coverage. […] Covered entities can be institutions, organizations, or persons."
“Researchers are covered entities if they are also health care providers who electronically transmit health information in connection with any transaction for which HHS has adopted a standard.”
Is your organization a covered entity? Please read on.
The HIPAA Security Rule establishes national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity. In practical terms, the Security Rule requires that:
1. Only authorized users have access to ePHI (access control).
2. Communications containing ePHI are protected in transit and at rest.
3. Access to and transmission of ePHI is logged and monitored so that accidental or malicious breaches can be detected and investigated.
4. A medical professional or healthcare organization whose ePHI is stored or processed by a third party has a Business Associate Agreement (BAA) in place with that party.
These compliance mandates are actually pretty clear and easy to understand. Now here's how telemedicine and COVID-19 factor in.
Three important elements to be aware of as telemedicine is impacted by the COVID-19 environment:
Informed consent. Informed consent is largely unchanged and you should remain aware of relevant state and payer requirements. Patient consent is often a legal requirement, or a condition for receiving payment, depending on the payer being billed.
The expansion of telemedicine means that verbal informed consent scenarios are becoming more common; however, there is enormous variability in state requirements. These range from no requirement at all, to verbal consent only, to written consent that must be stored in the patient's health record. If you are experiencing a surge in telemedicine volume, make certain you are making any necessary adjustments to remain compliant.
Business associate agreements (BAAs). Healthcare covered entities (see above) must always enter into a BAA with their technology providers if ePHI is being shared. The following list includes some vendors that affirm they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA with covered entities:
Important note: OCR's Notification of Enforcement Discretion (quoted below) distinguishes between certain seemingly similar platforms. Non-public-facing video chat apps, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, may be used for the good-faith provision of telehealth without risk of an OCR penalty, even though they would not ordinarily satisfy the Security Rule. Others, including "Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers." Also, the Office for Civil Rights (OCR) at the Department of Health and Human Services has not reviewed the products provided by the above vendors and does not endorse any of them, so do your own due diligence about the suitability of any given solution, and still obtain a BAA where the vendor offers one.
Enforcement discretion. The COVID-19 pandemic is a declared national public health emergency. National, state and local regulatory agencies understand that healthcare covered entities are struggling with enormous and unforeseen challenges in the COVID-19 environment; this includes the OCR, which is responsible for enforcing certain regulations issued under HIPAA and its amendments.
Accordingly, there's some leeway allowed for the foreseeable future in meeting certain HIPAA compliance requirements:
“OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.”
“Good faith” is the key: your efforts should be directed in a manner that provides support to patients no matter where they are, especially at-risk groups (elderly, disabled and those with pre-existing conditions).
Avertium provides specialized support for healthcare involved entities, for the full range of their compliance and technology needs. Contact us to learn more about solutions custom-designed to help you navigate this complex privacy and security environment.