It is well known that every organization involved in the transmission and management of Protected Health Information (PHI) is subject to HIPAA’s rules. The outstretched regulatory arm of HIPAA governs all organizations in the healthcare chain irrespective of their size. Covered entities protect themselves when they have a strict policy for following risk assessment rules. PHI is shared between healthcare providers, third-party vendors and billing companies and runs the risk of being saved in insecure locations, such as internal messaging apps, cloud storage and local folders.
The pandemic increased this risk many times over, as the emergence of COVID-19 led to a rapid surge in virtual healthcare. As organizations across the globe took to remote working, protecting critical health information required a whole new set of guidelines, along with enforcement, to maintain security control and prevent violations. In March and April the US Department of Health and Human Services (HHS) officially communicated a number of waivers and changes to HIPAA compliance and other medical privacy laws, and ever since, privacy teams have been on the front line of dealing with these disruptive and rapid changes.
The CDC reported a 154% increase in telehealth visits in the last week of March 2020 compared with the same week of March 2019. While dealing with the pandemic and the heightened demand for telehealth services was one mega challenge in itself, the new HIPAA privacy practices left many organizations questioning their position on HIPAA compliance. Numerous small organizations that had never presented themselves as HIPAA compliant were worried about being forced under the regulatory radar by the temporary changes. So what have we learned so far?
Lesson 1: Invest time and resources to stay abreast of the briefings and announcements that are posted regularly on the official HHS, CDC and HIPAA websites.
It’s important to know and understand the changes and waivers that govern covered entities. Privacy rules and disclosures, those that are ‘minimum necessary’, those made in the ‘best interest of the patient’ and those addressing a ‘serious and imminent threat’, are best spelled out in a specific process or service agreement, and only with the help of professionals. This not only helps Business Associates understand and incorporate the changes into their processes and into the services they offer to covered entities; it also opens up new avenues to scale and to increase access to quality healthcare.
However, opting to use customized telehealth platforms that are also HIPAA compliant is the way to go, whether during a crisis or otherwise.
Lesson 2: A covered entity’s HIPAA compliance precautions in telehealth are simple when telehealth service providers follow the reasonable precautions listed in the FAQs or other OCR guidelines.
One of the lessons was learned through an all-hands-on-deck approach. The IT team meticulously charted short-term options that also suited long-term telehealth plans. The OCR’s FAQs on Telehealth and HIPAA included guidelines on how covered healthcare providers were required to conduct telehealth. The document listed reasonable precautions such as not using a speakerphone, lowering one’s voice and asking the patient to move to a reasonably isolated place to ensure privacy while PHI is discussed. The HIPAA requirements for staying compliant during the telehealth process are simple and clear, making them plain to every worker involved in the chain of delivery. This became a checklist that had to be built into the telehealth platform, with both the provider and the patient checking the boxes.
Lesson 3: A pre-COVID telehealth technology platform provider is safe if the platform is used in good faith to complete the healthcare service.
There was also growing anxiety among telehealth platform providers that were not HIPAA compliant but now had their platforms used by healthcare providers or covered entities. These tech companies were also unsure whether the healthcare providers using them would be penalized for violating the HIPAA Security Rule. HHS clarified that the penalties otherwise applicable for breaches resulting from the good-faith provision of telehealth services would not be pursued during the pandemic. For example, it would consider all reasonable precautions taken by the healthcare provider, including following any OCR guidance on non-disclosure. It further states that a provider would not be penalized for a hack exposing PHI during a telehealth session; intentional disclosure, identity theft and fraud, however, are still met with penalties.