It is well known that every organization involved in the transmission and management of Protected Health Information is subject to HIPAA’s rules. The outstretched regulatory arm of HIPAA governs all organizations in the healthcare chain irrespective of their size. Covered entities protect themselves when they have a rigid policy to follow risk assessment rules. PHI is shared between healthcare providers, third-party vendors and billing companies and runs the risk of being saved at unsecure locations, like internal messaging apps, cloud storage and localized folders.
The pandemic increased this risk multi-fold as the emergence of Covid19 led to a rapid surge in virtual healthcare. As organizations across the globe took to remote working, protecting critical health information required a whole new set of guidelines along with enforcement to maintain security control and prevent violations. In March and April the US Department of Health and Human Services officially communicated a number of waivers and changes in HIPAA Compliance and other medical privacy laws and ever since, privacy teams have been on the front line of dealing with these disruptive and rapid changes.
The CDC reported a 154%* increase in telehealth visits in the last week of March 2020 as compared to March 2019. While dealing with the pandemic and the heightened demand for telehealth services was one mega challenge in itself, the new privacy practices of HIPPA left many organizations quizzing about their position on HIPAA compliance. Numerous small organizations who never offered themselves as HIPAA compliant, were worried about coming forcefully under radar due to the temporary changes. So what have we learned so far?
- Invest time and resources to stay up to date.
- Covered Entity’s Precautions in Telehealth for HIPAA Compliance is not complicated.
- Telehealth platform providers are safe when the platforms are used in good faith.
Lesson 1: Invest time and resources to stay abreast on briefing and announcements that are made time and again on the official HHS, CDC and HIPAA websites.
It’s important to know and understand the changes, waivers that covered entities are governed with. Privacy and Disclosures that are ‘minimum necessary’; under the ‘best interest of the patient’; and ones that pose a ‘serious and imminent threat’ are best explained in a specific process or service agreement only with the help of professionals. This not only helps Business Associates understand and incorporate changes in their processes and in the services offered to covered entities, it also opens up new avenues to scale and increase accessibility to quality healthcare.
The Health and Human Services (HHS) also made clear the list of non-public facing communication platforms that can be used for telehealth services. Platforms that allow end-to-end encryption, and ones that permit individual user logins and passwords limiting access while enabling user verification. For example, Apple FaceTime, Facebook Video Chat, Google Hangouts video, WhatsApp or iMessage. The text applications of these products are included as well. A public-facing platform is clearly described as a platform that gives open access for another to be present on it as well, eg: Facebook Live Streaming, Chat rooms etc.,
However, opting to use customized telehealth platforms that are also HIPAA Compliant is the way to go be it during a crisis, or otherwise.
Lesson 2: Covered Entity’s Precautions in Telehealth for HIPAA Compliance is simple, when telehealth service providers follow reasonable precautions as listed under the FAQs or other OCR guidelines.
One of the lessons learned was through the all- hands –on- deck approach. The IT team meticulously charted short-term options that also suited long-term telehealth plans. The OCR’s FAQs on Telehealth and HIPAA included guidelines on how covered healthcare providers were required to conduct telehealth. The document listed reasonable precautions like not using a speakerphone, lowering of voices and requesting the patient to move to a reasonably isolated place to ensure, while PHI is discussed. HIPAA requirement to stay compliant during the telehealth process is simple and clear making it amply clear to worker involved in the chain of delivery. This became a checklist that was necessary to be incorporated on the telehealth platform with both the provider and patient checking the boxes.
Lesson 3: The Pre-Corona telehealth tech platform provider is safe if the platform is used in good faith as a sequel to complete the healthcare service.
There was also growing anxiety among telehealth providers who were not HIPAA compliant but now have their platforms used by healthcare providers or covered entities. These tech companies were also perplexed if their associated Healthcare provider would be imposed a penalty for violating HIPAA Security Rules. The HHS clarified that the penalties otherwise applicable for breaches that were a result of good faith for the provision of telehealth services would not be pursued during this pandemic. For example; it would look at all reasonable precautions taken by the healthcare provider which includes following notifications regarding non-disclosure on any OCR guidance. It further states that the provider would also not be penalized for a hack exposing PHI on a telehealth session, however, intentional disclosure, identity thefts and frauds are met with penalties.
While the OCR does not endorse the security of any communications product, it believes that many commonly used electronic communication products include security features that ensure a safe transmission of ePHI between the provider and the patient.
Most importantly, the OCR would assess the provider’s transparency in communication when it comes to notifying patients regarding the potential risks of using third party applications. Enabling all privacy mode options and encryptions are also critical determinants which rule out breaches and violations.
As processes in Healthcare are evolving as fast as the COVID19 situation, a HIPAA Risk assessment is critical to reveal the areas where the PHI of your organization could be at risk. This simply puts things in perspective for every stakeholder in the healthcare chain as to what should be their focus areas and why robustness in processes and platforms play a huge role. HIPAA Compliance is consistent and awareness would be the first step towards increasing the accessibility of healthcare services during this time of public health emergency.
Was this post helpful?
Let us know if you liked the post. That’s the only way we can improve.