Things may never be the same in a world following COVID-19 and perhaps that’s not all bad. Some of the actions we’re taking now have the power to make our businesses stronger in the end. One of the industries set to benefit the most after COVID-19 could be healthcare. Between travel and waiting room time, going to the doctor is an ordeal that can take several hours.
Healthcare providers are under pressure to see as many patients as possible on any given day. While we wait in the lobby and then in the exam room, patients typically only interact with a doctor for a few minutes. Telehealth can make the experience more productive for both patients and providers. It might also have the power to improve community health and individual outcomes by making healthcare more accessible. However, telehealth imposes a variety of risks from IT security concerns to HIPAA and more.
7 Important Facts About HIPAA, Telehealth, and COVID-19
There’s nothing currently in HIPAA that prohibits telehealth services. In fact, HHS released periodic guidance to help healthcare providers leverage telehealth services to preserve provider capacity and lessen the spread of COVID-19. If you’re thinking of offering telehealth services, there are a few things you need to know outlined below.
1. The OCR will use enforcement discretion
On March 30, 2020, the Department of Health and Human Services (HHS) announced that the OCR (Office of Civil Rights) will use discretion when enforcing HIPAA for organizations that are in compliance with the good faith provision of the regulation.
“OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
2. Platforms must not be public-facing
One vital element of the guidance is that the mediums and platforms used must NOT be public-facing. So, for example, you can use teleconferencing services such as Zoom or Go-To-Meeting to hold consultations in which PHI (Protected Health Information) is discussed with patients or other care providers. But, you can’t use Twitter or Facebook, which are public-facing platforms.
However, you can use features of a public-facing platform, e.g., Facebook Messenger, to deliver telehealth services if those features allow you to protect patient privacy. Facebook Groups can even be used to manage online support groups, provided they are configured and characterized correctly.
3. You should have a signed BAA
Under HIPAA, any provider that handles the PHI of your patients must sign a Business Associate Agreement (BAA). That’s pretty straight-forward when you’re dealing with a cloud provider like Connectria or a records disposal firm you use to destroy old documents. But how does that relate to telehealth platforms? If they’re not handling the data themselves, do they need to sign a BAA? Well, HHS’s response is that they should. Even if the provider of the service you use isn’t tracking the details of your conversations, they could. Hence, the need for a BAA. HHS lists the providers below as having publicly agreed to provide a signed BAA. If your provider is not on this list, it does not mean they are not willing. Reach out and ask.
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
Penalties During COVID-19
Here’s the caveat. The HHS guidance states, “OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relate to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
It should be noted that as of this writing, Apple is not offering a signed BAA. Given the popularity of FaceTime, perhaps this is one of the reasons HHS decided to use discretion in its enforcement. Still, it seems like the safe bet to get a signed BAA, especially when you consider what the legal experts have to say. (emphasis mine).
According to Dark Reading, the OCR at the HHS — the government office responsible for enforcing HIPAA — has exercised its enforcement discretion to not impose penalties for noncompliance with certain HIPAA rules during the COVID-19 emergency. However, this may not deter state regulators and/or private plaintiffs (i.e., patients) from suing telehealth providers if personal health information (PHI) is breached.
4. Your platform must be configured correctly
I predict that this is where a lot of mistakes will be made. For example, let’s say you want to allow your providers to utilize Facebook Messenger to keep in touch with patients that are self-quarantining for whatever reason. Looking at the average age of Facebook users vs. those of other popular social media platforms, it’s easy to understand why Facebook might be the medium of choice.
As mentioned earlier, HHS specifically calls out Facebook Messenger as one of the allowable tools. But, to be properly HIPAA compliant, interactions on Messenger should be encrypted, and that’s something the user has to do manually – each time they use the service. Here’s the Facebook help page that shows how this is done. Notice that this page specifically talks about “secret conversations” using Android or Apple devices.
5. Remember to encrypt devices
So far, we’ve been largely talking about platforms. But, while we’re on the subject of encryption, this seems like a good time to take a short detour to talk about devices. Many providers have asked their administrative staff to work from home. Some have providers, such as telehealth nurses, offering services from home as well. It’s important to remember that the devices they use should be encrypted, too. This includes voice channels as well as text.
6. Beware of ‘Zoom Bombing’
Video teleconferencing (VTC) hijacking is another consequence of misconfiguring your telehealth platform. The Zoom platform has been the target of several high profile attacks, so this form of cyberattack has become known as Zoom bombing. However, it can happen on other platforms as well. Both Zoom and Microsoft Teams have published posts focused on how to prevent VTC hijacking and other threats.
7. The HHS enforcement discretion will not last forever
One final note on the HHS guidance. The paragraph we shared above says the OCR will use enforcement discretion “during the COVID-19 nationwide public health emergency.”
HHS declared COVID-19 a public health emergency on January 31, 2020. Presumably, once the pandemic is inevitably over, the enforcement discretion will end. By then, it’s likely that many providers will have become accustomed to using telehealth to triage patients or provide care to those who don’t necessarily need to be “seen” by a doctor. Hopefully, many providers will use this period to test approaches they might not have tried were they being held to the usual non-crisis standards.
Contact Connectria for more information about IT security and HIPAA compliant support as you consider or begin offering telehealth services now and post COVID-19.