The
ongoing coronavirus epidemic is poised to launch a period of explosive
growth for remote health care providers. The HIPAA Privacy Rule implies
that exchanging ePHI remotely is acceptable for direct patient-physician
communications; however, existing HIPAA guidelines on telemedicine,
which affect physicians and healthcare organizations providing remote
services for patients, impose much stricter requirements than most
providers realize – until now.
At a March 18 press conference,
President Trump announced that “Medicare patients can now visit any
doctor by phone or videoconference at no additional cost, including with
commonly used services like FaceTime and Skype.” This announcement
effectively waives many of the HIPAA restrictions on telemedicine, in
that physicians will not be subject to penalties for breaches that
result from utilizing unsecured communications platforms. Shortly after
the press conference, the Office for Civil Rights (OCR) at the U.S
Department of Health and Human Services announced that: “effective
immediately, [OCR] will exercise its enforcement discretion and will
waive potential penalties for HIPAA violations against health care
providers that serve patients through everyday communications
technologies during the COVID-19 nationwide public health emergency.”
Ordinarily,
the channel of communication a telemedicine provider selects must be
HIPAA compliant. Under the HIPAA Security Rule, providers must use
platforms that allow access only to authorized users, securely protect
the integrity of ePHI, and are impervious to accidental or malicious
breaches. Even under the relatively broad standard of “reasonable and
appropriate safeguards,” this rule has, until now, prohibited the use of
unsecure communications channels. The HIPAA telemedicine guidelines
require platforms to be capable of monitoring and/or remotely deleting
ePHI if necessary, as well as automatic logoff mechanisms after a
relatively short period of non-use. For these reasons, unsecured
channels including SMS, Skype, FaceTime, and email have been unavailable
to telemedicine providers; instead, physicians must use relatively more
expensive options like Skype for Businesses, which typically charge a
monthly fee for encrypting their channels of communication so that
messages are unreadable and unusable if intercepted over an unsecure
wi-fi connection.
One reason covered entities have had to forego
inexpensive options like Skype and FaceTime is that the companies that
run those platforms have until now refused to sign Business Associate
Agreements (BAAs) with providers. A company that enters into a BAA is
then liable for any fines or civil actions in the event of a breach of
ePHI due to a lack of HIPAA-compliant security measures or a failure of
any existing security systems. The HIPAA Journal notes that the covered
entity “would also likely fail any HIPAA audit for failing to conduct a
suitable risk assessment – which might also affect receipt of payments
under the Meaningful Use incentive share.”
With the OCR’s Notification of Enforcement Discretion
(“Notification”), these concerns over financial penalties – the key
tool used to deter breaches – will effectively be eliminated. According
to the Notification, any covered provider who wishes to use audio or
video communication technology to provide telehealth to patients during
the COVID-19 nationwide public health emergency “can use any non-public
facing remote communication product that is available to communicate
with patients.” OCR will “not impose penalties for noncompliance with
the HIPAA Rules in connection with the good faith provision of
telehealth” using such channels of communication. Significantly, OCR’s enforcement discretion specifically extends to “telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
This means that covered providers may use “popular applications […]
including Apple FaceTime, Facebook Messenger video chat, Google Hangouts
video, or Skype […] without risk that OCR might seek to impose a
penalty for noncompliance with the HIPAA Rules related to the good faith
provision of telehealth during the COVID-19 [epidemic].” The only
platforms still currently prohibited are those that are “public facing,”
such as Facebook Live, Twitch, and TikTok.
Communication products
providers will still be required to enter into BAAs, however companies
that have been unwilling to enter into such agreements will likely leap
at the opportunity to break into an industry on the cusp of potentially
significant growth with drastically reduced financial risk. This new,
presumably temporary reprieve effectively eliminates large swaths of the
HIPAA Security Rule. Indeed, providers are not even required to notify patients that these third-party applications potentially pose privacy risks – rather, they are encouraged to disclose such risks.
ATTORNEY ADVERTISING: PRIOR RESULTS DO NOT GUARANTEE FUTURE OUTCOMES.