By Kelly McLendon, RHIA, CHPS
Effective in early 2020, during the federally declared COVID-19 nationwide public health emergency, all health care providers that are subject to HIPAA and needed to provide telehealth services were given a significant break via a notification of a waiver from Health and Human Services (HHS). This notice allowed the Office for Civil Rights to use enforcement discretion regarding the use of telehealth under HIPAA. This discretion, in effect, lessened provider liability related to enforcement of several areas and safeguards within the HIPAA privacy and security rules if telehealth was delivered with good faith.
The reasoning for the notice was that it was considered by HHS to be more important to provide patient care at a time when our nation’s health care providers were stretched to the maximum and the crisis was growing by the day. Provision of remote, electronically facilitated telehealth connections between both patients and providers was an important automation component that vastly expanded provider delivery reach in a very short period. Existing telehealth providers were overwhelmed, opening the doors for other technologies and vendors that were not originally known for telehealth to become used to deliver or administer care.
Possibly the most common, video conferencing, took off in health care as it did in other industries. At that point, many technology vendors, including teleconferencing, did not have the ability to sign HIPAA business associate agreements (BAAs) because their technology was noncompliant with HIPAA. Suddenly these vendors were called upon to serve health care customers for the delivery of care and to attend to administrative duties, even without their products providing HIPAA’s required security safeguards. To their credit, many vendors did step up and quickly make compliant versions of their products and their cover entities were able to sign BAAs.
At the same time, the growing crisis at health care delivery sites impacted the manner in which telehealth services were provided. Privacy safeguards, such as proper patient spacing and ensuring that clinical conversations were not overheard, became at times impossible to control despite the best efforts of privacy officers, HIM, and the entire site staff.
Over time the more typical safeguards increasingly have been reinstituted, but in some cases, it has taken years to overcome the privacy issues caused by the pandemic. Provision of telehealth services has likewise become more compliant on the privacy, as well as security, fronts as the patient populations stabilized to the new normal.
It is important to understand the HHS definition of telehealth from a HIPAA perspective.
HHS defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications. Telehealth services may be provided, for example, through audio, text messaging, or video communication technology, including videoconferencing software.”
Telehealth also can include administrative uses, such as remote employees using HIPAA’s protected health information to perform their daily health care operations or administrative roles.
Telehealth and Cybersecurity
To manage the compliance aspects of telehealth from a HIPAA Security Rule perspective, one must understand the controls and practices that are most impacted for cybersecurity.
Telehealth includes the following cybersecurity practices, each of which must now be coming into compliance:
Telehealth policies must fit into an organization’s overall risk mitigation strategy.
When the National Public Health Emergency Ends
On July 15, HHS extended the COVID-19 public health emergency for another 90 days until October 13. Additionally, HHS has stated that a 60-day warning would be given before the emergency was lifted. We would expect that warning date to be announced near mid-October if indeed the emergency is lifted on October 13.
Regardless of the exact date that the emergency ends, it is time for the use of telehealth to have migrated into compliance with all the HIPAA rules. These rules are not always easily complied with—some take time to procure technology and implement. Soon regulators will begin to ask providers whether their telehealth is compliant, technical changes have been made to products, and privacy safeguards, such as having private spaces to conduct sessions, have been reinstated.
To achieve HIPAA compliance, assess both privacy and security rules for risk. This requires an in-depth technical security, cybersecurity, and privacy study of all vulnerabilities and threats. The next step is to prioritize remediation actions.
Examine training methods to ensure the use of telehealth is technically secure, especially on the internet. Assign, track, and update all devices used for telehealth delivery. Implement encryption, MFA, and intrusion detection. Finally, document everything in policies and procedures, taking time to integrate telehealth as a new normal that must be integrated into other care delivery and administrative practices with full HIPAA compliance.
— Kelly McLendon, RHIA, CHPS, is senior vice president of compliance and regulatory affairs at CompliancePro Solutions.