April 28, 2020

HIPAA Compliant Telehealth during COVID-19

The COVID-19 pandemic has dramatically changed the way healthcare organizations interact with patients, especially as many doctors’ offices and dentist clinics are closing for elective appointments. There are two important elements of the response to the pandemic that can help ensure patients are still able to receive the healthcare they need and to receive COVID-19 related information to best combat the spread of the virus.

As a result, the Office for Civil Rights (OCR) announced that they would exercise enforcement discretion enabling medical providers to continue providing care remotely and to allow information to flow more freely between the private and public sector. This allows good faith telehealth remote communications during the COVID-19 emergency and would not impose penalties for violations of certain provisions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

What is Telehealth?

The Department of Health and Human Services (HHS) defines telehealth as the use of electronic information and telecommunication technologies to support and promote long-distance clinical healthcare, patient and professional health-related education, and public health and health administration. Telehealth services should, however, be conducted in private settings when possible. For example, a doctor could be in an office or clinic while the patient is in their home or at another clinic.

Who Does the Enforcement Discretion Include?

The enforcement discretion is effective until HHS declares that there is no longer a public health emergency and applies to all covered healthcare providers that want to use telecommunication to provide telemedicine to patients during the pandemic. This is regardless of whether the healthcare being provided is related to COVID-19.

Telehealth Technology Communication

Telecommunication technologies could include anything from phone calls or texts to videoconferencing, as long as it is non-public facing. Examples of public-facing communication that are discouraged are Facebook Live or Twitch, while non-public telecommunication includes Skype, Microsoft Teams, and Zoom.

It is encouraged that patients are notified of any third-party application to administer telehealth and that this could potentially introduce additional privacy risks for the patient. In the situation that protected health information (PHI) is intercepted or stolen during transmission, the OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services by the provider.

Can You Share PHI if a Patient has COVID-19?

Another major reason for the notification of discretion was to allow the flow of information to regulatory and oversight agencies like the Centers for Disease Control (CDC), Centers for Medicare and Medicaid Services (CMS), state and local health departments and emergency operation centers who would potentially need quick access to COVID-19 related data, including PHI.

As it currently stands, the HIPAA Privacy Rule allows for covered entities to provide this information, but with the update, business associates are permitted to share this data without risk of a HIPAA violation as well. This allows for information about COVID-19 to be passed more freely and quickly, which helps better allocate resources and supplies and potentially saves lives.

Changes to Substance Abuse Records

Under the present COVID-19 emergency, the prohibitions on use and disclosure of patient identifying information under 42 C.F.R. Part 2 would not apply in these situations to the extent that, as determined by the provider(s), a medical emergency exists. While the enforcement discretion is due to expire after the public health emergency, there have been efforts to amend specific substance abuse privacy rules on a more permanent basis.

A provision of the Coronavirus Aid, Relief, Economic Security Act (CARES Act) amended the Public Health Service Act to expand the ability of healthcare providers to share substance abuse disorder records and to provide a greater degree of synchronization with the HIPAA Privacy and Security Rules. These changes are not to be implemented until early 2021. However, since they represent significant changes in the rules, additional implementation guidance will be published so that proper planning can be determined and implemented prior to the 2021 due date.

Stay Compliant During COVID-19

Stericycle helps healthcare organizations stay up-to-date on the latest HIPAA compliance and COVID-19 regulations. Learn more about how Stericycle can improve your HIPAA program to ensure you’re remaining compliant.

Receive Stericycle’s latest content, including news and regulations on how you can maintain business compliance.

Form Received - Thank You

Submission Error - Please Refresh and Try Again