As the COVID-19 pandemic continues to spread across the country, doctors, dentists, therapists and other healthcare providers have turned to telehealth use with their patients by way of videoconferencing applications such as Zoom, Skype and WebEx. The Office of Civil Rights and the Department of Health and Human Services (“OCR”) defines telehealth as “the use of electronic information and telecommunications technologies to support long-distance clinical health care, patient and professional health-related education, public health and health administration. Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and terrestrial and wireless communications.”
There are a number of privacy concerns healthcare providers should consider when utilizing telehealth technology. Generally, healthcare providers providing telehealth services are subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, not every videoconferencing application is HIPAA-compliant. HIPAA requires that a healthcare provider who utilizes a vendor to transmit or maintain protected health information, or who utilizes a vendor who has routine access to protected health information (PHI), must have a Business Associate Agreement (BAA) with each vendor.
In light of COVID-19, the OCR recently relaxed its enforcement of HIPAA’s privacy and security rules and issued a notification stating that it will practice “enforcement discretion” regarding HIPAA’s privacy and security rules. The OCR will not impose penalties for noncompliance with HIPAA for healthcare providers’ “good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency”, whether the telehealth services are related to a COVID-19 diagnosis and treatment or not, including for example, “a sprained ankle, dental consultation or psychological evaluation, or other conditions.”
The OCR advises healthcare providers to use public facing videoconferencing applications including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without the risk that the OCR will issue penalties for non-compliance with HIPAA. However, the OCR also specifically disallows the use of certain other public facing video apps such as TikTok, Facebook live, and Twitch to provide telehealth services.
Notwithstanding the OCR’s practice of enforcement discretion, healthcare providers should continue to engage in best practices to safeguard patient data. For example:
1. Consent. Before using video conferencing for medical consultations, request permission from the patient to do so and document their approval in their medical record.
2. BAA. Despite the fact that the OCR will not impose penalties against covered health care providers for the lack of a BAA, the OCR encourages healthcare providers to enter into a BAA with any vendor that provides videoconferencing services, and in its notification provides a list of vendors which represent that they are HIPAA-compliant video conferencing applications that will enter into a HIPAA BAA, including:
-
Skype for Business / Microsoft Teams
-
Updox
-
VSee
-
Zoom for Healthcare
-
Doxy.me
-
Google G Suite Hangouts Meet
-
Cisco Webex Meetings / Webex Teams
-
Amazon Chime
-
GoToMeeting
-
Spruce Health Care Messenger
3. Encryption. Healthcare providers should enable all available encryption and privacy modes when using the videoconferencing technology.
4. Password Protection. Healthcare providers should create a unique meeting ID and a strong password to access a virtual consultation.
5. Monitor. Healthcare providers should monitor all communications containing PHI. Additionally, healthcare providers should check that both employees and patients are accessing via a secure network connection prior to consultations.
According to analysts at Forrester Research, the adoption of telehealth services has increased dramatically, with virtual healthcare interactions projected to exceed 1 billion by year’s end. While the OCR’s relaxed enforcement of HIPAA during COVID-19 likely will end when the pandemic is brought under control, it appears telehealth services may become the “new normal” for healthcare providers.