HIPAA Changes for Telehealth and COVID-19

by Ira Bedenbaugh

As the Healthcare Industry deals with the emerging COVID-19 emergency, an effective way for providers to see patients who may have COVID-19, or to assess and treat patients with other medical questions is through telehealth visits. Some providers may already have the ability for telehealth visits through their electronic medical record system, while others are trying to determine how to implement the system.

A critical component of telehealth is compliance with the HIPAA Privacy and Security Rules. On Tuesday, March 17th the Office of Civil Rights (“OCR”) published a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency (the “Notification”) to ease the burdens under HIPAA of providing telehealth services to patients.

Effective immediately, the OCR will exercise its enforcement discretion and will not impose penalties should healthcare providers use methods for telehealth that may not meet the regulatory requirements under HIPAA.

In releasing the Notification, the Director of the OCR, Roger Severino, said, “We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

The Notification states, “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.”

Providers may request to examine a patient exhibiting COVID-19 symptoms or to assess or treat any other medical condition unrelated to COVID-19, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation.

In the Notification, the OCR stated popular non-public facing applications that allow for video chats such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype could be used to provide telehealth services during this public health emergency without the risk that OCR might impose penalties. Providers should still notify patients that there may be privacy risks associated with using a third-party application, and providers should enable all encryption and privacy modes when using a third party application.

The OCR stressed that providers should not use public-facing applications such as Facebook Live, Twitch, TikTok, and similar type applications for telehealth.

The effectiveness of telehealth is dependent upon the willingness of physicians and patients to adopt the technology. Physicians may be skeptical to embrace telehealth assuming their patients would not want to be seen via a telehealth appointment. Until recently, I too was skeptical of how older adults would embrace telehealth until I had a conversation last week with my mother. She told me she was going to cancel a follow-up visit with her doctor because she was well and did not want to risk getting sick. She said, “I wish I could just Facetime with him to tell him I am OK.”

As Healthcare Providers explore the options of telehealth, there are a couple of points to remember.

  • Use common sense in evaluating the technology. Only use non-public facing applications. There are several telehealth applications that represent they are HIPAA compliant and will enter into a Business Associate Agreement; Skype for Business, Udox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet.
  • Not all patient encounters can be seen through a telehealth visit. Healthcare providers should use their professional judgment to determine whether a telehealth visit is appropriate.
  • If using a non-secured application for the telehealth visit, make sure to communicate to the patient that the visit is non-secure.

If the demands on the healthcare system materialize as predicted, telehealth will become one of the ways in which healthcare providers can meet the healthcare needs of all their patients while reducing their exposure to other illnesses.

If you have questions regarding telehealth and HIPAA you can contact Ira Bedenbaugh, Healthcare Consulting Principal, at ira.bedenbaugh@elliottdavis.com or 864.552.4715 or by filling out the form below.

For more helpful resources to navigate COVID-19, visit the Elliott Davis COVID-19 Resource Center

Questions on COVID-19?