Navigating HIPAA and telemedicine during COVID-19

Despite the U.S. Office for Civil Rights’ recent decision to waive penalties for violating certain HIPAA Security and Privacy regulations, there are still rules on what technology physicians can use to see patients remotely and how they can use it.

Lee Hamil Little, JD, and Brian Tuttle, CPA, CHA, explained the new legal do’s and don’t’s of telemedicine and HIPAA in an April 6 AOA/AOIA webinar.

HIPAA waiver announcement

Last month, HHS announced a limited waiver of HIPAA sanctions and penalties during COVID-19.

The waived sanctions and penalties, effective March 15, include those for failing to obtain a patient’s agreement before speaking with family members or friends involved in their care and failing to distribute a notice of privacy practices, among others. In addition, physicians practicing telemedicine are now effectively permitted to use popular software such as FaceTime and Skype to conduct virtual patient visits.

For more detailed information on how HIPAA privacy disclosures are permitted under emergency situations, please read pages 17-23 in the slides that accompanied this webinar.

Frequently asked questions

What disclosures are we permitted to make to public authorities relating to COVID-19 cases?

• Physicians may disclose PHI about suspected COVID-19 patients to public health authorities that are authorized by law to receive it, based on the “minimum necessary” standard. Some states require these disclosures.

What about responding to the media?

• Disclosures to the media are not permitted unless authorization is provided by the patient. However, physicians can share de-identified information such as the number of patients being treated.

What about the risks of internal staff access?

• Staff are not permitted to access patient records unless it is necessary for their job.
• Physicians should make sure their staff are aware that everything done within an EHR system is tracked.
• Audit logs must be reviewed periodically by the appointed HIPAA Security Officer or other designee.

How this impacts telemedicine

Following the good faith provision of HIPAA Rules on telehealth, as of March 17 and throughout the COVID-19 pandemic, there will be no OCR-imposed penalties for HIPAA noncompliance.

What does good faith mean in the context of selecting an appropriate technology to provide health care?

• From OCR: “A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.”
• Example: a physician exercising their professional judgement may examine a patient via a video chat application, which was previously a violation of HIPAA Rules.

What is a non-public facing remote communication product?

• These include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video and Skype (a list of other accepted technologies can be found on page 39 of the slide deck).
• Facebook Live, Twitch, TikTok, and similar video communication applications are public facing and should not be used in the provision of telehealth by covered health care providers.

Countering the risks of telemedicine

Little and Tuttle recommend putting a telecommuting policy in place at your office, emphasizing the following points:

• Protecting protected health information (PHI), electronic protected health information (EPHI) and the other confidential information is every employee’s responsibility.
• Any practice or patient-related materials taken to the remote work area should be maintained in your designated remote work area and not be made accessible to others.
• All confidential information, including PHI and EPHI, will only be accessed through and stored within the practice’s internal network or cloud-hosted electronic health records (EHR) system.
• Additionally, keep your voice low when speaking to a patient, and don’t use speaker phones.
• Do not copy or store protected health information on home computers or laptops.
• Ensure any wireless use is encrypted by avoiding public WiFi and making sure any portable laptop which maintains PHI is fully encrypted. If that’s not possible, file or folder-level encryption should be used.
• If you are not able to access a network drive or EHR system, but have the need to save files locally to the computer, notify the HIPAA Security Official or practice manager to discuss available options.
• Encryption must be used when transmitting PHI where possible.
  • If a patient requests their information be sent via non-encrypted means, such as texting, they should acknowledge the risk of this type of transmission and opt in.
  • Texting of PHI among staff members should never be done without encryption.

Beware of hackers

Unfortunately, hackers have taken advantage of this pandemic. Their risks are low and their rewards are high. To make sure your office is prepared, educate all staff members on common-sense cybersecurity measures and how hackers leverage spoof emails.

Be aware of ransomware, a type of virus that comes through emails that attacks databases and folders on your computers and requires you to pay a hacker in bitcoin for an encryption key. The OCR classifies ransomware attacks on non-encrypted folders with health information in them as HIPAA breaches. Safe Harbor may apply if a folder is encrypted and hacked anyway.

Legal ground

There is no private cause of action allowed to an individual to sue for a violation of the federal HIPAA or any of its regulations, Little and Tuttle note. This means you do not have a right to sue based on a violation of HIPAA by itself.

Nonetheless, physicians must stay diligent. If you are negligent and do not meet “good faith” requirements, you can be held accountable for civil violations of state negligence laws. Cases of these violations are creating precedence.

If a HIPAA violation resulted in damages, meaning a patient suffered some kind of verifiable financial loss, slander or defamation, they may have a civil claim against the individual who violated their HIPAA rights.

Resources

Security Risk Assessment Tool from HealthIT.gov.

HIPAA Administrative Simplification from HHS.

If you are audited by HIPAA, this is their protocol.

When in doubt, always fact check with HHS, and always check their information against your state’s laws.

Related Reading:

How to do telemedicine in the time of COVID-19