The coronavirus crisis has flipped the world on its head. Patients are staying home, often under government order, and health care providers are extending the reach of telehealth in order to provide care. What does this mean for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act?
On March 30, the Office of Civil Rights (OCR) issued guidance to health care providers—including home health agencies and home medical equipment providers—extending leniency towards video conferencing applications such as FaceTime, Google Hangouts, Zoom, Skype and others, which had previously been banned under the act due to patient privacy concerns.
The notice reads: “A covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a covered health care provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.”
That’s been widely interpreted as an across-the-board lifting of HIPAA requirements, but Benji Sawyer, president and CEO of Sawyer Solutions, an IT firm specializing in HIPAA compliance, said it may be more complex.
“It is important to be aware of what isn’t being said,” Sawyer said. “While they are not going to enforce compliance for this one thing, for now, the OCR did not say they are going to stop enforcing data breach reporting.”
And Kelly Grahovac, general manager for the van Halem Group, said it’s important that home medical equipment and other providers keep HIPAA rules in mind even if standards are more relaxed.
“Explain to the patient that these aren’t the typical circumstances and get approval for the visit. Ask the patient to make sure there’s no one around that shouldn’t hear the information,” she said. “The doctor consultation will probably be private, but the patient visit won’t be. Make sure that it will be similar to an office visit. The physician will probably be documenting, so include a statement that there was approval [for the video visit]. That will be helpful should the OCR want to enforce later.”
Grahovac added that since many delivery services have suspended getting signatures for packages during the pandemic, providers need to ensure that all of their documentation is related to COVID-19.
“Create a narrative,” Grahovac said. “Hopefully this will not be an audit scenario.”
The OCR recommends that providers use video conferencing applications that will sign a HIPAA-compliant business associate agreement (BAA) in order to avoid any possible conflict.
“If your patients get used to communicating with you in a non-BAA way, then when the crisis is over you will have to retrain them, which is not always the easiest thing,” said Sawyer. “Starting out with a solution that will work permanently is just a better idea from a business point of view.”
For small providers, the relaxed regulations provide a chance to meet patients where they are, regardless of technical ability or internet speed. But with the Office of Civil Rights continuing enforcement of HIPAA and the HITECH Act, it’s important for providers to remember that data breaches happen—and are on the rise.