You are here

HIPAA Compliance and Telehealth Updates: COVID-19 Pandemic

Author: Richard D. Rocchio

Telehealth is widely utilized in the healthcare industry for patients to be admitted and cared for virtually. During the COVID-19 pandemic, telehealth will be used more frequently by a larger number of providers, as encouraged by the federal government and healthcare professionals to limit the spread of COVID-19.

Effective March 17, 2020, the Office of Civil Rights (OCR) announced they will exercise their enforcement discretion to waive all potential penalties for Health Insurance Portability and Accountability Act (HIPAA) noncompliance. This is an effort to help healthcare providers more effectively communicate with and treat patients during the COVID-19 pandemic. This announcement applies to all providers using telehealth services, regardless of whether the treatment is related to COVID-19. Nonpublic-facing applications, as stated below, may not fully comply with HIPAA privacy requirements during a normal state of operations. However, during this unprecedented time, these applications are not only allowed, but encouraged.

For providers who haven’t utilized a telehealth platform, and are looking for a swift transition, nonpublic-facing communication applications such as FaceTime, Skype, Facebook Messenger, Zoom for Healthcare, and Google Hangouts are appropriate under the OCR’s waiver. These applications are more commonly known to patients and are generally easily accessible. In addition to ease of access, these applications are user-friendly to most patients. It’s important to note that applications that are public-facing—such as Facebook Live, Twitch, and Tik Tok—are still not permitted for telehealth use.

Below is a list of vendors who have stated that they provide HIPAA-Compliant Video communication products and will enter into a Business Associate Agreement (BAA)*

  • Skype for Business
  • Updox
  • VSee
  • Zoom for Healthcare
  • Doxy.me
  • Google G Suite Hangouts

*Wolf & Company, P.C. has not reviewed the BAA’s offered by these vendors, and this list does not serve as an endorsement.

Extension of 1135 Waiver

Under this newly enacted Waiver, Medicare can pay for any visit that is conducted via telehealth. Prior to this Waiver, Medicare could only pay for telehealth when the patient receiving care is living in a designated rural area.

Best Practices for Providers

When using telehealth technologies during the COVID-19 pandemic, it’s important to take these three best practices into consideration:

  1. Utilize applications that employ end-to-end encryption and enable as many privacy settings as possible
  2. Ensure that patients are informed of and acknowledge the potential security issues associated with telehealth, especially the alternate applications
    1. While written consent is used in most cases, an audio recording may be easier for record-keeping in this climate
    2. Below is a template script that providers may read or send to their patients prior to beginning a session:
      • "We are permitted to use this video chat app during the COVID-19 (Coronovirus) national health emergency. It does not fully comply with HIPAA security requirements, so there might be some privacy risk. Is that okay with you?"
  3. Telehealth sessions should always be documented, including the reading and acceptance of the above statement
    1. The following forms of session documentation are acceptable by HIPAA:
      1. Contemporaneous note taking
      2. Audio recordings
      3. Use of an authorized scribe

HIPAA Privacy Refresher

As a reminder, the HIPAA privacy rule relating to Public Health Activities states that providers may disclose needed protected health information without authorization for the following reasons:

  1. To a public health authority, such as the CDC or a state or local health department, that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease
  2. At the direction of a public health authority, to a foreign government agency that is acting in collaboration with the public health authority
  3. To persons at risk of contracting or spreading a disease or condition, if other law such as state law, authorizes the covered entity to notify such persons as necessary

For more information, review the U.S. Department of Health & Human Services’ full notification here.