Widely available communications apps have been given a pass on compliance with HIPAA regulations regardless of whether or not the virtual visit is directly related to COVID-19. On March 17, 2020, in an effort to maximize critical healthcare resources, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it will “exercise its enforcement discretion,” waiving penalties against healthcare providers for HIPAA violations while serving patients through non-secure communication methods, when used in good faith for telemedicine service, during the COVID-19 nationwide public health emergency.
“All of the efforts that CMS is making to give more flexibility to the healthcare system to make sure that they are better prepared to deal with this surge,” according to Seema Verma, Administrator of the Centers for Medicare & Medicaid Services (CMS) and a senior member of the White House Coronavirus Taskforce. “If we know that people can get good medical care, that’s also going to help keep down (fatalities).”
All the changes are on an emergency, temporary basis, Verma says. The OCR’s enforcement discretion applies to “non-public-facing” remote communication products, which it defines as products that, “as a default, allow only the intended parties to participate in the communication.” According to a recent HHS post entitled FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency:
Non-HIPAA-compliant platforms included in the relaxed guidelines include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, and Skype, as well as texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage. Public-facing products such as Facebook Live, Twitch and TikTok are not permissible and are not covered by the Notification.
A provider hosting a public presentation via livestream or in a chat room, for example, should not identify patients or provide individual patient advice.
While done to empower medical providers to serve patients during this national health emergency, the enforcement discretion measures do potentially leave telemedicine consumers, and their private healthcare data, exposed. Had HIPAA restrictions been relaxed six months ago, before COVID-19 was on anyone’s radar screen, the medical community would have pushed back over concerns around fraud and abuse. These concerns are still valid, despite the current crisis.
Impact on Telemedicine Sector
Providers (both healthcare providers and technology service providers) who invested in HIPAA and HITECH compliant technology are operating at a competitive disadvantage to those who didn’t. Further, providers will suffer reputational damage if large-scale breaches occur.
Impact on Healthcare Consumer
The annual number of breached patient records has nearly tripled since 2018, according to the recently released 2020 Protenus Breach Barometer®. Threats to patient data ranged from external incidents, like hacking, to insider-related incidents in which healthcare insiders, either unwittingly or maliciously, compromised sensitive patient information. These data breaches cause headaches for patients far beyond the financial strain of mitigating damage to their financial and personal lives; often, privacy and safety are also compromised. The rewards for online criminals who hack, sell or buy patient records may not be as rich as they once were, but recent estimates still put the value of a stolen patient health record at around $50. Experts also warn that the data is “evergreen,” meaning it persists and can be sold multiple times: unlike a stolen credit card, healthcare data cannot simply be shut down, frozen, or changed. Reclaiming that data, which often includes Social Security numbers, billing and appointment information and home addresses, and preventing it from being reused or altered by criminals, can prove frightening and difficult. Ultimately, preventing health data breaches from occurring is the best course of action.
“Part of looking out for yourself and your family is making sure that your healthcare providers are HIPAA compliant, even when they don’t have to be,” said Mario Espino, CEO of MDsOnDemand.com, a HIPAA compliant telemedicine provider. “And once your data has been compromised, there is not a ‘do over’ button you can press.”
“There are unscrupulous providers out there, and they have much greater reach with telehealth,” said Mike Cohen, an operations officer with the Health and Human Services Inspector General’s Office, which investigates healthcare fraud. “Just a few can do a whole lot of damage.”
What Providers Need to Be Aware of Going Forward
The OCR has promised further guidance on how covered health care providers can use remote video communication products and responsibly offer telemedicine to patients. For now, the office emphasizes that providers should notify patients when third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. Currently, the new enforcement discretion measures have no expiration date. However, once the public health emergency is declared to be ended, the OCR has stated it will resume its normal HIPAA enforcement process and HIPAA-covered healthcare providers will be required to return to full HIPAA compliance. The enforcement discretion applies to:
• All patients whether they are covered by Medicare or Medicaid
• All health care providers covered by HIPAA that provide telehealth
• All types of telehealth, whether or not payors impose reimbursement restrictions
• Noncompliance with the HIPAA privacy, security and breach notification rules, but with no impact on HHS regulations related to the confidentiality of substance abuse disorder records
• When a telemedicine session is breached or hacked
The Notification of Enforcement Discretion on telehealth remote communications is HERE.
The FAQs on telehealth remote communications are HERE.
In the short run, it’s good policy to reduce restrictions around telemedicine. Further down the road, a return to normalized guidelines will be in the best interest of patient and provider. Telemedicine is here to stay. COVID-19 is causing it to scale up much faster than forecast. It promises to be a bumpy ride but, in the long run, telemedicine promises to be a valuable part of the toolbox for those aspiring to the Triple Aim (improving the patient experience of care, improving the health of populations, and reducing the per capita cost of health care).