HIPAA Telehealth Restrictions Lifted to Expand Patient Access During COVID-19 Crisis

Breaking telemedicine news!

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), “…will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers…during the COVID-19 nationwide public health emergency.” 

We know this is a bit of a mouthful, but it is good and important news for all of us in the healthcare industry.

The OCR enforces certain HIPAA regulations that protect the private health information of patients. On Wednesday, the office made it easier for more doctors to deliver remote treatment.

It’s another way the healthcare system has mobilized to meet the unprecedented challenge of delivering health care during a pandemic.

Currently, one of the safest ways to receive medical attention is via video chat or other remote telemedicine tools. Opting for virtual visits is an effective preventative measure in minimizing the spread of the virus.

As a result, telemedicine proves to be increasingly relied upon as a treatment approach in the coming weeks and months.

Read our breakdown of this HIPAA development below.

What HIPAA Penalties?

There are strict HIPAA telehealth regulations that providers must comply with.

However, in the face of our current health crisis, the OCR is suspending penalties they would normally impose on organizations for noncompliance with HIPAA telehealth standards.

Be mindful that this is not a reckless move. There is still much emphasis on the secure transmission of patients’ private health information.

Rather, it is reasonable leniency during a time that calls for quick, pragmatic action.

What You Need To Know

1) Care providers now have more flexibility in how they can deliver virtual treatment.

Effective immediately, care providers can use any “non-public facing” products or services to remotely communicate with patients, even if they do not fully comply with HIPAA requirements.

2) What does “non-public facing” mean?

This describes any telecommunication technology that allows for a private or secure connection between two parties.

Basically, the OCR does not want doctors and patients to communicate over open channels for the obvious security concerns.

The OCR gave examples of non-public facing video chat applications that can be used for telehealth services under this provision:

• Apple FaceTime
• Facebook Messenger video chat
• Google Hangouts video
• Skype

The OCR also noted that using “public-facing” applications for telehealth is prohibited, such as:

• Facebook Live
• Twitch
• Tik Tok

As you may notice, the non-public facing programs offer private, one-on-one communication. The video on applications like Tik Tok or Twitch is visible to everyone.

Here is a good way to think of the difference: you need to be invited to an appointment with a “non-public facing” product, but anyone could join your appointment on a “public-facing” application.

3) This provision is not just limited to telehealth services for treatment related to COVID-19.

The main reason for pulling back the regulatory restrictions on telehealth has been to allow more care providers to, “…assess a greater number of patients while limiting the risk of infection of others who would be exposed from an in-person consultation.”

However, this “HIPAA noncompliance forgiveness” extends to telehealth services that have nothing to do with COVID-19.

In the spirit of minimizing the spread of coronavirus, providers in all fields are allowed, and encouraged, to utilize remote treatment.

4) Safety Not Guaranteed 

The OCR notes that using these applications present potential privacy risks.

Don’t be afraid to confirm with your provider that they have enabled any available encryption or privacy modes when using a product that is traditionally not HIPAA compliant.

Things are moving very fast as the world’s health systems try to address this pandemic. It’s almost as if we are seeing a global treatment plan unfold and evolve in real-time.

Doctors and clinicians are figuring things out on the fly, so your emphasis on security could be a helpful reminder. When it comes to your private health information, it is much better to be safe than sorry.

5) HIPAA Business Associate Agreements

You may have seen this term, or its acronym (BAA) while researching this HIPAA provision.

We have found the language and literature surrounding this topic to be rather complicated. You may be a little unsure of what this part means.

Under normal HIPAA circumstances, care providers are required to enter into a business agreement with the entity that provides their telehealth tools.

Put simply, a BAA is a legal document that ensures a telemedicine service provider will sufficiently protect private health information.

Because of the current public health emergency, providers will not be penalized for the lack of a BAA with video communication vendors at this time.

The OCR identified a few vendors that claim to offer HIPAA-compliant telehealth services and a willingness to enter into a HIPAA BAA with care providers:

• Skype for Business
• Updox
• VSee
• Zoom for Healthcare
• Doxy.me
• Google G Suite Hangouts Meet

Conceivably, these products offer more substantial privacy protections than others.

However, the OCR notes that this is not an exhaustive or confirmed list. There may be other remote communication technology vendors that offer the same thing.

What Does This All Mean?

The jury is still out on, well, almost everything at this point.

But, as we try to take a bird’s eye view of this situation, it looks like telehealth is coming on strong and here to stay.

To be frank, we were surprised to see how these noncompliance penalties were rolled back. We are so used to the stringent HIPAA requirements being strictly enforced.

The OCR’s decision to loosen up its telehealth restrictions is an unexpected, yet prescient one. Their quick action should facilitate the safe, remote treatment of many patients in need.

We have been so encouraged to see how entities in all corners of the healthcare industry are doing their part to combat the COVID-19 pandemic.

The Sigmund team is committed to providing our customers with treatment options that extend outside their office walls during this evolving situation. Our comprehensive patient engagement software, which includes a dynamic patient portal and telehealth solution, creates a reliable virtual care environment for both providers and patients during this time.

Matt Prete, Sigmund’s VP of Software Development and Information Technology, recently presented a webinar that examined the true potential of the virtual care environment. He explores a variety of crucial patient engagement solutions that allow providers to deliver thorough and patient-centered care, even under the constraints of the pandemic. If you want to see what a dynamic and exhaustive virtual care environment looks like, you can view his presentation in full by clicking the button below.