HIPAA and COVID-19: Restrictions Loosened, But Experts Preach Caution
This week, in response to the spreading COVID-19 outbreak, federal health officials made important announcements around removing barriers that have historically discouraged providers from using telehealth and other forms of digital communication to deliver care.
For example, the Centers for Medicare & Medicaid Services (CMS) on March 17 said it would temporarily pay clinicians to provide telehealth services for beneficiaries residing across the entire country. Going forward, a range of healthcare providers, such as doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers, will be able to deliver telehealth services in any healthcare facility including a physician’s office, hospital, nursing home or rural health clinic, as well as from their homes, according to CMS.
Prior to this announcement, Medicare was only allowed to pay clinicians for telehealth services such as routine visits in certain circumstances, such as providing care to a beneficiary in a rural area and would otherwise have to travel to a local medical facility to get telehealth services from a doctor in a remote location.
What’s more, the Office for Civil Rights (OCR) additionally announced that effective immediately, it will waive potential penalties for HIPAA violations against providers who serve patients through everyday communications technologies during the COVID-19 public health emergency. According to OCR, “This exercise of discretion applies to widely available communications apps, such as FaceTime or Skype, when used in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.”
The temporary removal of certain telehealth restrictions is being seen by industry stakeholders as a necessary step to spur the adoption of virtual care at a time when in-person contact should be limited as much as possible. Beyond that, providers and IT leaders at patient care organizations are also welcoming that federal regulations will be loosened, allowing digital communication to occur via devices that may not be HIPAA-regulated.
“This will improve access to care. Providers have been anxiously seeking guidance from OCR that will allow them easier access to treat patients and an easier and faster ability to communicate with colleagues outside of their own health system in order to make real time/rapid differential diagnosis communications, including sharing data and images with peers,” says Alissa Smith, a partner at the international law firm Dorsey & Whitney and co-chair of its Health Transactions and Regulations Practice Group.
Smith, in emailed comments, specifically remarked on the few HIPAA waivers just made available to healthcare providers: (1) waivers for hospitals in the initial 72 hours of enacting a disaster protocol; and (2) waivers for all healthcare providers to allow them to use the aforementioned “everyday communications technologies, such as FaceTime or Skype, during the COVID-19 nationwide public health emergency” for the provision of patient care services.
For the first waiver, Smith informs that the HIPAA waiver will only apply to hospitals: (1) in the emergency area identified in the public health emergency declaration; (2) that have instituted a disaster protocol; and (3) for up to 72 hours from the time the hospital implements its disaster protocol.
Importantly, Smith adds, after the 72 hours elapses, the hospital is required to return to full HIPAA compliance, even for patients who are still under care at the time. Also, if the national emergency or the public health emergency is terminated, the hospital is required to return to full HIPAA compliance, even if the 72 hours has not elapsed.
As for the second waiver related to “everyday communications,” Smith says it’s “particularly refreshing for healthcare providers who have been anxiously seeking easier methods, such as the use of personal devices and specific technologies, to interact via audio and/or video technologies with their patients and colleagues.”
However, Smith does advise that providers proceed with caution in a few different areas. For one, she says, “The OCR encourages providers to notify their patients that these third-party applications potentially introduce privacy risks.” What’s more, she adds, “Providers should also take as many security precautions as possible to protect patient information such as enabling “all available encryption and privacy modes when using such applications,” and having these conversations in private spaces to avoid others who are not involved in the patient’s care overhearing the communication.” And finally, Smith contends that “even if a provider is using everyday communications technologies, providers should take care to record the interactions in the patient’s medical record to ensure that patients’ records are complete and accurate.”
It's also worth pondering what will happen when the emergency ends. Will the temporary restrictions remain loosened or will the government go back to enforcing its previous regulations? Matt Fisher, the chair of law firm Mirick O'Connell's health law group and a partner in the firm's business group, believes, “Once the privacy cat is let out of the bag, it cannot be put back in.” That means, Fisher opines, that “patient data hosted or stored in a non-HIPAA compliant platform could end up being used for a number of unexpected or non-desirable purposes.”
Fisher adds that “Understanding that it is essential to ensure a comprehensive ability to provide needed services to patients during this emergency, awareness of longer-term consequences cannot be completely ignored. Especially when immediacy does not need to be sacrificed to those considerations.”
Irrespective of HIPAA waivers, organizations must still be mindful that COVID-19, while a global crisis, actually presents an opportunity for cyber attackers. Errol Weiss, chief security officer at Health-ISAC, a healthcare cybersecurity information sharing and analysis center, notes that cyber criminals historically have taken advantage of events, such as natural disasters, to further their scams.
“Here we have a global event that knows no boundaries, and it literally [has brought] billions of targets across the globe that they could potentially pray upon,” Weiss says.