The Director of the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) declared that they would allow the use of telehealth technologies to communicate with patients during the nationwide public health emergency that may not fully comply with the HIPAA Privacy and Security Rules.
The question is, what does this really mean?
The HIPAA Security Rule, under 45 CFR 164.308(a)(1)(ii)(A), requires an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI held by the covered entity or business associate.
45CFR 164.308(b)(1) requires that an organization, before permitting them to create, receive, maintain, or transmit ePHI on behalf of a covered entity, obtain satisfactory assurances that the business associate will appropriately safeguard the information using business associate contracts and other agreements.
When we look at this notification and the HIPAA Security Rule, there are still several important pieces of guidance to follow.
This is not a blanket approval of insecure technologies that several people in the security field have noted.
- Compliant Vendors Encouraged. This notice encourages providers to provision these services through vendors that will enter into Business Associate Agreements for their products, thereby reducing the time needed to deploy solutions. As many of them are providing free trials now, this allows them to get started as soon as possible and enter into a formal agreement later.
- For the duration of this national emergency, they will not penalize providers for the use of products that will not enter into these agreements.
- The “good faith” or “appropriate prior” standards still need to be followed. According to Cohen Healthcare Law Group, in their article “Establishing the Physician-Patient Relationship: Telemedicine Law Often Requires It, but What does this Mean?”, these are statues that vary from state to state. In my previous and current experience, this has involved my customers getting legal opinions of the specific services provided and methods of delivery. Given the current situation, this is one that you will still want to consult a healthcare attorney and/or regulatory affairs specialist about usage in your state, as the telemedicine statutes, much like document retention dates, are not uniform for all services or established/enforced by OCR.
- This does not mean a lack of security. OCR’s expectation is that providers should enable all available encryption and privacy modes when using these applications. This indicates that applications that provide a reasonable and appropriate degree of security in transport, such as Facetime, Zoom, Google Hangouts or Duo, Microsoft Teams, and WebEx, should be used.
- No public/broadcast apps. Applications which facilitate public-facing communications, such as Facebook Live, Twitch, TikTok, or similar ones that allow you to broadcast to the Internet easily should not be used.
- Patient Notification. It’s recommended to notify patients that these third-party applications potentially introduce privacy risks. This is a standard disclaimer that should be part of the communications when using these products.
- Document Technologies Used. You should still document in the encounter notes of your Electronic Medical Record the date, time, and method of communication used as these systems may not log or audit this information the way a more compliant product would.
This is excellent guidance from the OCR that speeds the availability of critically needed technologies to the hands of providers by providing a temporary respite from the vendor risk analysis and contracting component. However, it does not absolve providers of their responsibilities under state laws, and still requires them to take reasonable and appropriate steps to protect patient privacy and inform patients of potential risks.