COVID-19: HHS Issues Limited HIPAA WaiversDesigned to Improve Patient Care Through Telehealth, Including Video Chats
The Trump administration on Tuesday announced immediate limited waivers of certain HIPAA privacy provisions to help improve patient care during the growing COVID-19 pandemic. For example, it's now OK for providers to offer telehealth services through certain applications that allow for video chats.
See Also: The Evolution of Email Security
"A covered healthcare provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any nonpublic facing remote communication product that is available to communicate with patients," according to the Department of Health and Human Service's Office for Civil Rights.
For example, healthcare providers can use applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth "without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency," according to OCR.
OCR also notes: "Some of these technologies, and the manner in which they are used by HIPAA covered healthcare providers, may not fully comply with the requirements of the HIPAA rules."
The agency stresses, however, that certain public-facing platforms, including Facebook Live, Twitch, TikTok and similar video communication applications, should not be used in the provision of telehealth under any circumstances.
The Trump administration has also eased other restrictions related to telehealth amid the coronavirus outbreak, including allowing for reimbursement of wider telemedicine services for Medicare and Medicaid patients (see Telehealth: Coronavirus Privacy, Security Concerns).
Applies to All Telehealth
The HIPAA nonenforcement announcement applies to "telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19," OCR notes. "A covered healthcare provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the provider's or patient's phone or desktop computer, in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation."
OCR encourages healthcare providers to notify patients that these third-party applications potentially introduce privacy risks. And it says providers should enable all available encryption and privacy modes when using such applications.
In addition to the waivers related to telehealth during the COVID-19 outbreak, HHS on Tuesday announced other immediate limited waivers related to the HIPAA Privacy Rule.
HHS has waived sanctions and penalties against hospitals that do not comply with the following requirements:
- Obtain a patient's agreement to speak with family members or friends involved in the patient's care;
- Honor a request to opt out of the facility directory;
- Distribute a notice of privacy practices;
- Honor a patient's right to request privacy restrictions;
- Honor a patient's right to request confidential communications.
Impact of Waivers
Privacy attorney Kirk Nahra of the law firm WilmerHale notes that HIPAA privacy waivers "are relatively routine" in emergency situations.
"I'm never quite sure why they are necessary or where they make a material difference in actual practice, and we don't see enforcement activity in these specific issues in any event," he says. "In general, they send a message that healthcare providers who are trying to do responsible things don't have to worry about getting tripped up by HIPAA."
HHS wants to encourage the use of telehealth by making it clear the HIPAA shouldn't be an impediment, Nahra says.
"Providers can use telehealth in this emergency - but I still wouldn't say don't pay any attention to security - for example a telehealth appointment in your office or at home is better than talking to a patient in a Starbucks. I still want providers to be smart and thoughtful - they just don't have to worry about security rule enforcement here."
'Move in Right Direction'
But attorney David Holtzman of the security consultancy CynergisTek says OCR's announcement that it will not enforce the HIPAA standards for healthcare providers using commonly available messaging or videoconferencing applications is unprecedented. "When stacked along with the removal of Medicare restrictions on healthcare providers using telehealth to make treatment services available without visiting the doctor's office, it's a move in the right direction toward reducing the risk of spreading novel coronavirus," he says.
OCR's use of its enforcement discretion leaves a number of unanswered questions, he adds.
"Business associates, like contracted physician organizations may not be able to take advantage of the flexibility to use videoconferencing applications that do not meet HIPAA's security requirements. Healthcare organizations must also determine what state laws would pre-empt employing popular consumer video communication applications for telehealth treatment services. Left unanswered are questions on how to add the telehealth encounters into the patient's treatment records or to provide patients access to copies of the recordings or physician notes from the telehealth treatment sessions. But these issues should not stand in the way of healthcare providers giving potentially lifesaving access to care at this crucial juncture."
Information privacy and security teams will have to be especially vigilant against hackers, Holtzman says, "who have wasted no time to exploit the coronavirus pandemic to attack healthcare organizations as well as patients looking for testing and treatment. Healthcare organizations must carefully monitor traffic on their information networks and look into unusual activity that could represent an intruder scanning for sensitive data or exfiltration of files stored in the system."