How To Ensure HIPAA Compliance With Telehealth Visits During the Public Health Emergency of COVID-19?

Telehealth is a critical component of the current healthcare crisis that arose due to the sudden outbreak of the COVID-19. Telehealthcare is a promising strategy that can help practitioners to combat the increasing number of healthcare challenges. Before diving into details, let’s probe into the brief introduction of telehealthcare services.

Telehealthcare

The Health Resources and Services Administration (HRSA) of the U.S. The Department of Health and Human Services (HHS) defines telehealth as the clinical care that is delivered to patients by using electronic information and telecommunication technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration. It involves the use of technologies like; videoconferencing, the internet, store-and-forward imaging, streaming media, landline and wireless communications.

Telehealthcare services may also be delivered through audio, text messaging or video communication technology, including video conferencing software. Certain payers may impose restrictions on the types of technologies that can be used for telehealthcare services. However, these restrictions may not impact the scope of HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.

Implementation Of HIPAA Regulations On Telehealthcare:

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the HIPAA regulations. As changed by the Health Information Technology for Economic and Clinical Health (HITECH) Act. It is amended in order to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules).

Due to the National Emergency caused due to the COVID-19 outbreak, healthcare providers should abide by HIPAA regulations more rigorously to manage data coming from multiple locations. HIPAA rules can help providers to manage data flow across the communication channel that is spread through remote locations via telecommunication.However, still, there are some entities that are not covered under HIPAA regulations for telehealthcare services. We have enlisted specific entities that are included and excluded from the Notification of enforcement Disease.

ENTITIES THAT ARE INCLUDED IN NOTIFICATION OF ENFORCEMENT DISEASE

HIPAA Notification of Enforcement Discretion covers the following entities;

1. This notification applies to all healthcare providers that are covered by HIPAA and deliver telehealth services during the COVID-19 crisis.
2. This notification is applicable to all patients who receive care services from HIPAA-covered providers.
3. Centres for Medicare and Medicaid (CMS) patients are also considered in this notification.
4. Covered healthcare providers who ensure the resilience of HIPAA commitment will not be subjected to any penalty.

This Notification does not affect the application of the HIPAA Rules to other aspects of health care services outside of telehealth during the emergency.

ENTITIES THAT ARE EXCLUDED FROM NOTIFICATION OF ENFORCEMENT DISEASE

1. A healthcare insurance company that is responsible for the payment of telehealthcare visits is not included in the NED.
2. It also doesn’t apply to violations of CFR PART 2 (the HHS regulations that protect the confidentiality of substance use disorder patient records).

OCR will exercise its enforcement discretion and will not impact penalties for noncompliance with the regulatory requirements under the HIPAA Rules. Especially, for those rules that are against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Hence, this notification is applicable to telehealthcare services immediately.

Note:

Consequently, this exercise of discretion applies to telehealthcare provided for any treatment or diagnostic procedure. It is regardless of whether the telehealth service is related to any category of diagnosis and treatment of health conditions related to COVID-19.

Which Applications Are Covered Under OCR?

According to this notice, healthcare providers may use any popular software applications to communicate with their patients in order to deliver telemedicine. They can use applications like; Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth. They don’t need to worry about the risk that OCR might seek to enforce a penalty for non-compliance with the regulations defined under HIPAA.

As a medical practitioner, it is already well-known to you that HIPAA Rules are related to good faith provision of telehealth during the COVID-19 nationwide public health emergency. Therefore, it makes providers stay encouraged and notify patients that these third-party applications potentially introduce privacy risks. Thus, providers should enable all available encryption and privacy modes when using such communication apps for telemedicine.

Applications That Are Prohibited For Telehealthcare:

Providers should consider that using Facebook Live, TikTok, and similar video communication applications are prohibited for telehealthcare. As these applications are public-facing and don’t guarantee patient information security.

HIPAA COMPLIANT TECHNOLOGY

Now practitioners should consider that they should only utilize such applications and technology that are HIPAA compliant and bring reimbursement in return. Providers should implement telehealthcare through technology vendors that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. I have underscored a list of applications that provide HIPAA-compliant video communication products that can be the part of HIPAA BAA.

1. Skype for Business / Microsoft Teams.
2. Updox.
3. VSee.
4. Zoom for Healthcare.
5. Doxy.me.
6. Google G Suite Hangouts Meet.
7. Cisco Webex Meetings / Webex Teams.
8. Amazon Chime.
9. GoToMeeting.
10. Spruce Health Care Messenger.

Note:

OCR has not reviewed the BAAs offered by these application vendors. Also, this list does not constitute an endorsement, certification, or recommendation of the specific technology, software, applications, or products that are compliant with the federally mandated laws. There may be other technology vendors that may offer HIPAA-compliant video communication products and complies with a HIPAA BAA with a covered entity.  Moreover, OCR also doesn’t embrace any of the application software that allows for video chats listed mentioned-above.

Conclusion

Under this Notice, OCR will not charge penalty against covered telehealthcare providers for the lack of a BAA with video application vendors. However, apart from these applications, any other application that is noncompliant with the HIPAA Rules that relate to good faith provision of telehealth services will also not be subjected to any penalty by OCR nationwide during a public health emergency.

Medical Billing Benefits is your leading source for the latest information about the healthcare industry. Get the latest updates and news about healthcare reforms, regulations of insurance carriers, and bold new strategies for reimbursement models.