Given the evolving implications of COVID-19 and its rapid influence on the healthcare industry, the manner in which healthcare services are delivered will continue to change the way patients seek and obtain medical care. It is important to discuss how the Health Insurance Portability and Accountability Act (HIPAA) regulation, and those organizations that must comply with it, are likely to adapt to this new environment. Telehealth, which is a healthcare service application that allows individuals to communicate with healthcare providers from the comfort of their own homes, has become a necessity as we strive to flatten the curve. As the need grows for telehealth services, our team takes a closer look into how the Office of Civil Rights’ (OCR) recent flexibility of enforcement on some requirements within the HIPAA Security Rule may lead to uncertainty in the healthcare space now and in the near future.
Impact of Telehealth Services on HIPAA
Since the 2013 Final Omnibus Rule, no additions or changes have been made to the HIPAA regulation in order to address changes in the healthcare sector. Since that time, emerging technologies have outpaced the regulation, with the framework not explicitly designed to address digital health options such as telemedicine. The U.S. Department of Health and Human Services (HHS) has offered limited guidance on acceptable communications platforms as a short-term method to conduct healthcare services during the ongoing public health crisis.
In order to deliver healthcare to individuals, providers may now opt to telecommunicate by utilizing atypical telehealth applications such as Skype, a non-public-facing application, in order to provide healthcare services to their patients. This platform ensures that only the intended participants can join the communication session by implementing security controls like encryption and user authentication to safeguard the communication channel, so that it can only be viewed, accessed or read by the appropriate parties.
Applications that are deemed public-facing services, however, like Facebook Live, should not be used as a mode of telecommunicating with individuals in the healthcare environment. Without all the necessary controls in place, applications like Facebook Live may enable unauthorized individuals to access and share patient information related to an interaction and create risk of impermissible disclosure of ePHI. Although short-term solutions may be permitted to accommodate the need for virtual services, the long-term implications of using these services and their impact on alignment to the HIPAA Security Rule are not yet clear.
Influence of Audit and Enforcement on Telehealth Services
The OCR has stated it will exercise its discretion in rendering enforcement against certain organizations that fail to comply with HIPAA during the COVID-19 outbreak. For example, covered entities that do not execute a business associate agreement (BAA) with their respective telehealth-related business associates may not face enforcement for failing to execute a BAA under the current circumstances, provided that the organization acts in good faith. It should be noted that these enforcement measures are specific to telehealth and would not apply to those companies that currently offer telehealth, i.e., nurses’ hotlines or insurance companies.
Regardless of how the present COVID-19 situation develops, telehealth has demonstrated its presence and value in the healthcare industry. However, because certain enforcement considerations have been relaxed due to the current circumstances (i.e., not having a BAA in place), the OCR will need to provide clarity on certain situations, for example, how issues resulting in breaches during this time will be handled retroactively.
Amid this situation, organizations are still responsible for enforcing and ensuring the safety of their ePHI. As a proactive measure, businesses should continue to be as thorough as possible, or even expand their third-party due diligence programs to handle potential aftereffects of incidents that may occur during the COVID-19 pandemic. Organizations may consider developing a method to track gaps or areas of noncompliance resulting from their use of novel technologies or other contingencies during the COVID-19 outbreak. This will help map current practices to HIPAA compliance objectives in order to understand and prioritize the areas that must be addressed once guidance or updates on maintaining HIPAA compliance in the new healthcare reality are released.
Conclusion
As current events and emerging technologies shape a new era of healthcare, services like telehealth will continue to become more valuable and widespread. The current public health crisis has led some healthcare providers to rely on nontraditional communication channels, methods, and providers that do not achieve the clear requirements of HIPAA. While these contingencies may serve their short-term objectives of patient care, the longer-term impact on HIPAA compliance must be considered. As technology continues to outpace the HIPAA Security Rule, enforcement, guidance and updates will be needed in order to provide organizations with a clear picture of what is expected in this new healthcare landscape. In the meantime, organizations that can begin applying controls where feasible (e.g., scaling third-party risk management and due diligence) should begin doing so. Also, where organizations are not able to address requirements during this time of uncertainty, a method for tracking the gaps and issues for remediation will increase the odds that you can remain resilient in light of upcoming changes and enforcement.