Telehealth has been an effective tool for improving access to care and creating more flexibility for providers. During the pandemic, the U.S. Department of Health and Human Services offered regulatory permissions to promote and expand the adoption and use of telehealth services, supporting the health and safety of patients and providers alike.
While some permissions have become permanent, others expired on May 11, 2023. The Office for Civil Rights (OCR), which is responsible for protecting the privacy and security of protected health information (PHI) through the enforcement of certain regulations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (collectively known as the HIPAA Rules), allowed a transition period to give providers time to modify their operations and ensure full compliance with HIPAA by August 10, 2023.¹ Below, we review some of the pertinent areas in which this period of discretionary enforcement has ended.
Telehealth Remote Communications²
Any audio or video communication technology used to communicate with patients must be a HIPAA-compliant platform whose vendor will enter into a HIPAA business associate agreement in connection with the provision of its video communication product. While the Public Health Emergency (PHE) permissions allowed providers to communicate with patients using popular applications such as Apple FaceTime, Google Hangouts, or Skype, these modes of communication are non-compliant with current privacy regulations.
Online or Web-Based Appointment Scheduling for COVID-19 Vaccinations³
Any appointment scheduling system for COVID-19 vaccinations must be HIPAA compliant. While the OCR permitted the use of web-based scheduling applications to accommodate the need for large-scale appointments for persons seeking the COVID-19 vaccine, any scheduling application currently in use must run on a HIPAA-compliant platform.
Use and Disclosure of Protected Health Information for Public Health Activities in Response to COVID-19⁴
The HIPAA Rules permit a business associate of a HIPAA-covered entity to use and disclose PHI to conduct certain activities, functions, or services on behalf of the covered entity, pursuant to the terms of the business associate agreement or as required by law. During the PHE, federal public health authorities, oversight agencies, and departments relaxed the enforcement of these business associate agreements, allowing business associates to provide PHI to these entities in a timely manner. At the time of this article, that relaxed enforcement is no longer in effect: a business associate of a HIPAA-covered entity must have express permission to disclose any PHI, per the business associate agreement and/or as required by law.
Potential Repercussions of HIPAA Non-Compliance⁵
In 2015 and 2016, the OCR settled a number of potential HIPAA violations. The settlements included significant monetary payments and required the entities to abide by administratively burdensome corrective action plans. As of September 2016, 39 cases had resulted in payments totaling $45.9 million, an average payment of over $1 million per case. Additionally, the OCR referred 584 cases of HIPAA violations to the Department of Justice (DOJ) for potential criminal prosecution. From 2017 to 2021, studies show that HIPAA complaints and large-volume privacy breaches rose significantly.⁶ The bottom line is that taking steps now to ensure your practice’s compliance with HIPAA, both with your staff and with the technology and applications you use, demonstrates your commitment to upholding the privacy of your patients.
How to Avoid Pitfalls and Implement Best Practices
Using non-compliant telehealth platforms can pose risks to patient privacy, data security, and overall quality of care. To avoid these pitfalls, consider the following steps when choosing a HIPAA-compliant telehealth and patient communication platform:
1. Research Platform Compliance: Before adopting a telehealth platform, thoroughly research its compliance with relevant HIPAA regulations. Look for clear documentation of compliance measures and security protocols.
2. Privacy and Security: Ensure the platform uses encryption for data transmission and storage. It should have features like secure login, data access controls, and regular security updates.
3. User Authentication: Verify that the platform provides robust user authentication methods, such as two-factor authentication, to prevent unauthorized access.
4. Data Ownership and Storage: Understand where patient data is stored, who owns it, and for how long. Ensure that the platform adheres to data retention and disposal policies.
5. Informed Consent: Platforms should allow patients to provide informed consent for telehealth services and data usage. Make sure the platform facilitates obtaining and documenting patient consent. If the platform does not support electronic consent, ensure that consent is obtained and documented on paper.
6. Regular Auditing: Choose a platform that undergoes regular security audits by third-party organizations to assess its compliance and security measures.
7. Vendor Reputation: Opt for platforms from reputable vendors with a track record of reliable and secure services. Read reviews and testimonials from other healthcare professionals.
8. Technical Support: Ensure the platform offers reliable technical support to address any issues promptly, especially security-related concerns.
9. Data Transfer and Sharing: If the platform allows data sharing, ensure it is done securely and with appropriate patient consent. Avoid platforms that encourage sharing sensitive information through unsecured methods such as ordinary email or consumer messaging apps.
10. Compatibility: Check the platform's compatibility with your existing electronic health record (EHR) systems and other tools for seamless integration, or check with your EHR vendor to inquire about telehealth tools that may be available.
11. EHR Integration: If possible, choose a telehealth platform that integrates with your existing EHR system to facilitate accurate record-keeping and continuity of care.
12. Patient Verification: Implement processes to verify patient identity before starting telehealth sessions to prevent unauthorized access.
13. Transparent Policies: The platform should have clear policies regarding data usage, sharing, and security. Review these policies to ensure they align with your ethical and legal obligations.
14. Regulatory Compliance: Be aware of any changes in telehealth regulations and ensure that the platform remains compliant with evolving requirements.
15. Feedback and Monitoring: Encourage patients and providers to provide feedback on their experiences with the platform. Regularly monitor for any breaches or unauthorized activities.
Remember, your priority is to provide safe and secure care to your patients. If you have concerns about a platform's compliance, it is better to err on the side of caution and explore alternatives that better meet your needs while ensuring patient safety and data security.
This information is provided as a service to CAP members from a risk management perspective and is not intended as legal advice. If you have questions or a specific patient situation and need guidance, please contact CAP’s Risk Management Hotline at 800-252-0555.
Yvette Ervin is a CAP Senior Risk Management & Patient Safety Specialist. Andie Tena is CAP’s Assistant Vice President of Practice Management Services. Questions or comments related to this article should be directed to YErvin@CAPphysicians.com or ATena@CAPphysicians.com
¹U.S. Department of Health and Human Services, “HHS Office for Civil Rights Announces the Expiration of COVID-19 Public Health Emergency HIPAA Notifications of Enforcement Discretion (Apr. 11, 2021),” HHS.gov, Sept. 2023, https://www.hhs.gov/about/news/2023/04/11/hhs-office-for-civil-rights-a…
²Federal Register, Vol. 85, No. 77, April 21, 2020, Rules and Regulations, HHS.gov, Sept. 2023, 2020-08416.pdf (govinfo.gov)
³Federal Register, Vol. 86, No. 35, Feb. 24, 2021, Rules and Regulations, HHS.gov, Sept. 2023, 2021-03348.pdf (govinfo.gov)
⁴Federal Register, Vol. 85, No. 67, April 7, 2020, Rules and Regulations, HHS.gov, Sept. 2023, 2020-07268.pdf (govinfo.gov)
⁵Emergency Care Research Institute, Ambulatory Care Risk Management Guidance, “The HIPAA Privacy Rule (1/27/2017),” ecri.org, Sept. 2023, https://www.ecri.org/components/PPRM/Pages/RS5.aspx
⁶Emergency Care Research Institute, “HIPAA Complaints, Large Breaches Rose Significantly from 2017 to 2021 (3/14/2023),” ecri.org, Sept. 2023, https://www.ecri.org/components/PhysicianPracticeENews/Pages/Phys031423_HIPAA.aspx