Telehealth, HIPAA and COVID-19: What you need to know
During the COVID-19 outbreak, healthcare providers are swamped and short-staffed. And office visits increase the risk of contagion. So it’s no surprise that remote medical care and electronic patient communications are rapidly going mainstream.
Many providers have questions about managing remote patient communications and services while remaining compliant with HIPAA, and even telehealth veterans need to get up to speed with the new rules. Here are answers to some of your telehealth and HIPAA questions.
Telehealth, telemedicine — what’s the difference?
According to the Health Resources and Services Administration, telemedicine refers specifically to remote clinical services. Telehealth is a broader term that includes clinical services, patient reminders, provider training, staff meetings and continuing medical education. Although the terms are often used interchangeably in the press, you should know the difference when you’re reading official government guidance.
Has HIPAA enforcement been relaxed during COVID-19?
Yes. The Office for Civil Rights (OCR) at HHS recently issued a notice saying it will exercise “enforcement discretion” and will not impose penalties for noncompliance with the HIPAA Privacy, Security and Breach Notification Rules in connection with the good-faith provision of telehealth. The agency still expects healthcare providers to comply as best they can. No fixed end date has been set; the notice applies for the duration of the COVID-19 nationwide public health emergency.
The notice applies only to COVID-19 treatment and communications, right?
No. The relaxed rules apply for all medical care and communications during this period, whether you’re helping patients suffering from COVID-19, a sprained ankle or an abscessed tooth.
Who does the notice apply to?
All healthcare providers covered by HIPAA, including doctors, nurses, clinics, hospitals, home health aides, therapists, mental health providers, dentists, pharmacists and laboratories, among others. It does not apply to insurance companies that pay for telehealth services.
What do I need to do to be HIPAA compliant?
Enforcement may be loosened, but you are still expected to apply reasonable safeguards when handling protected health information (PHI). That means you should do your utmost to provide:
- Access control: Make sure no one can listen in on conference calls or video chats without the patient’s permission.
- Encryption: Use communications services and storage providers that encrypt patient data in transit and at rest.
- Physical protection: Do your best to keep phone conversations and information on computer screens private, and encourage patients to do the same.
- Privacy expectations: Disclosures of PHI should still follow the “minimum necessary” rule, provided that doesn’t negatively impact the welfare of the patient. Before exchanging PHI via telehealth or video conferencing, make every reasonable attempt to obtain a signed informed-consent form for telemedicine services.
- Service provider protection: Follow HIPAA standards in dealing with service providers that handle PHI. Document your rules in your policies and procedures. Seek cloud hosting providers willing to sign a HIPAA-compliant business associate agreement (BAA).
Can I use videoconferencing apps?
Yes, but stick to those that are non-public-facing: products where, by default, only the parties you invite can join the session. Non-public-facing does not mean end-to-end encrypted. Only some of these apps (Apple FaceTime, for example) encrypt calls end to end, so whichever you choose, turn on every encryption and privacy setting the product offers. Examples the OCR notice names as acceptable non-public-facing apps:
- Apple FaceTime
- Facebook Messenger video chat
Vendors that state their products are HIPAA-compliant and that they will sign a business associate agreement (BAA) include:
- Google Hangouts Meet
- Zoom for Healthcare
- Microsoft Teams/Skype for Business
- Cisco Webex/Webex Teams
- Amazon Chime
Stay away from public-facing apps, meaning those where anyone can watch or join by default, including:
- Facebook Live, Twitch and TikTok
- Slack chat rooms
You will not be penalized for HIPAA noncompliance if you use a non-public-facing app in good faith during the public health emergency, even one that does not fully meet HIPAA’s requirements. But if you do, explain to patients that the app carries privacy risks, and enable all available encryption and privacy modes.
You can also communicate health information with patients through a telephone conversation or a telephone conference. For conferences, try to get patient permission to include other participants.
What if I get hacked?
OCR has said it will not impose penalties for breaches of PHI that result from the good-faith provision of telehealth during the public health emergency, including a breach caused by a vulnerability in the app you used. Good faith is the condition: apply the safeguards above, keep records showing you did, and still investigate, document and respond to any incident as you would normally.
What about communicating with the patient’s loved ones?
Try to get verbal permission from the patient first. If you can’t, use your professional judgment to act in the patient’s best interest.
Can I share patient information with organizations that are trying to help?
You can share PHI without patient consent with government organizations like the Centers for Disease Control and Prevention (CDC) or state health authorities. You can also share it without consent with relief organizations like the American Red Cross in situations where they are responding to an emergency. Do not disclose PHI to the media without written patient permission.
For more information about telehealth and HIPAA compliance during the pandemic, visit the Department of Health and Human Services (HHS) website, where you can also sign up for updates and find links to other COVID-19-related information. You can also consult your Wipfli advisor for advice specific to your industry and organization.
Need more help with COVID-19 issues?
We’re here to help you navigate the uncertainty of the COVID-19 pandemic and its impact on your people, finances and business. We have developed a library of resources in our COVID-19 resource center to help you stabilize today and prepare for tomorrow.