HIPAA Compliance and Telehealth

In this digital age, keeping personal identification information secure is a priority. Entire industries have been created that focus solely on helping people protect their digital footprint with robust passwords, multiple levels of safeguards, and constant monitoring of transactions and cyberattacks.

And while the medical industry is required to protect and safeguard patient information, the explosion of telehealth practices — especially during the COVID-19 pandemic — is forcing a reevaluation of how sensitive patient information is stored and shared.

Telehealth Becoming Essential

While telehealth has for years been a steadily growing option for specific groups — typically those living in rural areas or patients already in a hospital — the global outbreak of COVID-19 accelerated the need for telehealth medical practices. Older adults, who were at higher risk for severe illness and complications from the virus, were especially in need of new solutions that reduced their potential exposure while still allowing them to see their providers.

In 2020 the federal government worked with the Department of Health and Human Services (HHS) to remove barriers to virtual care by implementing temporary changes like reimbursing telehealth appointments at the same rate as in-office visits, expanding the number of services available through virtual care, increasing payments for audio-only visits, and even allowing providers licensed in one state to provide services to patients in another.

HIPAA in the Age of Telehealth

Enforcement of the Health Insurance Portability and Accountability Act (HIPAA) was also temporarily relaxed in 2020 as providers scrambled to find the right technology and processes that would help them continue to serve their patients remotely. As a result, the use of telehealth services skyrocketed, with the Centers for Medicare & Medicaid Services (CMS) reporting an increase of more than 11,718%in just a month and a half.

Now as the dust settles in 2021, providers, HHS, and government officials are grappling with the need to move out of emergency response mode and find a new balance between virtual care and the protection of patient information. Some technology providers are stepping up to establish new best practices to enforce the HIPAA requirements that protect patient data in the telehealth environment.

The History of Protected Health Information

In 2003, HHS first issued its “Standards for Privacy of Individually Identifiable Health Information” (also known as the Privacy Rule) to implement the requirements of HIPAA. The Privacy Rule addressed the use and disclosure of individuals’ health information, called “protected health information” (PHI), by organizations and created standards for individuals’ rights to understand and control how their health information is used.

Why It’s Important to Take PHI Seriously

While healthcare providers know the value and importance of patient information, adherence to strict guidelines may seem like a secondary thought or even a nuisance in the daily workflow. However, understanding and educating staff on current HIPAA requirements is an important and necessary practical reality for organizations.

New privacy guidelines and rulings have continued to roll out over the last two decades. Healthcare organizations are required to be knowledgeable and to take the guidelines seriously, as a failure to do so can result in hefty fines and even lawsuits. Additionally, any breach of the HIPAA requirements for PHI must be reported to the U.S. Office for Civil Rights, with consequences of failing to report a breach possibly including federal investigation, additional fines, and civil legal action from patients.

HIPAA requirements on PHI also extend to the prehosptial setting, although standards of “reasonableness” on privacy apply differently to the field. EMS agencies are typically required to protect PHI as much as possible when sharing information, taking special care to transmit the minimum amount of PHI necessary and to diligently check who is requesting the information. That said, HIPAA violations for EMS agencies can still carry heavy punishments, including civil penalties like fines or criminal penalties like jail time.

Ongoing Uses of Telehealth for Patient Care

While many organizations were faced with the challenge of quickly adopting telehealth in the pandemic, the options for virtual care are increasing. Potential opportunities for telehealth in healthcare include:

• Tele-triage:Screening patients remotely to determine the patient’s condition and the care needed.
• Tele-emergency Care:Connects providers at a central hub emergency department to providers and patients at spoke hospitals (often small, remote, or rural) through video or similar telehealth technology.
• Virtual Rounds:Allows providers to check on emergency department patients virtually, saving time and PPE, while reducing the number of people physically present at the ED.
• E-consults:Help providers get recommendations from other providers with specialty expertise.
• Telehealth Follow-ups:Provide follow-up care for patients who were triaged but not sent to the ED, or for patients after they are discharged.

Recommendations for Protecting PHI in Telehealth

While a return to “normalcy” will undoubtedly spark new discussions on HIPAA guidelines for telehealth practice, healthcare providers in both prehosptial and hospital settings can continue to look for ways to protect patient information during virtual interactions. While providers currently have more flexibility to use everyday technology for virtual visits, due diligence in selecting tools that are HIPAA-compliant will help protect PHI.

Currently, covered healthcare providers may use popular applications (both video and text-based) to deliver telehealth as long as they are “non-public facing” (for example, Facebook Live, Tik-Tok, and Twitch are public facing and not allowed). It is recommended, however, that providers use technology vendors that are HIPAA compliant and will enter into business associate agreements in connection with the provision of their video communication products. For a full list of example technologies, visit the U.S. government’s telehealth guidance portal.

Additionally, healthcare providers should, to the best of their ability, conduct telehealth appointments in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings if at all possible. If telehealth cannot be provided in a private setting, providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of PHI, such as using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.

While the global pandemic of 2020 fast-forwarded the adoption of telehealth in a major way, it has undoubtedly opened many doors to more efficient treatment options for a large population of patients. As providers continue to work with the government and insurance agencies to strike the right balance of care options, telehealth will remain a viable and helpful tool in the years to come.