HIPAA Restrictions Exist to Protect Patient Privacy. Can We Have Telehealth More Broadly and Still Comply?
It has been just over a year since the Office for Civil Rights (OCR) issued its Administrative Waiver for Telehealth as part of an overall effort to ease HIPAA restrictions during the COVID-19 pandemic.
There is little doubt that making it easier for health care professionals to use video calls for appointments has helped immensely in efforts to diagnose patients during this pandemic. At the same time, however, as vaccines roll out, discussion is underway around whether or when the rules surrounding patient privacy need to be reinstated or at least revisited in a post-pandemic setting.
Here we look at some of the considerations for risk managers on the HIPAA waivers moving forward.
Ways We’ve Benefitted
First and foremost, relaxing the HIPAA rules around telehealth increased access to remote care for patients. People who could not physically go to a doctor’s office — or were too afraid — could describe their symptoms to a health care professional in a teleconference.
Importantly, these appointments could now be legally scheduled and conducted across state lines and, in some cases, could reach rural and underserved patient populations.
Telehealth also cut down on risk — fewer in-person visits for patient and doctor meant a lower chance of virus spread while more virtual visits conserved Personal Protective Equipment (PPE) for critical uses.
More recently, in January 2021, as vaccines became available, the OCR eased the HIPAA rules around booking an appointment online. While using a web-based app to book a vaccine appointment in the past would potentially have been a HIPAA violation, the waivers have enabled online scheduling by vaccine seekers and health care professionals alike.
Today, third-party technology is used to crawl websites to help people find available appointments and to reduce vaccine waste.
Why We Must Remain Vigilant
While there are many benefits of the HIPAA waivers for broadening access to telemedicine, like so many realities in managing risk, the potential for abuse and recklessness exists.
This is especially the case as personal health care information moves down the line from the provider to vendors, suppliers and business associates.
Those who advocate for revisiting the HIPAA waivers cite weaknesses in the business associates waiver, in particular. Under this waiver, the OCR indicated that it would not impose penalties on the business associates of a health care provider for the violation of certain HIPAA privacy rules as long as that business associate was acting in “good faith” when it came to the disclosure or use of protected health information (PHI).
The problem, as detractors see it, is that the list of business associates could be very long. Indeed, in the provision of virtual care, the resources could include web hosting, cloud service providers, software applications, texting services and more.
There are video conference services deemed safe for telehealth visits and some encrypted email programs that are HIPAA compliant. The concern among patient privacy advocates is whether, in the justified rush to provide telehealth during the pandemic, medical professionals know what they have, and whether vendors understand and appreciate patient privacy laws.
The World Privacy Forum, which has extensively studied the HIPAA waivers, makes the point in a September 2020 white paper that many people now handling PHI may have never worked in a health care setting before. Thus, well-intentioned “good faith” efforts by suppliers and vendors during a national crisis to share information with health authorities could easily lead to PHI being leaked to “bad actors.”
Indeed, cybercriminals had identified telehealth as an opportunity for fraud even before the pandemic. Now, with many more players and loosened HIPAA restrictions, the stage could be set for more misuse of PHI.
Striking a Balance Between Adoption and Risk
With telehealth continuing to prove itself and demand continuing to grow not just in the United States, but around the world, it is unlikely that we will return to a pre-pandemic norm.
COVID-19 has accelerated health care’s transition into the virtual world and onto the internet, with all the risk that entails.
However, HIPAA was signed into law in 1996 for good reason. There was no doubt that “playing fast and loose” with protected health care information was causing Americans real harm, from the unwanted disclosure of an illness or medical condition to identity theft and financial losses. The task at hand for risk managers and their insurance partners is to help preserve the balance of patient privacy with all the good that has come — and will come — from telemedicine.