Justin Bonk, CISSP, PCI-QSA, CIA, CFE, CISA, CIPP/US
Senior Manager, Freed Maxick Risk Advisory Services
Notification provides guidance on the use of video conferencing technologies to provide telehealth services
On March 17, 2020, the Office for Civil Rights (OCR) announced the “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency.” This notification provides guidance on the use of video conferencing technologies to provide telehealth services to a health care provider's patients, and communicates the OCR’s official stance on the issue as the country continues to address the COVID-19 pandemic.
What Does the Notification Actually Say?
Specifically, the notification states the following:
“During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.”
Aware of the privacy risks associated with the use of video conferencing technologies, the OCR clarifies its official position, stating that health care providers can “use any non-public facing remote communication product that is available to communicate with patients.” Effectively, a “non-public facing communication product” is a software product that communicates directly between two parties, as opposed to products intended for a group audience, such as Facebook Live, Twitch, or TikTok, which the OCR expressly mentions in the notification.
The OCR further states that health care providers “may use popular applications that allow for video chat” such as FaceTime, Facebook Messenger, Google Video Calling, Zoom, or Skype, which the OCR again expressly mentions.
Lastly, the notification clarifies that health care providers may use telehealth services “regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”
How Does That Affect Me?
What this means is that, as a health care provider, if you want to provide telemedicine services to your patients, regardless of whether the services being provided are directly related to COVID-19, the OCR has given this approach its blessing. In the notice, the OCR states that it “will not impose penalties for noncompliance with regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of the telehealth during the COVID-19 nationwide public health emergency.”
If, as a company, you wish to receive additional privacy protections, OCR lists (but does not endorse) video conferencing service providers that have asserted to the OCR that their product is HIPAA compliant, and that they will enter into a Business Associate Agreement with clients. The OCR clarifies, however, that this is a discretionary undertaking for your organization, and that the OCR will not impose penalties for not having a BAA in place with video conferencing vendors.
Lastly, we recommend monitoring the Health and Human Services website, where the federal government will release official communications clarifying HIPAA-related information.
How Can I Reduce My Risks?
There are several ways you can help reduce the risks being introduced by the use of telehealth services. We recommend the following considerations, at a minimum:
- Regardless of the technology you choose to implement, it’s important to eliminate the risk of an unanticipated intrusion on a telehealth session. Each patient session should be unique to that patient. Links, session IDs and passwords should not be used for multiple patients.
- Encrypt email containing sensitive links to eliminate the risk of an email being intercepted and read. Many email solutions have built-in secure email functionality that will encrypt the message.
- Include clear, concise instructions on how to use the technology when you communicate the meeting details to the patient. In the email, request an acknowledgment from the patient that the message has been received and the instructions are understood. This may be beyond the comfort zone and technological understanding of some patients, so easily understood instructions help ensure the technology functions as expected.
Assistance and Guidance from Freed Maxick
The Freed Maxick Covid-19 Resource Center has a wealth of information and guidance on a wide range of topics related to tax relief and benefits, regulatory relief and benefits, and business continuity in the era of Covid-19.
If you wish additional guidance, we are available to discuss your issues and concerns. Connect with us by email at COVIDResponse@freedmaxick.com or call Freed Maxick at 716.847.2651.
Please keep in mind that due to the quickly changing nature of the COVID-19 pandemic, you should always discuss changes with your Freed Maxick advisor or legal counsel.