The current pandemic has brought a sweeping number of changes culturally and professionally on a domestic and global scale. On January 31, the US Department of Health & Human Services (HHS) declared a national public health emergency for coronavirus disease (COVID-19),1 and the White House followed with a similar proclamation on March 13.2 These two declarations consequently paved the way for a temporary modification in how health care is conducted and billed throughout the duration of the pandemic.
Thus, the Office for Civil Rights (OCR) at the HHS announced that it will not impose penalties for noncompliance with HIPAA Privacy, Security, and Breach Notification Rules in regard to the good faith provision of telehealth during the COVID-19 pandemic.3 For clarification, HHS defines telehealth as the “use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.”4 The Centers for Medicare & Medicaid Services (CMS)5 and private payers6 have noted of any waivers or updates in their coverage of telehealth as well.
Most notably, this announcement is a benefit to those physicians who are attempting telehealth, as the technical requirements for a telehealth system have been relaxed. Now, almost any point-to-point system can be used to deliver care remotely. The March OCR notice to providers states “Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”2 With this, physicians who are beginning to set up their practice in a virtual format can theoretically avoid the upfront resource expenditures associated with choosing a specialty platform.
Considering HIPAA Requirements
Dermatologists should be wary that certain popular consumer video chat applications have come under scrutiny for unsafe privacy and security practices despite approval and reimbursement for use. While consumer teleconferencing software are easily accessible, a platform that focuses solely on HIPAA-compliant communications between patient and provider is highly recommended. So, what steps can clinicians take to mitigate potential privacy and security challenges as telehealth continues to rise in utility?
The first and most important thing to do is make sure the telehealth specialty platform will provide a signed business associate agreement (BAA). The BAA will assure you, if you carefully and properly vet the document against HIPAA standards, that the platform is following HIPAA regulations. It should detail where and how (ie, encrypted format) any video conferences are stored; the post-visit security is crucial, as the chances of a live video stream being interrupted and accessed by a third-party bad actor are small, but a post-visit hack can be more prevalent. Further, connections should be (in general) encrypted. The software should create a VPN (virtual private network) connection, which creates a secure tunnel between a client (ie, end user or device) and the telehealth server. If a VPN client is not possible due to the chosen the telehealth platform, the bare minimum would be ensuring that the service or browser you are connecting to is encrypted. An easy way to tell is if the URL address starts with https://, as opposed to https://.
It bears repeating that during the COVID-19 pandemic most point-to-point, basic consumer teleconferencing systems that do not meet the technical requirements under HIPAA are approved for use during the pandemic. A few of the paid subscription equivalents for these platforms, including Skype for Business/Microsoft Teams and Zoom for Healthcare, have stated that they provide HIPAA-compliant products and will enter into a BAA.4 However, should dermatologists decide to keep telehealth as a permanent component to their practice, a BAA is an absolute must for security and even legal purposes.
In addition to the BAA, physicians should communicate with patients the practice’s telehealth use. This should be added as a paragraph within the practice’s consent for services paperwork that the patient is requesting an alternative communication protocol; this paragraph should also include a brief explanation of the risks of telehealth, including potential cybersecurity issues.
Prior to offering telehealth, physicians should perform a security risk assessment (SRA) of their practice. Note that HIPAA regulations require an update to the SRA whenever there is a system or operational change.7 I recommend that all the technical and physical safeguards be reviewed at a minimum, but a full SRA should be performed so as to not overlook or miss anything.
Remember that your practice’s remediation plan will need to be updated to reflect the additional modality of telehealth. It is also crucial to maintain revision control for any of the policies, procedures, or safeguards that are changed. The OCR can require you to provide 6 years’ worth of this revision control, so it is best practice to maintain these records. Also, be sure to conduct trainings with all staff on these modified policies, procedures, and safeguards.
Alternative Causes for Concern
A potential benefit to the current changes in HIPAA compliance rulings is the slim chances of being a target of the random audit program. In 2019, only audits of 2013 records were conducted, so the odds today of an audit are negligible.
Having said that, there is a greater risk lurking in cyberspace to your practice and patients. There is a 90% chance is that you will have at least one reportable breach every 24 months, and 45% of practices will have 5 or more breaches in that same time period.8 There is also the very real possibility of having a complaint filed against you with the OCR. For any of these situations, you should have (and are required to) conducted a periodic internal audit as part of your privacy and security program management. During any investigation, you want to be able to demonstrate how your policies, procedures, and safeguards accurately reflect how your practice actually operates.
Again, the OCR and payers have noted that these telehealth changes are temporary solutions for the current public health crisis. Given the fluidity of the situation and patient comfort levels following a return to more “normal” daily life, dermatologists may wish to permanently integrate telemedicine into their practice. With the exception of the use of telehealth systems that will not follow and attest to their compliance with HIPAA regulations (ie, will sign a BAA) and allow an investigation into their compliance, what physicians do in the short term is what will need to be done for a long-term plan. Much of the cost of implementing the telehealth system will be in the cost of the system, which can be deferred during the crisis. Post crisis, dermatologists would only move to a HIPAA-compliant system, should they still need to do so.
Conclusion
Even after countless stories of security breaches across all medical specialties, many practices are not conducting appropriate SRAs; creating remediation plans; conducting training around their own policies, procedures, and safeguards; conducting internal audits; or vetting their business associates, all as required by traditional HIPAA Rules. Compliance with HIPAA and the other proliferating privacy and security regulations is still abysmal.
But the adjusted schedule due to COVID-19 provides ample opportunity to review those critical aspects of your practice. Take the time to perform a proper internal audit and update your remediation plans based on your SRA—it may save you and your patient’s PHI in the future.
Mr Shindell is chief executive officer of Carosh Compliance Solutions. He is the former chairman of the HIMSS Risk Assessment Work Group, a member of AHIMA’s privacy and security council, and a board member of the Indiana Chapter of HIMSS. Mr Shindell has more than 30 years of multidisciplinary experience in health care and has served as an advisor and principal in health care, technology, and service companies. He may be reached at rshindell@carosh.com.
Disclosure: The author reports no relevant financial relationships.
References
1. Secretary Azar declares public health emergency for united states for 2019 novel coronavirus. News release. US Dept of Health & Human Services. January 31, 2020. Accessed May 1, 2020. https://www.hhs.gov/about/news/2020/01/31/secretary-azar-declares-public-health-emergency-us-2019-novel-coronavirus.html
2. Trump DJ. Proclamation on declaring a national emergency concerning the novel coronavirus disease (COVID-19) outbreak. The White House. March 13, 2020. Accessed May 1, 2020. https://www.whitehouse.gov/presidential-actions/proclamation-declaring-national-emergency-concerning-novel-coronavirus-disease-covid-19-outbreak/
3. Office for Civil Rights. Notification of enforcement discretion for telehealth remote communications during the COVID-19 nationwide public health emergency. US Dept of Health & Human Services. March 30, 2020. Accessed May 1, 2020. https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
4. Office for Civil Rights. FAQs on telehealth and HIPAA during the COVID-19 nationwide public health emergency. US Dept of Health & Human Services. Accessed May 1, 2020. https://www.hhs.govhttps://s3.amazonaws.com/HMP/hmp_ln/imported/telehealth-faqs-508.pdf
5. Medicare telemedicine health care provider fact sheet. Centers for Medicare & Medicaid Services. March 17, 2020. Accessed May 1, 2020. https://www.cms.gov/newsroom/fact-sheets/medicare-telemedicine-health-care-provider-fact-sheet
6. COVID-19: teledermatology. American Academy of Dermatology. May 5, 2020. Accessed May 5, 2020. https://www.aad.org/member/practice/coronavirus/teledermatology
7. Guidance on risk analysis. US Dept of Health & Human Services. July 22, 2019. Accessed May 1, 2020. https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
8. Ponemon Institute LLC. Sixth annual benchmark study on privacy & security of healthcare data. May 2016. Accessed May 1, 2020. https://www.ponemon.org/local/upload/file/Sixth%20Annual%20Patient%20Privacy%20%26%20Data%20Security%20Report%20FINAL%206.pdf