Telehealth and HIPAA – A 5 Minute Guide
In 2020, a lot like work from home options, the US got a crash course in Telehealth thanks to the COVID-19 pandemic. If the healthcare world has its way Telehealth is going to remain a big part of healthcare going forward.
A lot is still not clear to healthcare providers as it relates to telehealth and HIPAA. What are the rules normally? Have any of the rules been relaxed during the pandemic? When are those rules going to be enforced again?
Let us first start with a definition. What is Telehealth?
Telehealth is the use of videoconferencing and telecommunications to provided healthcare support and long-term care for a patient. These types of services are frequently associated with mental health, routine check-ins, health administration, and health education. They are often provided with streaming or video conferencing services or telephone service but may include other forms of communication such as text messaging.
Telehealth services can be any healthcare service provided via the methods listed safely and effectively based on the healthcare providers’ best judgment. This can include the diagnosis or treatment of COVID-19.
Insurance carriers must approve the use of telehealth services and prior to COVID-19 did so on a case by case basis. After the pandemic was declared rules around telehealth were relaxed somewhat to allow for easier access to healthcare for patients who would otherwise put themselves or their families at risk when visiting a healthcare facility.
As of this writing, telehealth services can be provided through “less secure” applications like Facetime, WhatsApp, and Facebook Messenger. You must still advise the patient that these applications are not encouraged but acceptable during the pandemic. You cannot use “public-facing” applications such as Facebook Live, Twitch, or TikTok because you are likely to expose PHI during the telehealth session.
As it relates to Telehealth and HIPAA the covered entity should still make the best efforts to provide healthcare services in a private setting. Despite the relaxation of the HIPAA privacy and security rules for telehealth purposes covered entities still need to take reasonable precautions when providing services to avoid the incidental or accidental exposure of PHI (protected health information).
Telehealth includes the communicating of ePHI. This is usually accomplished through the healthcare providers’ EHR system and a corresponding mobile application. This allows the healthcare provider to communicate with an authorized individual via an encrypted application using a system the healthcare providers are already familiar with. It also means the patient has their healthcare records available and easily accessible via a mobile application.
Telehealth and HIPAA When the Pandemic is Over
Prior to COVID-19 telehealth services were not in high demand. That is expected to change once the COVID-19 pandemic is over. Many healthcare providers have indicated they would like to continue to offer telehealth services after the pandemic.
What will change is the notice of discretion from the OCR. Currently, it is not set to expire, in large part because there is no end date on the pandemic. However, it will eventually come to an end. When it does the use of Facebook Messenger, WhatsApp, Facetime, and other communication apps will no longer be permitted for telehealth. Why? Because the application owners will not sign a Business Associate Agreement with the Covered Entity, and because Insurance Carriers will likely pull back on allowing telehealth for some patients and providers.
To continue to provide telehealth you will need to use a secure application that will sign a BAA with the covered entity. Applications that will sign a BAA with a covered entity for the purpose of telehealth include:
- Skype for Business/Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Amazon Chime
- Cisco Webex
It is important to note that Google and Microsoft will only sign a business associate agreement if you are using the paid plans. Zoom will only sign a BAA with the Zoom for healthcare plan, and not the other paid plans they offer. This list is not exhaustive.
Telehealth and HIPAA in the Future
The explosion of telehealth services being provided over the last 6 months can be compared to the remote work dilemma. It is great that covered entities can continue providing healthcare services remotely while minimizing the risk of COVID-19 spread but the rapid expansion did not come without its own set of problems.
Nearly half of healthcare executives surveyed indicated that either telehealth functionality or capacity has been their primary problem. This should not come as a surprise when you consider the rapid expansion of work from home and the problems that were discovered almost as quickly. The problems are similar. Systems become taxed, security is tested, and you may not have the same functionality and features available when you are in the office.
What is likely to happen is a modified version of what we have as of this writing. The OCR will most likely not allow the use of Facebook Messenger, Facetime, WhatsApp, and others for telehealth services to continue. That is not to say telehealth will go away. There are benefits to using telehealth if the covered entity and patient are on board. It eliminates travel, unnecessary office visits, risk of exposure to virus/bacteria, and wasted time. It is more efficient than office visits. Healthcare providers are working to expand telehealth usage after the pandemic.
Telehealth is here to stay; just as remote working is here to stay. It will continue to evolve and mature. The OCR will continue to gently enforce the rules around it while evolving as well. The one thing that will not change is the business associate agreement requirement. It is best to get on board with that now. When it is time to pull back on using Facetime to provide telehealth services you will find patients might have a hard time accepting this initially. While the OCR will likely provide a “grace period” we know from the past covered entities tend to ignore the grace period.
Telehealth and HIPAA Final Thoughts
We have learned a lot about our capabilities in 2020. Part of what we learned is that not all healthcare services require the patient to come to the healthcare provider’s office.
Telehealth is here to stay and while it is not a finished product (and may never be) it is going to continue to be utilized to provide health services to those who benefit from it. It is best to at the very least investigate offering telehealth services where appropriate, and how you can implement it effectively while maintaining your HIPAA compliance.
If you need to implement a HIPAA compliant telehealth plan for your small to medium healthcare practice contact us at 203.680.8151 or simply fill out this form.