The proliferation of COVID-19 in the United States has created challenges for the health sectors and therefore has created changes in compliance with telemedicine. With the rising cases of the novel coronavirus being reported every day, there is a need for healthcare providers to use technology to meet the increasing demand for their services.
To this end, the Office for Civil Rights (OCR) on March 17th announced that it will exercise its enforcement discretion and will waive any potential penalties occasioned by violations against HIPAA Rules committed by healthcare services providers who serve patients using everyday communications technologies while we face the nationwide COVID-19 public health emergency.
OCR being the body charged with the responsibility of protecting patients’ privacy under HIPAA rules, will not impose penalties for the good faith use of communications technologies/platforms/apps such as Skype and Face Time. The waiver is for any telehealth uses for diagnostic or treatment purposes, for COVID-19 and other cases.
On April 2nd and 9th, the OCR HHS also announced an exercise of enforcement discretion of not imposing penalties for HIPAA Rules violations by businesses and entities for good faith uses and disclosures in public health and health oversight activities.
While the relaxation of the HIPAA Rules is meant to aid service delivery, there is also a need to operate in compliance with the relaxed enforcement rules. So, how do healthcare services providers (nurses, physicians, clinics, hospitals, dentists, laboratories, pharmacists, therapists, home health aides, etc.) operate in compliance with the relaxed rules enforcements? We will explore the compliance aspect of telehealth below in intricate details.
What Telehealth Services Can You Provide Under the Enforcement Discretion?
Under the relaxed enforcement discretion, health care providers can provide any telehealth services that, based on their professional judgment, can be provided remotely. For instance, they can render diagnostic services and treatment, including adjustment of prescriptions, mental health counseling, etc.
What Are the Remote Communication Channels You Should Not Use?
Under the Notice, health care services providers can use everyday communications apps in good faith to render telehealth services. Some of the platforms they can use include Skype and Face Time.
However, under the Notice, healthcare services providers cannot use public-facing communications apps. As such, they are prohibited from using TikTok, Facebook Live, Instagram Live to provide telehealth services.
How to Deal with Protected Health Information
While providing telehealth services during the COVID-19 public health emergency, it is still important to treat PHI with utmost care. To this end, you need to maintain accountability and privacy while handling PHI.
For instance, to maintain the privacy of PHI:
- Enable and use encryption when storing and transmitting the information,
- Shred all home-printed documents,
- Use remote access to the office computers, and
- Create and use work profiles on personal/home computers.
Additionally, to maintain accountability, health services providers should:
- Review security risk,
- Terminate access to all systems,
- ePHI access log, among other measures.
The Best Practices to Follow When Providing Telehealth Services
Under the Notice, healthcare services providers should use teleconferencing technologies in good faith. To meet this requirement, healthcare providers should:
- Document all their encounters with patients in a secure system,
- Provide telehealth services from a private environment,
- Use non-public facing teleconferencing apps/platforms,
- Ensure their exchange is private, and
- Keep current with HHS and CMS.
Following these simple pointers will enable you to offer healthcare services in compliance with the relaxed telehealth rules.