More HIPAA and Telehealth

By Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure, #HCdeJure

As the telehealth flood gates are being opened, privacy and security considerations still remain. HIPAA will continue to lurk in the background even with the Office for Civil Rights (OCR) pre-announcing the exercise of discretion to not enforce telehealth-related violations during the COVID-19 pandemic. The discretion to permit the use of non-compliant services (such as FaceTime, Skype, or Facebook Messenger) leaves many questions unanswered.

To help address the concerns, OCR released a new set of FAQs covering telehealth and HIPAA, at least for the duration of the pandemic. The new FAQs do not further expand who can receive services pursuant to telehealth or what can be billed but do help clarify what OCR meant when it stated discretion would be utilized in enforcement.

Questions 1-3: Definitions
The first few questions go to defining telehealth and identifying who is covered. For purposes of the discretion, telehealth is defined very broadly to mean the use of electronic information and telecommunications (which really means any form of communication) to support the delivery of healthcare services not in person. Interestingly, OCR includes audio, texting, and video conferencing in the scope of its definition. However, OCR includes a very important caveat that OCR does not determine reimbursement requirements, which means that even if OCR would turn a HIPAA blind eye to a particular means of communication, a payor may not view all communications as sufficient to support billing and payment.

In terms of who is covered by the enforcement discretion, OCR states that any healthcare provider will benefit from the discretion, which makes sense since OCR would not really be in a position to distinguish one type of provider from another. However, as with how to deliver telehealth services, OCR cannot commit to whether all providers will be paid for providing telehealth services. OCR does draw an important distinction, though: only providers are covered by the enforcement discretion. OCR uses the example that a health insurance company that merely pays for telehealth does not benefit from the waiver.

Lastly, OCR makes no statement as to which patients can receive telehealth services. That question can only be answered by the payors.

Questions 4-6: Scope of Discretion
The non-enforcement of HIPAA extends to all aspects of the HIPAA rules. That means OCR will not enforce a violation of the Privacy Rule, the Security Rule, or the Breach Notification Rule that may occur in connection with the good faith provision of telehealth services. As a comment, it is understandable that no enforcement will occur with the Privacy Rule and Security Rule. However, it would seem better to only partially waive compliance with the Breach Notification Rule. For example, if data are clearly inappropriately used or disclosed as a result of providing telehealth services, it would seem reasonable to still require a breach notification. By contrast, it is supportable to say that notification is not required merely because a non-compliant service was used, which would normally be a violation requiring notice of a breach.

The discretion is also limited solely to HIPAA. If an entity provides substance use treatment services and is subject to the more stringent privacy requirements of the Part 2 regulations, Part 2 must still be followed.

Lastly, the enforcement discretion will remain in place until revoked by OCR. Ostensibly that will be so long as an emergency declaration remains in place concerning COVID-19. Even if OCR “forgets” to immediately revoke the enforcement discretion once the emergency ends, it would be advisable to shift to full compliance as soon as that event occurs.

Questions 7-11: How to Conduct Telehealth
Without getting into whether a particular form of telehealth will be reimbursed (again because that goes well beyond the scope of what OCR governs), the FAQs help to clarify where and how to actually provide the service. Any form of telehealth involving an audio or video conversation should still be done in a private setting where the interaction cannot be overheard. That means a telehealth visit should not occur in a public setting, which arguably is being made easier all of the time with social distancing and potential shelter in place becoming the norm in many places. Clinicians can perform any type of service through telehealth too if the clinician feels that doing so is an appropriate way of delivering the service. This guidance is not really a novel interpretation from OCR, but parrots statements that are always made about telehealth.

OCR’s clarification about what constitutes “bad faith” in pursuing telehealth may be the most helpful. If telehealth is delivered in a bad faith way, then the enforcement discretion will not apply. The list of bad faith examples provided by OCR is as follows:

  • Acts that represent a criminal act, including fraud, identity theft, or invasion of privacy;
  • Using a patient’s information in a way not permitted by HIPAA other than for the delivery of telehealth, meaning selling the information or using for marketing beyond permitted purposes;
  • Violating state licensure laws (implicit recognition that the federal government cannot waive state licensing requirements) or professional ethical standards (another implicit recognition that state law governs the direct practice of medicine); and
  • Use of public-facing services that can broadcast live to a general audience such as Facebook Live or TikTok.

The last point around public-facing services then goes into what constitutes a non-public-facing remote communication service. Ultimately the definition comes down to a service that, even if not secure by HIPAA standards, allows for direct connections between individuals and does not or cannot broadcast to a larger audience.

Taken in full, the FAQs help to shed some additional light on how to provide telehealth services on almost any platform during the course of the COVID-19 emergency. The steps largely mirror the initial announcement and provide a little additional color around the edges. Even in this time of decreased enforcement, all available means of protecting privacy and security, even in non-HIPAA-compliant services, should be utilized and implemented. With all of these considerations though, stay safe and help provide access to patients in need.

This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.