COVID-19 and HIPAA
The Office for Civil Rights (OCR) issued several documents about how to approach the pandemic situation and still be compliant with HIPAA, since the COVID-19 pandemic does not alter the Privacy Rule concerning protected health information (PHI).
These guidelines and documents cover various points, from media involvement and telehealth to health plans. Although some flexibility was introduced because of the national emergency, PHI still needs to be protected.
One of the main areas of flexibility is telehealth. Telehealth or telemedicine is the use of telecommunications to promote long-distance health care, patient and health professional education about healthcare, public health, and health administration. These technologies include video calls, streaming, sharing images and messages, and landline and wireless communications.
During this pandemic period, the OCR issued a notification saying that it will not apply penalties to covered health providers for noncompliance with the requirements of the HIPAA Rules concerning telehealth, as long as good faith and discretion can be maintained. This notification is valid for as long as the OCR understands that the pandemic scenario does not change, based on the latest facts.
Where can the health professional conduct telemedicine appointments?
According to the OCR notification, health providers can conduct their appointments using telemedicine in their private offices or clinics, connecting with a patient who is at home or in another place.
Professionals must always carry out the appointment in a private location, where they can talk and take notes about the patient's health information without the risk of being heard by others. The guidance to patients is to never take telemedicine consultations in public unless they give consent or there are exigent circumstances.
Even if the telemedicine appointment cannot happen in a private space, the health professional needs to keep in mind and comply with the other HIPAA specifications concerning PHI, and needs to make sure that the patient takes reasonable precautions, such as not using the speakerphone, avoiding crowded places, and even lowering the voice if necessary.
Telehealth: what can I use it for, and how?
Telehealth can be used not only to identify COVID-19 symptoms but also for consultation and diagnostics in any specialty. Whatever the service, it reduces the risk of infection for both the patient and the health professional, since there is no physical contact.
Within this notification, OCR allows health care providers to use websites and applications for video chats, like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, without the risk of exposure or penalties by HIPAA Rules. Health professionals are also advised to inform patients about the potential risk of using these applications and to enable all the available encryption or privacy modes that the apps may have.
The notification also expressly forbids the use of public-facing applications, like Facebook Live, Twitch, TikTok, or similar.
You can check the sources at the end of this article to see the complete list of apps for telehealth.
The OCR also issued a bulletin to emphasize the laws against discrimination on the basis of race, color, age, sex, national origin, disability, and religion in the provision of health care during COVID-19.
What happens if any PHI is intercepted during these calls?
During the period of the COVID-19 pandemic, the OCR will not apply any penalties for breaches that result from the good-faith use of the chat apps. Good faith can be considered present if the health professional follows the terms of the notification, as well as the OCR rules (FAQs on COVID and HIPAA).
The professionals may use other types of video communication products outside the recommended ones without fearing any penalty.