Covid-19, Telemedicine, and HIPAA

*** NEWS FLASH ***

As I write this, the federal government is announcing that it is relaxing the HIPAA requirements as they directly pertain to the use of telehealth to treat patients. While the below reminder, written just a day ago, is still relevant, the waived rules mean providers are temporarily permitted to use tools like Skype and FaceTime to conduct virtual encounters with their patients. This is an effort to protect our care providers and allow patients to remain in isolation while we attempt to contain Covid-19. While we welcome this new announcement with open arms, we urge you to use caution while engaging in telehealth under the relaxed rules. Despite the current crisis, a patient’s medical history is still sacred to each patient and, if exposed under these rules, could remain “in the wild” in perpetuity, long after this moment has passed. Thank you for reading.

As I sit here in my toilet paper roll lounge chair, I have to admit it’s driving me a bit crazy how people are calling Covid-19 the “Coronavirus”. Yes, it is part of the Coronavirus (aka “common cold”) family, but we would all test positive for Coronavirus, far fewer for Covid-19. It’s important to make the distinction because when the media reports “many people are testing positive for the Coronavirus with no symptoms” – what does that mean, you tested people for a cold? Fear and uncertainty can be reduced with facts and accuracy. We don’t need more uncertainty right now. 

Let’s get to it. In an effort to provide care for their patients while protecting themselves, their staffs, and other patients, many providers are turning to alternatives to provide remote care. Well, it’s not as simple as picking up a phone to talk to your patients. Here are some general guidelines as detailed in the Security Rule.

  1. Any remote care system should restrict access to necessary personnel only, and limit that to what each user needs to see.
  2. Standard texting, Skype, and regular email are NOT HIPAA COMPLIANT methods of communicating with your patients. Having a policy that says thou shalt not share Protected Health Information while texting or emailing patients is NOT a HIPAA compliant policy. The communication tools you use with your patients MUST be secure; in most cases that means encrypted. Keep in mind there’s a reason why Verizon, Skype, Google and others will not sign Business Associate (BA) Agreements for certain services with Covered Entities.
  3. Whatever system you use must keep a log of the communications. Again, not all systems do, and some that do are not securely locking down this information. Be sure to check.

Well, you’re saying, this is problematic. I don’t have a telehealth solution right now, I’m not spending the money for one, and even if I did, I probably wouldn’t have it up and running in time to address this crisis. In truth, encrypted texting and email solutions are available, inexpensive, and can be implemented quickly. But if that doesn’t work for you, here’s your way around the problem. I encourage you to have your attorney draft a disclaimer (or find a copy of acceptable verbiage) in which your patient acknowledges waiving their rights to protect the information they are sharing with you over the medium you have chosen, and acknowledges that the means being used is neither secure nor HIPAA compliant. If your patient says they understand the risks and accept them, then you’re on stronger ground than you are without that. This is NOT ideal, but under the current circumstances, if that’s the best you can do, our position is you are better off rendering care to those in need than turning them away because you can’t accommodate them in a HIPAA compliant manner.

And that gets to my final point. HIPAA is not meant to be an excuse to refuse care, nor is it intended to hinder your ability to provide that care. Under the current health crisis, we urge you to be considerate of your patients’ privacy, and to act responsibly when responding to media and others, but don’t allow HIPAA to stop you from treating those in need. We all have bigger issues to tend to.

J. Mongelli

The HIPAA Security Rule requires the implementation of a security awareness and training program for all members of the workforce (including management). Have your team sign up for the weekly HIPAA Security Reminder to help stay compliant.