
As practices reopen and continue to offer telehealth, they need to keep HIPAA compliance in view. The HHS Office for Civil Rights (OCR) is expected to begin weighing when to end the enforcement discretion it has extended to telehealth during the pandemic. Part B News has surveyed the considerations now in play at OCR and among HIPAA industry representatives and providers.
The Department of Health and Human Services (HHS) telehealth waivers gave providers a boost, but as states reopen, the prospect of a return to the old rules looms. That matters from a compliance standpoint, because the HIPAA enforcement discretion that lets you deliver telehealth over consumer products is likely to be the first relief withdrawn, with normal HIPAA enforcement the first policy reinstated.
HHS put its COVID-19 public health emergency (PHE) telehealth waivers in place on March 17, and use of these services, which Medicare previously reimbursed only if providers met stringent requirements, has since skyrocketed. In a June 15 letter to Senate Majority Leader Mitch McConnell, several U.S. Senators wrote that since the expanded policies took hold, “available data show that the number of Medicare beneficiaries using telehealth services during the pandemic increased 11,718% in just a month and a half.”
But now that states and medical practices are slowly reopening and returning to a semblance of normal, attention is turning to the post-COVID future. While many telehealth enhancements are expected to endure as permanent changes, experts expect the telehealth enforcement discretion announced by OCR to come to an end.
Under the OCR discretion, the agency agreed it would not impose penalties for HIPAA violations against covered health care providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” That has protected practices that use non-public-facing platforms such as FaceTime and Zoom to deliver telehealth even when they do not follow HIPAA-mandated safeguards, such as business associate agreements (BAAs) or encryption. The discretion does not extend to public-facing products such as Facebook Live, Twitch or TikTok, which OCR's notification expressly excludes.
OCR’s discretion hinges on the “good faith” provision of telehealth services, which means you cannot disregard HIPAA standards entirely, and you still carry the responsibility of maintaining the confidentiality, integrity and security of electronic protected health information (ePHI). Good faith versus bad faith is something that, like everything in modern medicine, ought to be supported by documentation: record which platform you chose, why, what privacy settings you enabled and what you told patients about the risks.
Even with the OCR discretion in place, you retain your other responsibilities under HIPAA, including the process to remediate when your practice suffers a breach of PHI. While OCR is unlikely to fine you for a breach caused by use of a technology permitted under its discretion, you “would still be required to follow the breach notification and reporting procedures.”
Beyond the ability to continue telehealth under less stringent conditions, providers need to be aware that HIPAA enforcement will change as we return to a “new normal.” OCR has recommended throughout the PHE that providers keep making their best efforts to comply with HIPAA: enable any available encryption and privacy modes in the product they use, notify patients that third-party applications may introduce privacy risks, and, where possible, move to a vendor that will sign a BAA before the discretion is withdrawn.