How does HIPAA currently govern telemedicine?

The U.S. Department of Health and Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration.” Telehealth technologies can include videoconferencing services such as Skype and Zoom, internet and chat-related applications, *store-and-forward imaging*, streaming media, and other communications. Telehealth is an increasingly important area for patients, especially in the wake of the COVID-19 pandemic. 

Telehealth is currently governed by the HIPAA Security Rule, which states that only authorized users may have access to a patient’s ePHI, and only through a system of secure communication. When medical information created by a medical professional or a specific organization is stored by a third party, that third party must have a *Business Associate Agreement* (BAA) with that organization. *Business associates* that are specifically responsible for storing *ePHI* must comply with HIPAA standards that allow for external auditing and secure communications. For example, if a patient were to communicate with a healthcare provider through a Skype call, then barring a formal agreement with Skype, that information falls outside of the purview of HIPAA. If any third-party company, like Google or Skype, experiences a security breach, that company and the healthcare provider may be liable for the breach. 

Several companies, like Microsoft, have certified select portions of their business, like Skype for Business, as proper telehealth vendors. Moreover, many healthcare providers have incorporated virtual messaging applications into their workflows and into AI chatbots that can quickly communicate with patients. 

What changes have been implemented to HIPAA’s oversight of telehealth in light of COVID-19?

The Coronavirus Preparedness and Response Supplemental Appropriations Act (CARES) has allowed the Centers for Medicare and Medicaid Services (CMS) to change their interim rules to ensure that members can receive the services they need. The “Telehealth Services During Certain Emergency Periods Act of 2020” grants the HHS Secretary authority to waive or modify certain provisions of telehealth requirements during the COVID-19 pandemic. 

To help guide the implementation of specific actions, the HHS Office for Civil Rights (OCR) recently issued a set of frequently asked questions that seek to address the major changes in telehealth during this period. As the HIPAA-enforcement arm of HHS, OCR announced that it will exercise “enforcement discretion” and will not impose penalties for noncompliance with regulatory requirements during the “good faith provision of telehealth” services during the COVID-19 national public health emergency. 

As a result, HHS is allowing health providers and their business associates to use HIPAA-compliant platforms such as Zoom, Skype for Business, Google G Suite, Cisco Webex, and GoToMeeting. All communications platforms must be non-public facing, which means that they employ end-to-end encryption so that only the individual and the party with whom the individual is communicating can see that communication. As a result, public-facing platforms like TikTok, Facebook, and Twitch are not acceptable for communication. The FAQ sheet points out that if PHI is intercepted during transmission of a telehealth appointment, OCR will not impose a penalty on the provider as it normally would under the HIPAA Security Rule. 

How has Medicare adjusted its telehealth policy?

Prior to COVID-19, there were five key components that governed telehealth visits under Medicare. Those included geographic restraint, location of a specific site, eligible providers, the modality of the visit, and a restricted list of eligible services. Based on COVID-19, Medicare has relaxed those policies substantially with the following updates:

  • All locations allowed: CMS has waived the rural geographic restraint, which originally restricted most telehealth visits to patients located in rural areas. With stay-at-home orders across the United States, Medicare is now allowing patients from a variety of geographic contexts to use telehealth services. 
  • More Site Locations Permitted: Medicare has expanded the available range of sites that patients and providers can be located in during telehealth appointments.
  • Expanded Eligible Providers: CMS has waived restrictions for federally qualified health centers (FQHCs) and rural health clinics (RHCs) which can now serve as fully qualified telehealth providers. 
  • Modalities Are the Same: CMS has maintained the audio-visual modality requirements dictated by the CMS Interim Final Rule for COVID-19 planning.
  • Expanded List of Services: CMS has increased the volume of services that it now permits and allows for additional services ranging from virtual home visits to emergency consultations under the new final rule. 

CMS has also expanded the range of telehealth services provided during the pandemic through the 1135 waiver and currently offers three types of services:

  • Medicare Telehealth Visits: Medicare patients may use telecommunication technology for office, hospital visits and other services that generally occur in-person.
  • Virtual Check-ins: Medicare patients may have the opportunity to check in with their provider through a standard communication service or by sending images or videos to a provider. These forms of communication are typically initiated by the patient and are paid for by Medicare so patients can avoid the doctor’s office except for necessary visits.
  • E-Visits: These are established non-face-to-face communications with doctors through an online patient portal.

Specific Use Case: The AMA Guide to Telemedicine in Practice

This helpful resource from the American Medical Association provides a range of tools and resources for helping practices arrange their telemedicine protocols with patients. “The AMA Digital Health Implementation Playbook series offers comprehensive step-by-step guides to implementing digital health solutions, specifically telemedicine, in practice based on insights from across the medical community. Each Playbook offers key steps, best practices and resources to support an efficient and clear path to implementation and scale.” These playbooks include the Implementation of Telehealth toolkit, Telehealth Workflow Best Practices, examples of workflows, and other key materials. 

For Health Providers, the AMA recommends the following steps:

  • Scope Out Your Telehealth Practice: Create a team that can help guide you through the telehealth practice and ensure that you’re meeting HIPAA guidelines.
  • Evaluate Possible Vendors and Contracts: After confirming that you can streamline telehealth practice through your EHR vendor, ensure that your practice comprehends the parameters of HIPAA compliance and data ownership. 
  • Build Your Workflow: Create a space in your practice for telehealth and train providers and physicians on how to best implement these practices. 
  • Inform Patients: Let patients know that your practice is now accommodating telehealth visits and explain the consent procedures to patients. This will ensure they’re aware of how these visits work and how their health data is protected.

Policymakers should consult the AMA’s latest updates on telehealth policies and procedures, especially for Medicare providers. 

Key resources to use for telehealth research:

https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/

https://itsecurity.org/telehealth-and-coronavirus-privacy-security-concerns/

How does HIPAA cover patient data?

HIPAA is the primary governance framework for managing health data privacy in the United States and continues to be the legal standard for safeguarding the sharing and use of sensitive patient data. This section describes some of the basics of HIPAA.

  • Covered Entities include qualified healthcare providers, healthcare clearinghouses, and health plans. Covered entities may include employer-sponsored health plans, health maintenance organizations (HMOs), or government-sponsored health plans like Medicare and Medicaid.
  • Business associates include persons or businesses that perform certain functions on behalf of a covered entity, or provide services to a covered entity that involve the use or disclosure of a patient’s PHI. Business associates may include third-party claims processors, attorneys for a healthcare provider, or consultants.

While HIPAA and a patchwork of other laws seek to safeguard the privacy of personal health information, they only protect data collected by healthcare providers, healthcare plans, and healthcare clearinghouses. As a result they are not well designed to handle the many other kinds of health data produced and collected today including data collected by fitness trackers, genetic analyses, or other commercial processes and devices.

Depending on the entity, HIPAA may not cover:

  • Genomic Data: The rapid rise of genomic data in personalized healthcare decision-making has been enabled by companies like 23andMe, Ancestry.com, and MyHeritage. More widespread clinical genomics testing has also increased the availability of genetic data, and the NIH now allows researchers to share de-identified clinical genomic data through secure databases and carefully regulates that data. However, privately held genetic data remains an issue. The largest four genomics companies alone had received DNA samples from more than 26 million consumers as of January 2019. Much of this data falls outside of the purview of HIPAA and is not regulated by research-driven data use arrangements that place limits on how clinical data is used and disclosed. The NIH has advanced several new measures to protect the privacy of patients in research instances, such as Certificates of Confidentiality. Despite that, specific risks remain around disclosure, and there is confusion over the use and value of genomic data.
  • Consumer-Generated Data: Consumer-generated data is health-related data collected from products and devices used by consumers, including data from the Internet of Things and social media data. Consumer-generated data may fall outside of the purview of HIPAA if it is collected by technology companies that are not covered entities, are not “business associates” of covered entities, and are not subject to clear guidelines from the FTC. Consumer-generated data often lacks data minimization, may include location data, and may be managed by technology companies that are not HIPAA-certified.
  • Social Determinants of Health Data: The social determinants of health (SDOH), including income, education, and housing, are a promising area of population data attracting increased interest from researchers, providers, and patients. For example, some research suggests that a person’s ZIP code is actually more predictive of adverse health outcomes than that person’s genetic code. Despite their value, the social determinants of health represent data points that are indirectly related to a person’s health and therefore fall outside of HIPAA. For example, while a person’s access to credit may be a major indicator of their ability to receive healthcare, this piece of information does not contain PII as defined by HIPAA. SDOH data may be used to redline or profile communities that are high risk.

See the “Data in Need of Special Protection” section of this website for more information about the specific risks posed by specific types of data. 

On January 31, 2020, HHS Secretary Alex Azar declared a public health emergency under Section 319 of the Public Health Service Act, which granted him permission to adjust select HIPAA requirements. Although HIPAA’s Privacy Rule cannot be suspended during this public health emergency, certain provisions within HIPAA may be temporarily waived. This authority comes from the Project Bioshield Act of 2004, which establishes HHS authority during public health threats, and section 1135(b)(7) of the Social Security Act, which allows provisions like program preapproval or participation requirements to be waived. In a March 2020 memo, HHS Secretary Azar waived the following provisions:

  • Families Can Now Make Decisions About Loved Ones. HHS has granted a patient’s family members the option of reviewing that patient’s PHI or other relevant healthcare information from a physician or caregiver directly without that patient’s explicit consent.
  • Hospital Patient Directories. In order to improve data sharing and information about patients who may have COVID-19, patients may no longer exclude themselves from hospital directories. This ensures that all hospitals are reporting up-to-date directories of patient data to the authorities.
  • Suspending the Right to Notice of Privacy Practices. HHS has temporarily suspended an individual’s Right to Notice of Privacy Practices, which requires patients to receive “adequate notice of the uses and disclosures of protected health information that may be made by the covered entity” according to HIPAA’s 45 CFR 164.520. Covered entities no longer have the legal obligation to inform the patient of these practices.
  • Patient Right to Request Privacy Restrictions. Provisions exist that allow patients to restrict the “uses or disclosures of protected health information about the individual to carry out treatment, payment, or health care operations”, among other restrictions. This waiver enables covered entities to use patient data for purposes granted in HIPAA.
  • Patient Right to Request Confidential Communications. Under HIPAA, patients are able to make requests to receive communications of their PHI in alternative locations or through alternative means. This waiver restricts that option so patients may not make special requests of their PHI.

HIPAA outlines strategies to manage de-identification of sensitive PHI and sets technical requirements for covered entities that manage PHI. To ensure proper de-identification of data, HIPAA mandates that all entities that share PHI either utilize “Safe Harbor” guidelines or follow “expert determination” to remove Personally Identifiable Information (PII) from a patient’s PHI. HIPAA’s Safe Harbor outlines a comprehensive list of variables that must be removed from a person’s PHI including address, medical record numbers, email addresses, and other PII. Expert determination involves convening a panel of experts with statistical and scientific knowledge to evaluate the risks of re-identification from a person’s PHI. Moreover, HIPAA’s technical requirements ensure that covered entities institute protective measures and safeguards for their data management systems to prevent security breaches and other possible threats.
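The Safe Harbor and expert-determination methods described above can be made concrete in code. The following is an added example, not code from the original page or from HHS: it applies the Safe Harbor removals (direct identifiers dropped, ZIP codes truncated to three digits, dates reduced to the year, ages over 89 collapsed to "90+", identifier patterns scrubbed from free text) to a constructed patient record, then runs a simple k-anonymity count of the kind an expert-determination review would use to gauge re-identification risk. The field names, the sample patients, and the `restricted_zip3` parameter are assumptions of this example; the actual list of three-digit ZIP prefixes that must be changed to "000" is published by HHS and is not reproduced here.

```python
"""Safe Harbor de-identification plus a basic re-identification risk check.

Added example; record layout, field names and sample data are constructed.
"""
from __future__ import annotations

import re
from collections import Counter
from datetime import date

# Identifier patterns scrubbed from free-text fields (assumed field "notes").
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://\S+")

# Direct identifiers Safe Harbor requires removing outright. The field names
# are this example's assumption about how a record is laid out.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = ("dob", "admit_date", "discharge_date", "death_date")


def safe_harbor(record: dict, *, today: date,
                restricted_zip3: frozenset[str] = frozenset()) -> dict:
    """Return a copy of ``record`` with Safe Harbor identifiers removed.

    * direct identifier fields are dropped; state is kept (it is the smallest
      geographic unit Safe Harbor allows in full);
    * ZIP keeps its first three digits, or becomes "000" when that prefix is
      in ``restricted_zip3`` (prefixes covering 20,000 people or fewer);
    * dates directly related to the individual keep only the year;
    * ages over 89 become "90+", and the birth year is dropped for them too,
      since year of birth alone would reveal the age;
    * free-text notes are scrubbed of phone, email, SSN, IP and URL patterns.
    """
    out: dict = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            prefix = str(value)[:3]
            out["zip3"] = "000" if prefix in restricted_zip3 else prefix
        elif key in DATE_FIELDS:
            out[key + "_year"] = value.year
        elif key == "notes":
            text = value
            for pattern in (PHONE_RE, EMAIL_RE, SSN_RE, IPV4_RE, URL_RE):
                text = pattern.sub("[REDACTED]", text)
            out[key] = text
        else:
            out[key] = value
    if "dob" in record:
        dob = record["dob"]
        age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
        if age > 89:
            out.pop("dob_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def k_anonymity(records: list[dict], quasi_identifiers: tuple[str, ...]) -> int:
    """Smallest group size when records are grouped by the quasi-identifiers.

    A result of 1 means some record is unique on those columns and could be
    singled out by anyone who knows them; an expert determination would
    normally require a larger k (or another risk model) before release.
    """
    groups = Counter(tuple(r.get(q) for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


TODAY = date(2020, 4, 1)  # fixed "today" so ages are reproducible
SAMPLE_PATIENTS = [  # constructed sample data, not real patients
    {"name": "Pat Example", "street": "1 Main St", "city": "Springfield",
     "state": "MA", "zip": "01101", "dob": date(1985, 4, 12),
     "admit_date": date(2020, 3, 20), "mrn": "MRN-0001",
     "email": "pat@example.com", "diagnosis": "J18.9",
     "notes": "Call 555-123-4567 or pat@example.com; see https://example.com/x"},
    {"name": "Sam Example", "street": "2 Oak Ave", "city": "Springfield",
     "state": "MA", "zip": "01103", "dob": date(1929, 1, 1),
     "admit_date": date(2020, 3, 22), "mrn": "MRN-0002",
     "diagnosis": "J18.9", "notes": "SSN 123-45-6789 on file"},
]

if __name__ == "__main__":
    deidentified = [safe_harbor(p, today=TODAY) for p in SAMPLE_PATIENTS]
    for rec in deidentified:
        print(rec)
    print("k on (zip3, state, diagnosis):",
          k_anonymity(deidentified, ("zip3", "state", "diagnosis")))
    print("k on (zip3, age):", k_anonymity(deidentified, ("zip3", "age")))
```

Two points the output makes that the paragraph alone does not: the record for the 91-year-old loses its birth year as well as its age, because Safe Harbor treats any date element that reveals an age over 89 as an identifier; and the same two records are 2-anonymous on ZIP prefix, state and diagnosis but unique on ZIP prefix and age, which is exactly the kind of quasi-identifier combination an expert-determination review has to evaluate. The pattern-based scrub of free text is the weak spot of this approach: it will miss a name written into a narrative note, which is one reason Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify the individual.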

What can be improved?

  • High Costs and Challenges with HITECH Compliance. The Health Information Technology for Economic and Clinical Health Act (HITECH), passed in 2009, enforces the HIPAA Privacy Rule by mandating compliance audits of covered healthcare providers, clearinghouses, and plans. These audits evaluate a covered entity’s compliance with HIPAA, focusing on security risks, assets and devices, physical environment, and policies and practices that ensure patients can access their own data safely. These organizational-focused policies can cost thousands of dollars to implement and create barriers to entry for small companies working to manage sensitive PHI.
  • Lack of Oversight for Non-Covered Entities. The lack of oversight for non-HIPAA entities leaves many organizations and companies that manage and use health data outside of the rules for de-identification and technical protections. For example, many workplace wellness programs (on-site employee focused fitness and nutrition programs) offered outside of health plans may not fall into the covered entities category for HIPAA. For more information on how HIPAA governs workplace wellness programs, visit the HIPAA website.

HIPAA’s Right of Access ensures that patients may access their PHI from covered entities at any time. The Right of Access specifically states that a patient has the right to inspect or obtain a copy of their PHI in a designated record set. A designated record set is a group of health records that includes the medical and billing records about a patient, the enrollment, payment, claims adjudication, case or medical management record systems maintained by or for a health plan, and a set of records used to make decisions about a patient. The Right of Access is critical to patient advocacy groups and healthcare companies that rely on the right of access to ensure effective treatment plans for patients and members of healthcare plans.

What can be improved?

  • Patients Can’t Always Access Their Data from Covered Entities. Although the Right of Access provides legal access to a patient’s PHI, this rule is not always followed by covered entities. A 2018 assessment of U.S. hospital compliance with regulations for patients’ access to their PHI found that nearly half of the 83 hospitals in the study did not comply with the patient’s request to obtain their medical records.
  • Patients lack access to data created through their smartphone and other devices. Health data is increasingly generated from an individual’s smartphone, wearable, or voice assistant. These devices are manufactured by companies that do not fall under FDA or HIPAA guidelines. Patients may face difficulties in accessing this data since company privacy policies do not need to comply with HIPAA’s Right of Access.
  • Researchers and patients alike face challenges with merging data. As the volume and variety of health data increases, consumers, companies, and providers are increasingly seeking to merge and aggregate data from different sources. This data may come from HIPAA-covered entities in the form of EHRs or claims data as well as from entities that are not covered by HIPAA in the form of social determinants or genomics data from home kits. The Security Rule dictates that data outside of HIPAA, such as housing or nutrition data, becomes subject to HIPAA rules when a HIPAA covered entity obtains it. But this rule is often unclear to patients, especially when social determinant data is gathered at the population rather than clinical level. This same issue applies to researchers that gather data from companies like Facebook or Google.

Covered entities are allowed to release data for routine reasons like treatment, payment, and healthcare operations. Under the Right to an Accounting of Disclosures section of HIPAA, patients are entitled to request information about when and why their healthcare records were shared for permitted purposes. Patients have more control over how their data is used for marketing communications, research, and other purposes. In these cases, covered entities must receive written consent from patients before sharing data. Additionally, HIPAA aims to ensure that research subjects grant informed consent for use of their data and are aware of how their health data will be used. Programs like the HHS All of Us Research Program and the Million Veteran Program of the Department of Veterans Affairs are precision medicine initiatives that rely strongly on a patient’s willingness to provide their data for research purposes.

What can be improved?

  • Patients are limited in what they can disclose. The HITECH requirement to include Treatment, Payment, and Healthcare Operations (TPO) in the Accounting of Disclosures section of HIPAA has not been implemented yet by the OCR. As a result, patients are not able to see when covered entities may have used sensitive patient PHI for one of these specific uses.
  • Current definitions of Research are unclear. HIPAA defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.” Federal regulation 45 CFR Part 46 provides the framework for informed consent as an ethical principle of human subjects research. However, research is being increasingly carried out in settings that generate data outside the rules required of HIPAA-covered entities. Pharmaceutical clinical trials data, for example, falls outside of HIPAA and may not be appropriately regulated.
  • Lack of consistent opt-in rules for patients. Varying types of sensitive health data, such as mental health or drug addiction information, has created a fragmented approach to what data is shareable and what data is protected. Moreover, patient opt-in and opt-out rules vary widely by state and across healthcare providers for health information exchange. For example, Florida, Nevada, California, New York, Vermont, Rhode Island, and Massachusetts maintain opt-in policies that require patient consent to share data with a qualified Health Information Exchange, but many other states have no such policies.
  • Patients can be confused by Terms of Service Agreements. Health-related data that is managed by an entity not covered by HIPAA is often subject to that company’s privacy policy and terms of service agreements. These agreements can be overly complex or obscure how the company plans to use a patient’s data. Many companies continue to use complex or misleading provisions in their End User License Agreements (EULAs), such as changing the terms and conditions without notification or failing to describe how their product will monitor individuals.

As written and implemented, HIPAA aims to reduce discrimination where possible and minimize the amount of data collected by covered entities. This “Privacy by Design” approach encourages organizations to think about the possible adverse effects of using sensitive data during the initial design phases of a health-related application or program. HIPAA has effective non-discrimination measures, minimizes the amount of patient data gathered, and requires regular privacy impact assessments. These three measures are critical to encouraging the appropriate use of data.

What can be improved?

  • HIPAA should regulate how de-identified data can be used and disclosed. There is a growing possibility that de-identified data, when combined with other big data (such as retail purchases or location information), could be employed by insurance companies to restrict coverage or raise premiums for certain communities. Additionally, the risk of re-identification suggests that de-identified data shared with third parties could be used to discriminate against individuals.
  • HIPAA does not govern entities that gather and share consumer-generated data. An exercise tracker handed out by your doctor or health insurance company is governed by HIPAA, but when you buy it in a department store, HIPAA does not apply. The FTC has taken a more active role in safeguarding consumer-generated health data through its health breach notification rule. Despite this advancement, the rule applies only during breaches and primarily to vendors of personal health records or related entities rather than companies that manage health-related mobile applications and wearables.
  • HIPAA has unclear definitions of incidental and secondary use. HIPAA permits certain incidental uses and disclosures that may occur as a by-product of another, permissible use of data. They are allowed as long as the covered entity has instituted a reasonable set of technical, administrative, and physical safeguards. However, poor definitions of incidental and secondary use can create confusion and hinder accountability for inappropriate uses of health data.