How does HIPAA currently govern telemedicine?

The U.S. Department of Health and Human Services defines telehealth as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, public health and health administration.” Telehealth technologies can include videoconferencing services such as Skype and Zoom, internet and chat-related applications, *store-and-forward imaging*, streaming media, and other communications. Telehealth is an increasingly important area for patients, especially in the wake of the COVID-19 pandemic. 

Telehealth is currently governed by the HIPAA Security Rule, which requires that only authorized users have access to a patient’s ePHI, and only through a system of secure communication. When medical information created by a medical professional or a specific organization is stored by a third party, that third party must have a *Business Associate Agreement* (BAA) with that organization. *Business associates* that are responsible for storing *ePHI* must comply with HIPAA standards that provide for external auditing and secure communications. For example, if a patient communicates with a healthcare provider through a Skype call, then, barring a formal agreement with Skype, that information falls outside the purview of HIPAA. If any third-party company, such as Google or Skype, experiences a security breach, both that company and the healthcare provider may be liable for the breach.

Several companies, like Microsoft, have certified select portions of their business, like Skype for Business, as proper telehealth vendors. Moreover, many healthcare providers have incorporated virtual messaging applications into their workflows and into AI chatbots that can quickly communicate with patients. 

What changes have been implemented to HIPAA’s oversight of telehealth in light of COVID-19?

The Coronavirus Preparedness and Response Supplemental Appropriations Act (CARES) has allowed the Centers for Medicare and Medicaid Services (CMS) to revise its interim rules to ensure that members can receive the services they need. The “Telehealth Services During Certain Emergency Periods Act of 2020” grants the HHS Secretary authority to waive or modify certain telehealth requirements during the COVID-19 pandemic.

To help guide the implementation of specific actions, the HHS Office for Civil Rights (OCR) recently issued a set of frequently asked questions addressing the major changes to telehealth during this period. As the HIPAA-enforcement arm of HHS, OCR announced that it will exercise “enforcement discretion” and will not impose penalties for noncompliance with regulatory requirements during the “good faith provision of telehealth” services during the COVID-19 national public health emergency.

As a result, HHS is allowing health providers and their business associates to use HIPAA-compliant platforms such as Zoom, Skype for Business, Google G Suite, Cisco Webex, and GoToMeeting. All communications platforms must be non-public facing, meaning that they employ end-to-end encryption so that only the individual and the party with whom the individual is communicating can see the communication. Public-facing communications platforms such as TikTok, Facebook, and Twitch are therefore not acceptable for these communications. The FAQ sheet points out that if PHI is intercepted during transmission of a telehealth appointment, OCR will not impose the penalty on the provider that it normally would under the HIPAA Security Rule.

How has Medicare adjusted its telehealth policy?

Prior to COVID-19, five key components governed telehealth visits under Medicare: a geographic restriction, the location of the originating site, eligible providers, the modality of the visit, and a restricted list of eligible services. In response to COVID-19, Medicare has relaxed those policies substantially with the following updates:

  • All locations allowed: CMS has waived the rural geographic restriction, which originally limited most telehealth visits to patients located in rural areas. With stay-at-home orders across the United States, Medicare now allows patients in a variety of geographic contexts to use telehealth services.
  • More site locations permitted: Medicare has expanded the range of sites at which patients and providers can be located during telehealth appointments.
  • Expanded eligible providers: CMS has waived restrictions on federally qualified health centers (FQHCs) and rural health clinics (RHCs), which can now serve as fully qualified telehealth providers.
  • Modalities are the same: CMS has maintained the audio-visual modality requirements set out in the CMS Interim Final Rule for COVID-19.
  • Expanded list of services: CMS has increased the number of services it permits, allowing additional services ranging from virtual home visits to emergency consultations under the new final rule.

CMS has also expanded the range of telehealth services provided during the pandemic through the 1135 waiver and currently offers three types of services:

  • Medicare Telehealth Visits: Medicare patients may use telecommunication technology for office visits, hospital visits, and other services that generally occur in person.
  • Virtual Check-ins: Medicare patients may check in with their provider through a standard communication service or by sending images or videos to the provider. These communications are typically initiated by the patient and are paid for by Medicare, so patients can avoid the doctor’s office except for necessary visits.
  • E-Visits: These are established, non-face-to-face communications with doctors through an online patient portal.

Specific Use Case: The AMA Guide to Telemedicine in Practice

This helpful resource from the American Medical Association provides a range of tools and resources for helping practices arrange their telemedicine protocols with patients. “The AMA Digital Health Implementation Playbook series offers comprehensive step-by-step guides to implementing digital health solutions, specifically telemedicine, in practice based on insights from across the medical community. Each Playbook offers key steps, best practices and resources to support an efficient and clear path to implementation and scale.” These playbooks include the Implementation of Telehealth toolkit, Telehealth Workflow Best Practices, examples of workflows, and other key materials. 

For Health Providers, the AMA recommends the following steps:

  • Scope out your telehealth practice: Create a team that can guide you through the telehealth practice and ensure that you’re meeting HIPAA guidelines.
  • Evaluate possible vendors and contracts: After confirming that you can streamline your telehealth practice through your EHR vendor, ensure that your practice understands the parameters of HIPAA compliance and data ownership.
  • Build your workflow: Create a space in your practice for telehealth and train providers and physicians on how best to implement these practices.
  • Inform patients: Let patients know that your practice now accommodates telehealth visits and explain the consent procedures to them. This ensures they’re aware of how these visits work and how their health data is protected.

Policymakers should consult the AMA’s latest updates on telehealth policies and procedures, especially for Medicare providers. 

Key resources to use for telehealth research:

https://www.hipaajournal.com/hipaa-guidelines-on-telemedicine/

https://itsecurity.org/telehealth-and-coronavirus-privacy-security-concerns/