OCR Enforcement Discretion
Due to the nature of the COVID-19 National Public Health Crisis, the Office for Civil Rights (OCR), within the HHS, released a statement regarding its enforcement of HIPAA penalties during this national emergency. The nature of this health crisis has pushed many healthcare operations to be conducted through remote telehealth communication software platforms, most of which are not entirely HIPAA compliant. The decision and statement were made in order to allow providers to use these types of technology to offer the highest quality of service to patients during this time.
In order to slow the spread of COVID-19, there have been stay-at-home orders and recommendations to only leave the house when absolutely necessary. Even when openings have occurred, people with preexisting conditions and caretakers are exercising extreme caution in limiting their interactions. To assist with this, covered entities are looking to meet with their patients virtually, which means using remote communication technologies that are not guaranteed to be HIPAA compliant.
Although these exceptions are being made by the OCR, it is recommended that healthcare providers still alert their patients to the potential risks to protected health information (PHI) that are introduced by these applications. Providers must decide whether the possibility of harm is worth the risk for their organization and for their patients’ trust in them.
Although the OCR has taken steps to allow more telehealth platforms to be used, it has placed one clear restriction on the type of telehealth software that can be used: it must be a non-public facing product. This means that the communication product must default to only allowing the invited parties into the meeting, meaning it most likely uses end-to-end encryption. These services allow the meeting owner to have control over settings like meeting recording and muting the sound or video at any point. Non-public facing products include Apple FaceTime, Google Hangouts Chat, WhatsApp Video Chat and more.
Although this waiver allows covered entities to utilize services that may not be HIPAA compliant, they may still seek to use communication products that are compliant and whose vendors will sign business associate agreements with them. There are vendors who meet these two requirements and are available for telehealth usage: Zoom for Healthcare, Doxy.me, GoToMeeting, Skype for Business and more. Especially given the length of this public health crisis, healthcare providers may be looking for more secure, HIPAA compliant options moving forward.
Post-COVID Future of Telehealth Usage
An unexpected outcome of the COVID-19 public health crisis has been the quick transition to broad usage of a variety of telehealth communication platforms. In the past five months, adoption of these forms of remote meeting has grown in a way that hasn’t happened in the last five years combined. This widespread usage of telehealth medicine will not disappear as quickly as it was introduced. If patients and providers both realize that high quality healthcare can be delivered through digital communication platforms, then that convenience will keep telehealth at the forefront of the industry.
The OCR’s waiver of HIPAA violations for using telehealth communication options is just a temporary solution during this crisis, and is bound to end eventually. Even once this waiver is no longer in effect, however, the impact of telehealth communication on the healthcare industry will still be seen for years down the road. It is likely that we will continue to see the impacts of this public health crisis on telehealth technologies for a long time to come.