On March 6, 2020, the CDC released guidance for Healthcare Providers to prepare for the Coronavirus Disease 2019 (COVID-19). One of the steps listed was to leverage telemedicine technologies.
In February, the Office of Civil Rights released a reminder about HIPAA privacy obligations during the Novel Coronavirus outbreak. Privacy regulations are not set aside during an emergency. HIPPA obligations still apply to healthcare providers while treating patients remotely. Providers may wish to use remote encounters to reduce exposure to their staff and susceptible patients.
How HIPAA May Apply During a Health Emergency
There are three provisions that the Office of Civil Rights highlighted in their February notice that are worth reviewing. The first two require authorization by state law, but the third relies on the discretion of the provider.
In general, reporting about an identifiable patient to the media or to people not involved in the patient’s care may not be done without the patient’s written authorization.
PUBLIC HEALTH AUTHORITIES
HIPAA permits covered entities to provide PHI to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.
PERSONS AT RISK OF CONTRACTING OR SPREADING DISEASE
HIPAA permits disclosure to persons at risk of contracting or spreading a disease if authorized by state law or if authorized by a public health emergency.
DISCLOSURES TO PREVENT A SERIOUS AND IMMINENT THREAT
Healthcare providers may share patient information with anybody as necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or to the public, and consistent with state law and applicable codes of ethical conduct. Thus, providers may disclose a patient’s health information to anyone who is in a position to prevent or lesson the serious and imminent threat, including family, friends, caregivers, and law enforcement without a patient’s permission. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health and safety.
Communicating Protected Health Information Through Email or Text is Likely a HIPAA Violation
The HIPAA Conduit Exception allows transmission of PHI if the conduit does not have access PHI nor do they store copies of the data. They simply act as a path which the PHI flows. The Post Office is an example of a conduit with which a Provider would not have to have a Business Associate Agreement.
If a provider sends electronic Protected Health Information (ePHI) to a patient through text or email, the ePHI is not simply transmitted to the patient, it is held by the service provider. The mobile carrier or the email provider is not simply a conduit for the transmission of the data as the ePHI will continue to reside with the provider. For example, the email would reside on the Google inbox or the text message on the Verizon server.
Unless you have the provider of such service under a Business Associate Agreement, communication of PHI using these methods could be interpreted as a violation.
Does HIPAA Allow Video Telemedicine?
The same requirement for patient privacy and confidentiality that apply for a face to face doctor visit apply to visits conducted remotely over video, and the provider’s responsibilities to protect PHI are the same.
Any video software that a provider uses must provide two-way, end to end encryption. Additionally, the software should not record, save or store video unless the provider is (1) under a Business Associate Agreement and (2) the patient has provided consent for the recording of the session.
To qualify under the Conduit Exception, a vendor cannot store, even transiently, the video passed between the provider and the patient. In contrast, a vendor that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.
Some video services now provide automatic transcription services along with the video. If the audio or transcription service is utilized, it may be stored on the vendor’s server in more than a transient fashion and could affect the determination of HIPAA compliance.
Are Additional Consents Required When Utilizing Telemedicine?
It is a mistake to assume that remote communication of PHI is the same as when the communication is between doctor and patient over a video system. The communication is different than the doctor and patient were face to face in a private treatment room. The provider should ensure that the patient is in a private area or has consented to the people around them who may be able to see or hear the examination.
As stated above, any recording of a telemedicine session must have patient consent (and would likely require the vendor to be under a BAA). Furthermore, the provider should take sufficient steps to confirm the identity of the patient before starting any telemedicine consultation. Finally, informed consent for telemedicine could be a legal requirement in your state or could be a prerequisite or condition of getting payment from the payer. Some states require verbal consent and some require written consent, so be sure to check your local requirements.
Ensure That the Video Provider Qualifies as a Conduit or the Relationship is HIPAA Approved
If you are using a video program with a vendor that you do not have a BAA with, you are using it at risk of a HIPAA violation.
There have been significant penalties levied against providers who have mischaracterized a vendor as a conduit rather than a Business Associate. These violations can arise when the vendor stores PHI on their cloud environment and doesn’t simply provide the end to end communication.
There is debate as to whether applications such as Skype or Facetime are HIPAA complaint, and providers use them at their own risk.
Some providers have HIPAA complaint versions of their service that providers can sign up for, such as Zoom and Microsoft offers a telehealth program on its Azure platform and on March 9, 2020 announced a telehealth program based on its Teams platform.
There are several other commercial options that are specifically designed to be HIPAA compliant with vendors that are willing to enter into a BAA.