The coronavirus has led to relaxed privacy and security regulations regarding HIPAA waivers and tele-health
Despite making headlines since the end of 2019, the coronavirus remains an unpredictable clinical condition that continues to impact every facet of the healthcare industry around the globe to a frightening extent. Stay-at-home orders and societal shutdowns have only mitigated the spread of the pandemic to a degree and have not been successful in preventing hospitals and other care settings from running low on protective equipment such as masks and gloves or life-saving equipment such as ventilators. As more providers seek to use tele-health services as a more convenient and safe way to reach patients at this time, they are also facing a lack of secured digital devices that can be used for this type of care, because access to employer-supported devices is that much more scarce—a reality that is calling into question the ability to remain HIPAA compliant.
After declaring the virus a public health emergency on Jan. 31, the Department of Health and Human Services (HHS) has issued a set of waivers associated with HIPAA regulations effective March 15 that “relax” certain standards and reduce the likelihood of hospitals and providers being penalized for falling short on certain standards. But the waivers do not represent carte blanche, and they may be causing some confusion across the industry, especially as it relates to the practice of tele-health — where HIPAA law has been known to be a sticky point, all pandemics aside.
“The HIPAA waivers issued this week are extremely narrow, and not likely to be of much help to the main issue of how to reach patients and colleagues remotely using unsecured personal devices and computers,” said Alissa Smith, a partner at the international law firm Dorsey & Whitney and co-chair of its Health Transactions and Regulations Practice Group. Smith, who represents health systems, hospitals, pharmacies, long-term care providers, medical vendors, practices, individual providers, and other organizations in the industry, says that providers must be careful before they assume that their care delivery will be protected through the new waivers and will have no negative bearing on their licensure and/or their finances.
HIPAA Waiver Scope
Specifically, the waivers will allow hospitals, for 72 hours during the declared disaster,
- to not hand out the Notice of Privacy Practices to patients;
- to not need patient authorization to speak with family and friends involved in the patient’s care;
- to not be required to give patients an opportunity to opt out of the hospital directory;
- to not need to offer a patient the right to request privacy restrictions, or presumably, to honor a requested restriction; and
- to not have to offer a patient to request confidential communications from the hospital.
The waivers only apply to providers located in the emergency area identified in the public health emergency declaration, and only to hospitals that have implemented their disaster protocol, for up to 72 hours from the time the hospital implements that protocol. According to the HHS, when the emergency declaration ends, hospitals must comply with all requirements of the HIPAA Privacy Rule for all patients under their care, even if 72 hours have not elapsed since implementation of the disaster protocol. Although Smith acknowledges that providers she has been in contact with since the waivers were announced have expressed a sense of relief for the relaxed measures that are being offered, she said that the issue of tele-health brings with it more questions than it does universal answers.
“The main thing I am hearing from my healthcare provider clients is that they are seeking HIPAA related guidance and waivers on how to provide tele-health services to patients using personal devices or other unsecure devices, or for the use of personal devices for provider-to-provider communications for rapid differential diagnosis communication with colleagues outside a particular system,” Smith said.
Generally speaking, HIPAA requires appropriately secured devices to be used, and the use of personal computers and other devices that are not employer issued to access patient information from an electronic health record or to communicate with patients is typically not permitted due to security risks. The waivers do not necessarily change any of this, Smith said. “There are legal risks in general with using unsecured devices, and those risks are that the Office of Civil Rights (OCR) could take action for violations of the HIPAA requirements for the use of secure devices,” Smith said. “The OCR has said that they will not pursue penalties during this emergency declaration period, so that legal risk is off the table – but that doesn’t mean that using unsecured devices is without risk.” Providers who will resort to using personal devices to conduct tele-health services for the foreseeable future should consider following certain safeguards to help avoid litigation.
Addressing Risks Beyond HIPAA Waivers
First and foremost, one significant risk stands out just as it would in the absence of any pandemic: unsecured technology and devices are easy targets for hackers. In fact, Smith believes that the current circumstances created by the pandemic only escalate this specific risk.
“Certainly, hackers have seen the same news about the relaxing of enforcement that everyone in the healthcare industry has, and they could see that as an opportunity to hack into unsecure tele-health sessions and be able to use that information for bad purposes, such as stealing someone’s identity,” she said. “That is a significant risk to patients, and so the OCR is advising that any providers who decide to use their everyday communication technologies, if they don’t have access to an employer-owned secured device in their homes, to first have a conversation with their patients about that risk.” Beyond communicating the risk, Smith said that providers who did face litigation in connection with a patient privacy or security issue would bear a certain burden of proof: they would need to show that they had taken reasonable security measures for their personal devices. Ensuring that personal devices are as secure as possible is a bit of a slippery slope, however. Smith suggests a virtual private network, an encrypted connection over the internet from a device to a network, as a starting point, because encrypted connections can safely transmit data and prevent unauthorized people from “eavesdropping.”
“But if you’re using an unsecured network, you probably want to make sure that you’re not on a public network and that you’re not around other members of the public,” she said. “Due to the state of the pandemic, staying away from the public is easy enough, but whenever possible the provider should speak with an information technology professional about the potential ways to enhance security on a personal device.” Smith also suggests avoiding having tele-health interactions with patients where someone else can overhear the conversation and receiving patient consent to use that specific device. “The patient needs to know [that a personal device was used] because that’s something that the OCR emphasizes – informed consent about the increased risk to privacy. In any case, the provider is going to have to weigh whether it is an urgent enough need for the patient to have the tele-health session, or if the risk for privacy outweighs the need for care. That is a case-by-case decision where consent is going to be key.”
State Law Holds Precedent
Smith also urges providers to consult their respective state’s laws when it comes to considering the HIPAA waivers and conducting tele-health, because professional licensure can be jeopardized if, for instance, one’s state does not allow for out-of-state care to occur virtually.
“There may be some state laws out there that have more restrictions than HIPAA does,” she said. “Simply waiving HIPAA enforcement currently does not impact those state laws. Those state laws would still be in place, unless a particular state government also implemented a waiver.”
Smith said that recent announcements by the Centers for Medicare & Medicaid Services (CMS) about waiving cross-border licensure requirements during the national emergency have contributed to provider confusion. “We’ve received questions about the most recent guidance from CMS stating that it would waive Medicare and Medicaid requirements for cross-state licensure, but that only speaks from a payer perspective, which does not control state licensure or professional licensure bodies and those obligations under state law,” she said. “And those two payers may not even make up the vast majority of payers in the provider’s payer mix. Any provider who is currently providing tele-health services would still need to make sure they comply with state licensure laws in the state where they would be delivering the care – in other words, where the patient is located. Unless state law provides otherwise – and there are some states that will waive those provisions.”
Expanded Tele-Health Use & Focus
As tele-health becomes a more widely used mode of delivering healthcare, Smith anticipates that the pandemic will only accelerate that utilization. This requires providers to be especially careful with how they implement tele-health and associated technologies. But competently attempting to safeguard devices and communicating upfront with patients before proceeding with tele-health can go a long way in establishing defenses against litigation, as can following the guidelines issued for the pandemic.
“Fast-forward to the courtroom, and we are going to want to see that a private room was used, that the patient was informed about any risks and gave informed consent, that the patient understood those risks, and that the conversation was documented when it comes to tele-health,” Smith said. “Anyone can sue for anything, and they do. Following the pandemic guidelines would absolutely be a defense that a provider would use, and it would be a very relevant defense.”