Laura Ng
Associate Editor
Loyola University Chicago School of Law, JD 2021
The Health Insurance Portability and Accountability Act – enacted in 1996 by the U.S. Congress and signed by then-President Bill Clinton – has long served to maintain standards for electronic health records and patient privacy, among many other provisions. Violating HIPAA can result in both criminal prosecution and steep civil penalties. As the healthcare industry transitioned over the last two decades from paper records to storing patient data in electronic health records, health organizations have learned to adapt to HIPAA compliance, with many expanding their compliance programs by hiring full-time compliance officers, designating an individual as the compliance manager, and/or appointing a compliance committee within the organization.
Telehealth before COVID-19
Until recently, telehealth services have not been especially popular in the United States. A primary reason is the stringent rules for reimbursement of telehealth services. For example, Medicare typically does not pay for teleservices at all (unless the patient lives in a remote area). While many states do require private insurance companies to pay for telehealth services, the laws and reimbursement models vary from state to state, creating a lack of uniformity across the nation. Some states may pay the healthcare provider the same rate as they would for an in-person visit, while others may pay the telehealth provider at a lower rate. Thus, financially, it has often not been feasible or advantageous for healthcare providers to offer their services remotely.
A sudden change
In March of 2020, the landscape of U.S. health offices changed dramatically. Despite healthcare being long viewed as an “essential” industry, the virus shut down healthcare offices and hospitals around the country, resulting in layoffs, closure of practices, and a significant decrease in revenue for healthcare organizations. Many states actually banned hospitals from performing “elective” surgeries completely; such surgeries are not necessarily cosmetic in nature, but are categorized as anything that is not an emergency. Despite the closures, people continued to need medical services throughout the pandemic, and cash-strapped practices needed revenue. Thus, some healthcare organizations have turned to telehealth visits to bring in revenue and serve their patients in need.
Transitioning to telehealth services
For practices that have never utilized telehealth services in the past, the first step is to select a telehealth platform. When selecting a platform, cybersecurity and patient privacy ought to be a top concern.
The Office for Civil Rights (OCR) will not impose penalties for noncompliance with HIPAA as long as the provider is attempting to comply in “good faith.” Nevertheless, it is still critical for the practice to protect patient privacy. Even without governmental penalties, failure to protect patient privacy can cause a loss of reputation and/or patients leaving the practice, which would ultimately be detrimental to the practice. In addition, loss of sensitive data such as Social Security numbers would create significant financial risk (in the form of identity theft or medical identity theft) for the patients. According to the HHS website:
“Covered healthcare providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
Thus, it is not strictly necessary to find a health information technology vendor to host telehealth services, though such vendors may be more readily HIPAA-compliant.
Keeping staff compliant
Aside from the technical considerations of telehealth, it is important to remind staff and providers to respect patient privacy the same as they would in an office. This means not storing patient data in any format that could allow an unauthorized individual to gain access, and transferring information between employees in a secure manner. This can be done via encryption, or by delivering information through secured, HIPAA-compliant patient health portals (usually available through the organization’s EHR company). Healthcare providers should be alone in a private room when conducting the patient visit, so that family members are not walking in and listening to the visit. Finally, should the practice have turnover, it is important to keep up with all the HIPAA and compliance training that normally occurs during new employee onboarding.