Insights into HHS COVID-19 HIPAA Waivers and Lasting Implications
HHS and OCR have issued several COVID-19 HIPAA waivers around telehealth and data sharing amid the pandemic. But it’s crucial providers keep privacy and security in focus.
The nationwide public health emergency brought on by the COVID-19 outbreak has led to several Good Faith HIPAA waivers from the Department of Health and Human Services and the Office for Civil Rights. The waivers aim to fuel data sharing and telehealth in support of safe, remote care with fewer physician burdens.
While these efforts are designed to support an increase in telehealth, reduce the number of in-person appointments, and promote data sharing, these waivers come with a host of specifications to ensure privacy and security is paramount.
But more importantly, industry stakeholders have stressed that these waivers could be a sign of a greater shift in how healthcare will be delivered in the US long after the pandemic has ended.
Not only that, but a waiver of HIPAA penalties does not imply lax privacy and security practices. It’s imperative providers understand what these rules mean during the pandemic, as well as measures that need to be put into place when considering taking advantage of these new rules.
AN OVERVIEW OF HHS, OCR COVID-19 HIPAA WAIVERS, CLARIFICATIONS
OCR’s enforcement discretion for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the privacy rule was lauded across the healthcare sector, as it relaxed key elements that would fuel remote care during a time when providers should limit person-to-person contact.
The waiver allows covered providers to potentially use any non-public facing remote, audio, or video communication platforms available to provide telehealth and communicate with patients during the pandemic. OCR will not penalize those providers for using potentially non-HIPAA-compliant tools, regardless of whether or not the service is used to diagnose or treat COVID-19-related conditions.
The notice explained:
“OCR will not impose penalties against covered healthcare providers for the lack of a business associate agreement with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
As a result, providers are permitted to use a host of popular applications to reach patients that would typically not be allowed by HIPAA without a BAA, including Apple FaceTime, Facebook Messenger video chat, or Google Hangouts video, among others.
OCR later clarified its decision, stressing providers must use non-public facing remote communication, as well as the need for end-to-end encryption when using video, audio, or texting applications, regardless of the waiver.
All visits are expected to be conducted in private locations, while providers are also encouraged to first seek platforms with familiarity with HIPAA, when possible. And OCR stressed health insurance companies that pay for telehealth services are not covered by the enforcement discretion.
Following its waiver of telehealth penalties, OCR also lifted penalties for HIPAA noncompliance against providers or business associates over the Good Faith use and disclosures of protected health information during the pandemic.
The move allows business associates to share COVID-19-related data with federal public health authorities and health oversight agencies without first notifying the covered entity. However, the covered entity must be notified within ten days of that data sharing.
“The CDC, CMS, and state and local health departments need quick access to COVID-19 related health data to fight this pandemic,” said OCR Director Roger Severino, at the time. “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”
OCR has also lifted penalties for COVID-19 Community-Based Testing Sites (CBTS), allowing certain covered healthcare providers, such as large pharmacy chains, and business associates to operate a CBTS amid the pandemic.
However, these providers must meet certain specifications, including only using and disclosing the minimum necessary protected health information when needed to disclose PHI for treatment and leveraging secure technologies to record and transmit ePHI.
The last OCR notice clarified how PHI on patients exposed or infected with COVID-19 can be shared with first responders, like law enforcement, public health authorities, and paramedics, while complying with HIPAA.
Under HIPAA, providers are allowed to share of information about patients infected or exposed to the coronavirus with law enforcement, paramedics, and other first responders without an individual’s authorization in certain circumstances. The OCR insights are designed to help providers understand the circumstance in which this type of data sharing is allowed.
Specifically, the OCR stated:
“A covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch (even if it is a covered entity) would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use personal protective equipment (PPE).”
LEVERAGING LENIENCY WITH PRIVACY IN FOCUS
As noted, the telehealth waivers have – and will continue to have – perhaps the largest impact on the healthcare sector. However, providers still need to consider other state and federal privacy requirements that can dictate permissible technology and security requirements regarding privacy practices for new patients, especially if they’re meeting for the first time over the phone, explained Alex Dworkowitz, an attorney and partner at Manatt Health.
For example, at the state level, there may be the need for either written or vocal consent.
“It can be hard to get patients to consent over the phone when you’re meeting for the first time, or on paper,” Dworkowitz said. “Some states and OCR have provided some flexibility in terms of telehealth, and where we’re shifting in terms of healthcare, which may last through the pandemic.”
“Outside of the waivers, it’s important to sort out those federal and state regulations on their own,” he continued. “Just because the federal government is providing discretion, there are still other laws applicable to providers.”
For example, OCR may say it’s alright to use an app that doesn’t comply with HIPAA when communicating with patients. But if there’s a breach and patient information is exposed, the waiver does not prevent the state entity or person impacted from suing the covered entity over privacy and security violations, Dworkowitz explained.
For Robert D. Belfort, attorney and partner a Manatt Health, the enforcement action is about providers acting in good faith, only shirking secure measures when absolutely necessary. It does not mean the covered entity should “throw security out the window.”
Instead, providers should employ policies for when less secure methods are appropriate and be able to show there’s a procedure in place. Belfort stressed that clinicians should be trained on where the appropriate trade-off can occur, which can help prevent some of those potential legal risks outside of federal regulations.
Fortunately, OCR has provided guidance to decrease some potential privacy and security risks posed by these waivers, explained Patricia Calhoun, an attorney with Carlton Fields. Covered entities have been instructed to enable all available privacy and security options for the type of telehealth platform they chose for use during the crisis.
“The guidance encouraged providers to notify patients that the platform being utilized had an increased risk,” Calhoun said. “Following the OCR guidance, even when it is not required, is best practice. And, as always, providers should keep their communications with patients private.”
“For example, providers should not hold telehealth conversations in the hearing of others who are not involved in the care of that patient,” she added. “Providers should notify patients that the platform being utilized has an increased risk. And, providers should continue to exercise routine HIPAA protections including keeping their communications with patients private.”
Belfort added that if a health system has a telehealth portal in place that can be easily accessed by providers, and a provider can access that portal at home, there’s no obstacle to using a secure platform. The gist of the waivers is that if the conditions permit, a secure platform should be used.
But if a doctor is in a hospital, they only have access to their phone, the patient is not in front of a computer, and they only have their phone, it makes the case to use a mobile application. Belfort explained the rule also applies to healthcare providers struggling financially during the pandemic that need remote access, but it’s not reasonable to invest in the tech.
Providers will need to ask: “Are you in a position, on a case-by-case basis, to use a more secure mechanism?”
SECURITY NEEDS FOR RAPID TELEHEALTH DEPLOYMENTS
While the OCR waivers have a key privacy focus, much of the provided guidance stresses the need for appropriate and effective security measures. For Brian Dean, principal security consultant for Secureworks, one key concern is the speed and scale of these deployments for providers who did not leverage telehealth in full before the public emergency.
While these rapid deployments are crucial for safely addressing patient needs during the pandemic, it can inadvertently introduce new risks.
“As they expand or launch new remote healthcare solutions, providers can take advantage of the leniency while also keeping patient privacy and security measures in focus by formally documenting their risk-based, prioritized approach to protecting electronic protected health information,” Dean explained.
“For example, when expediting deployment of remote health solutions, limited testing could result in privacy, security, and operational deficiencies,” he continued. “Providers should identify and introduce controls to manage vulnerabilities and align to HIPAA guidelines in good faith, and then document that good faith effort, as well as have a formal plan for quickly remediating deficiencies.”
To balance the need for increased data sharing, simple best practice cybersecurity measures should be employed. Dean explained that to protect ePHI while practicing distanced healthcare and launching telehealth deployments, providers must formally document the business process flow and the supporting IT or information security infrastructure.
Covered entities should then review the new business model through a privacy, security, and compliance lens, focusing on the risks posed by these new implementations, including an assessment of vulnerabilities being introduce by new remote healthcare solutions, said Dean.
Further, a risk assessment must then be updated to include those new threats, vulnerabilities, and controls to manage that risk.
“For example, if you are implementing a telehealth solution in a retail location, it’s important to consider how ePHI is encrypted during transmission and what physical security protections are in place for devices that are storing, processing and transmitting ePHI,” Dean said.
It’s also imperative to fully grasp what additional protections might be needed for clinicians providing telemedicine in a work from home environment, he explained. “The business process flow documents where ePHI may manifest itself, so the protections also deployed can be holistically documented.”
Lastly, organizations cannot fail to vet any new business associates or third-party service vendors introduced by new remote care tech. Dean explained this will entail reviewing and documenting their security practices through a formal risk assessment, vulnerability tests, and training for supporting staff on how to effectively protect ePHI.
“Waiving the enforcement of the privacy sanctions along with the expansion of the services approved for reimbursement allowed for the rapid adoption of telehealth by providers,” Calhoun said. “Unfortunately, as the number of telehealth transactions grows, so does the attractiveness of the telehealth provider as a target.”
“Telehealth will almost certainly begin to attract more sophisticated cyberattacks,” she added. “That fact makes selecting a secure telehealth platform and putting into place all the recommended cyber and privacy safeguards even more critical.”
PREPARING TO RETURN TO NORMAL OPERATIONS
Predictions aside, HHS and OCR have stressed these waivers will only remain in place during the pandemic. As a result, providers must consider any potential privacy, security, or compliance liabilities and obligations to prevent massive complications in the future.
For Calhoun, providers should work to move into compliance as soon as they’re able. One way to accomplish this is for providers to leverage non-HIPAA compliant vendors for the telehealth visit, only temporarily. As soon as they’re able, covered entities should work to choose a vendor that promises HIPAA compliance and is willing to enter into a business associate agreement with the provider.
“OCR suggested that as one option when it announced that it would waive sanctions for providers who opted to begin telehealth before they had the time to do appropriate due diligence when selecting a vendor,” Calhoun said.
“Now that the initial urgency to start practicing telehealth on a large-scale basis is over, providers should take the necessary steps to bring their practice into compliance,” she added.
Further, given healthcare organizations have been and continue to be a top cyberattack target, Dean explained the leniency given by OCR could have dire security and credibility consequences for an organization and patients, when quickly introducing new remote technology.
As these solutions will likely remain after the pandemic, providers should update compliance and security programs to address the “incremental challenges posed by remote health solutions.” Dean stressed that providers with existing, healthy compliance programs and effective PHI security will merely need to expand the scope of their current programs.
“[However], if your compliance program is weak, expanding healthcare solutions will exacerbate those weaknesses,” said Dean. “Strengthen those compliance programs while introducing the remote health technologies and consider sourcing third-party expertise to shorten the learning curve and provide valuable insight on current threats, vulnerabilities, and mitigation strategies.”
“Building a program to ensure HIPAA compliance is not a one-time project,” he continued. “Programs must adapt as organizational models change, and the expansion of remote health technologies is one of those examples.”
Providers should review available and often free resources to bolster their security and quickly identify gaps in security controls, Dean explained. Federal agencies, OCR, AMA and the American Hospital Association, and Microsoft have all provided free guidance on common vulnerabilities to the healthcare sector amid the crisis.
LASTING IMPLICATIONS
HHS and the Trump administration have stressed that these HIPAA waivers are only in place during the pandemic. However, given the breadth of the impact the measures are having on telehealth, industry stakeholders have noted there’s hope this expansion could fuel a more permanent remote care landscape.
“Whereas before the pandemic, conventional wisdom held that any proposed changes to reimbursement policy would inevitably become mired in bureaucracy, this crisis has already demonstrated that does not have to be the case. Once the scope and severity of the crisis became apparent at the federal level, lawmakers in Congress demonstrated their ability to coalesce around policies that enjoy broad support and, when implemented, should have a dramatic effect on individuals’ ability to obtain needed treatment from their homes via telemedicine.”
Calhoun made similar observations, stressing the pandemic and waivers have increased the acceptance of telehealth for everyday medical care, including support from the providers using the platforms. Indeed, the pandemic has, in essence, spurred a “large-scale trial.”
“Now that the providers have demonstrated the benefits and efficiencies of telehealth… there will be a push to make these changes permanent,” Calhoun said. “However, I do not expect the OCR to change the actual privacy and security requirements. I expect the non-enforcement of sanctions to be fairly time limited.”
The waivers may also permanently alter how patient consent is obtained, Dworkowitz noted. Under HIPAA, a provider typically must provide a written notice of privacy practices to a new patient prior to treatment, even if meeting the patient for the first time via telehealth.
The enforcement discretion will likely launch a deeper discussion into long-term requirements.
Belfort added that the privacy piece for telehealth was fueled by Medicare and Medicaid steadily expanding coverage for telehealth, as well as states. The tech is critical to home care, which will remain a large piece of attempts to save money for Medicaid patients going forward.
These efforts were incredibly active before the crisis began and coupled with the recent push to bring care to patients at home, Belfort noted there could be lasting implications.
“Primary care access for patients is not great, and telehealth is viewed as a big part of solution for the problem,” he added. “I don’t believe we’re going backward on telehealth in general…. this is a one-way directional thing.”
Providers should at least plan for these solutions to remain after the pandemic, as Dean predicts that remote technologies may become the norm for some patient care, which will “likely continue to be used long after the pandemic.”
But not everyone is convinced that these waivers will last beyond the outlined timeframe, as it’s uncertain what the long-term impact of the pandemic will have on privacy. Belfort explained these unknowns include not just waivers, but also the systems that get deployed for contact tracing that may interact with the traditional healthcare system – yet outside of it, in many ways.
Further, the waivers deal more with the administrative sections of the privacy rule and privacy notices, but “don’t really get to the heart of what matters to patients or providers in regulatory scheme.”
As a result, the biggest impact will be on the enforcement of telehealth security. If the plan is for individuals to download apps to trace contact and locations andbe notified of positive tests, Belfort stressed that it will be a huge shift in the landscape and accelerate the need for an update to HIPAA.
“When HIPAA launched, it was more for the EHR vendors and what is regulated by HIPAA,” Belfort said. “With the explosion of healthcare of data over last 20 years, most of that data falls outside of HIPAA. And there’s a growing body of data penetrating through the pandemic outside of HIPAA.”
“It remains to be seen whether states or federal government will [develop a] new regulatory scheme or regulate how that data is used or disclosed,” he added. “If we get to a point where there is more robust data collection, maybe states will step in with absence of federal action.”