Every HIPAA Waiver Has Its Thorn

Tuesday, June 30, 2020

On March 17, 2020, the Office for Civil Rights (“OCR”) announced that—for the duration of the COVID-19 emergency—it would exercise enforcement discretion and waive any potential penalties for HIPAA violations relating to health care providers’ use of “everyday communications technologies” in the provision of services via telehealth (the “HIPAA Waiver”). This move has resulted in a drastic increase in the number of telehealth encounters. The HIPAA Waiver has enabled many providers to immediately leverage these technologies to render services via telehealth for the first time, without the need to expend significant resources to quickly ramp up a HIPAA-compliant telehealth platform. A summary of the HIPAA Waiver can be found in a recent blog post. While the HIPAA Waiver applies only temporarily, it is likely that the increased reliance on telehealth evidenced over the past three months is here to stay.

The COVID-19 pandemic’s impact on the regulatory landscape of telehealth was the topic of a June 17, 2020 hearing before the Senate Health, Education, Labor & Pensions Committee. As Chairman Lamar Alexander acknowledged during his opening statement, the health care sector and government “have been forced to cram 10 years’ worth of telehealth experience into just the past three months.” Indeed, this “cramming” has resulted in thirty-one temporary changes to telehealth policy at the federal level. Chairman Alexander included the OCR enforcement discretion / HIPAA Waiver among the three temporary changes he considers most important. However, he declined to include the enforcement discretion among the temporary changes he believes should be made permanent, and instead called upon his colleagues to consider whether to extend the HIPAA Waiver.[1]

While some providers may be eager to see the extension of the current waiver, and may even welcome a permanent change to HIPAA, providers should be cognizant of the double standard imposed when seeing patients in person versus using a virtual platform. For example, providers seeing patients in person will be expected to remain in full compliance with HIPAA, despite being afforded flexibility if using a non-secure telehealth platform. If providers elect to utilize “everyday communications technologies” when rendering services via telehealth, they must rely on whatever contractual obligations the technology vendor has undertaken to address any privacy violations. Consequently, private and potentially sensitive information may be intercepted during transmission. Even if the third parties are not malicious, they may use information they intercept to create products, such as advertisements for consumers. For example, a patient or provider could share information about a diagnosis such as a calcium deficiency, and then for the next few days, all of the internet advertisements the patient is presented with concern calcium supplements (you can imagine how this could grow more concerning in the event of a more serious or private issue, such as mental health, SUDS, sexual health, fertility, ESRD and other sensitive diagnoses and treatments). Although OCR may decide not to impose penalties for violations that occur during the good faith provision of telehealth services, a patient whose information was the subject of a HIPAA violation may view a provider as less credible or reputable. Providers must weigh the benefit of providing low-cost telehealth services to patients against the potential harm of not working with a HIPAA-compliant telehealth platform and/or losing a patient’s trust.

Another consideration of which providers should be acutely aware is that many state laws regarding privacy, security, and breach notification have not been waived, or will not continue to be waived, during or after the COVID-19 emergency. While some EHR and other provider software platforms may integrate telehealth into their software to allow easy recordkeeping during virtual appointments, providers using a non-integrated telehealth platform should be aware that the same or similar rules apply regarding recordkeeping and data retention for patients. Up-to-date and accurate recordkeeping will ensure a continuity of care and compliance with law, and may have the ancillary effect of promoting accurate billing.

As we (hopefully) transition to a post-pandemic world, providers should be aware of the potential double standard for patient privacy. For many providers, it may be easiest and less costly overall to confront this double regulatory standard by ensuring full “standard” HIPAA compliance across all health care delivery methods. Providers may consider using this time of OCR enforcement discretion to prepare for investment in better technology and to research and vet vendors that represent themselves as HIPAA-compliant. Additional best practices for providers leveraging telehealth technologies during the pandemic include the following:

  • Using vendors that represent that they are HIPAA compliant and that they will enter into a business associate agreement. OCR has prepared a list of such vendors.
  • Asking patients to confirm they are in a private setting.
  • Documenting patient consent to the use of non-compliant technology and clearly noting that such use was permissible in light of the COVID-19 emergency.