HIPAA

With the national emergency of COVID-19, many health providers are turning to alternative methods of providing health care to their patients. These include phone calls, video conferencing, internet sites, store-and-forward imaging, and streaming media to name just a few specific technologies. All of these technologies can broadly be considered Telehealth, as they are working to promote long-distance clinical health care.

In this middle of this national emergency, many providers sought to provide excellent clinical healthcare while maintaining social distancing. New technologies emerged, and many new and innovative ideas came to life. Now many providers are wondering whether these new innovations are compliant under HIPAA and HiTech certifications.

During the national crisis, you can place your concerns aside. The U.S. Department of Health and Human Services has stated that covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, or Breach Notifications rules that occur in the good faith provision of Telehealth during the crisis. Bad Faith actions would include using Telehealth services to conduct a criminal act, disclosing patient data beyond the Telehealth environment in violation of the Privacy Rule, violations of state licensing laws or professional ethics standards, and the use of public-facing remote communications products such as TikTok, Facebook Live, Twitch, or similar products.

When working with a Telehealth product, you should keep in mind these guidelines:

• Generally, health care providers should conduct Telehealth in private settings.  Providers should always use private settings, and patients should not receive Telehealth services in public or semi-public locations (absent patient consent or exigent circumstances)
• When choosing a Telehealth internet-based platform, be sure that the platform supports both individual user accounts, and the ability to encrypt the services from end to end. Most internet-based platforms offer these options in their services, but validating they are enabled and in use is a best practice for all Telehealth services.
• You should have a Business Associate Agreement (BAA) signed with your Telehealth provider, especially those providing internet-based services.
• Once Telehealth services are enabled, you are required to update your HIPAA Risk Assessment to include the Telehealth services within your overall practice risk assessment.

If you have further questions regarding HIPAA and Telehealth related services, Black Cat Security Partners is available to help answer them. We can also do many parts of the HIPAA Risk Assessment remotely. Please contact us to arrange for your free HIPAA Gap Assessment or to ask your cybersecurity questions.