Originally published to MedCity News on April 27, 2020 by ARUNDHATI PARMAR


Doctors, lawyers, data privacy and security experts weigh in on the future of HIPAA after rules have been relaxed to better tackle the public health crisis that Covid-19 represents.

Dr. Ratul Chatterjee, an independent primary care physician in Huntington Beach, California, would like to banish HIPAA in its current form, although he readily admits that his is a radical, politically incorrect position. He charges that health IT companies, lawyers and lobbyists have made millions from HIPAA, while blaming the 1995 law for a variety of ills, including physician burnout and lack of efficiency.

“HIPAA is a big part of EHRs,” he declared in a recent phone interview. “They are very interconnected and EHRs without HIPAA would be way simpler. Whatever you could do in a straightforward manner, HIPAA makes it much more tortuous. So it has made workflow more complicated. Whatever you could do in one click, because of HIPAA it takes 10 clicks.”

Not surprisingly, the sudden loosening of HIPAA rules — the Office for Civil Rights (OCR) announced, among other changes, that it will not enforce HIPAA violations against providers who use certain non-public telecommunications platforms that do not comply with the law to care for patients during Covid-19 — is like manna from heaven to Chatterjee.

Recently, an 87-year-old patient of his suffering from difficulty breathing was saved a trip to the ER because he was able to talk to her briefly on the phone, diagnose her with bronchitis and then have the pharmacist deliver the medication directly to her home.

“An 87-year-old woman who had no ride and three days later would be in the ICU because of lack of timely medication start, now with HIPAA [relaxed], she can get treatment within an hour in [her] house,” he marveled. “And so disease progression is halted and that equals better health and lesser healthcare costs.”

Chatterjee is using a mix of phone calls and video calls through Zoom or FaceTime to keep in touch with more than 1,000 patients — roughly 200 of whom are concierge patients. But despite his aversion toward the law enacted in 1996, Chatterjee knows that Covid-19 will not be a death-knell to HIPAA. Nor does he believe that the switch that has been turned off in the throes of a public health calamity will simply be switched on again to bring back the glare of HIPAA. Rather what he hopes the pandemic forces is a reevaluation of the law.

“Look for the 10 worst violations of HIPAA and then find matched rules for those types of cases and not a blanket rule for everybody,” Chatterjee proposes to regulators. “Similar to the Covid-19 [economic] reopening, it’s not a blanket reopening but study it first, and then see the risks and then open it.”

Here’s how Roger Severino, director of the Office for Civil Rights at the U.S. Department of Health and Human Services responded when asked whether providers can continue to use FaceTime, Zoom and Skype after the public health emergency subsides.

“Telehealth likely will continue to be a valuable tool for providing health care, particularly for patients who, for example, may not have reliable transportation to a doctor’s office for appointments. However, the use of remote communication technologies for telehealth poses privacy and security risks to patients’ health information that can be minimized through compliance with the HIPAA Rules,” Severino wrote in an email forwarded by an OCR spokeswoman. “That is why, when this public health emergency abates, covered health care providers, like all covered entities, should execute business associate agreements (BAA) with non-public remote communication app vendors that will have access to protected health information.”

In other words, it’s all kosher provided BAAs are signed with Apple, Zoom, Microsoft and whatever other platforms providers would like to use. But don’t even think of using Facebook Live, Twitch or TikTok, because the HIPAA loosening does not extend to platforms like TikTok and Facebook Live. An Apple spokeswoman didn’t respond to questions on whether the company has noticed an uptick in providers using its platform to deliver care.

Data experts believe that privacy concerns, while tempered at this national moment of crisis, will return to the fore once the virus comes under greater control.

“I would see there would still be some oversight — even if a tipping point has occurred with respect to adoption of technology and we don’t go fully back to the old ways — I would still see the OCR and the others that are still enforcing HIPAA … would still require certain assurances that the technology is reasonably secure,” said Chris Bowen, founder and chief privacy & security officer at ClearDATA, which produces secure cloud computing for healthcare, in a phone interview.

But Bowen also believes that the crisis will lead to greater care being delivered closer to home and HIPAA will need to accommodate that shift.

“You have regulators in the European Union, you have FTC, you’ve got others saying, ‘Hey if this is designed appropriately for confidential conversations between a mom and her child talking about whatever, then it’s not unreasonable for mom to have a conversation with her doctor about a specific thing, is not a big, huge leap,’ ” Bowen said. “Now when you get that data from that device, then, of course, you have to make sure that it is protected, it’s hardened, it’s adherent to the rules. It’s gotta be focused on that compliance and that security. But we can start that closer to the patient than we have done in the past and I think that time has come.”

The real challenge will be in data security. As telemedicine adoption has increased manifold during Covid-19, so have the different ways a cyber attack can be lodged, said Greg Garcia, executive director for the Cybersecurity Working Group, part of the Healthcare Sector Coordinating Council, a public-private partnership created by executive order in 1998.

“Everybody who populates this working group, including clinicians and cybersecurity people who work at hospitals, recognizes that relaxations of telemedicine controls can result in more vulnerabilities,” Garcia said in a recent phone interview. “The more you open up your lines to communication, the bigger your attack surface.”

Still, he believes that it’s a necessary move to keep the “worried well from running to the hospital.”

And once people become used to using tech platforms to reach their doctors, what happens to the balance that HIPAA tries to strike between privacy, data security and convenience?

“When you look at the last few years, there has been a general interest and trend of CMS and HHS looking for ways to expand telehealth more broadly,” said Steve Pine, partner in the healthcare practice at K&L Gates, a law firm. “With a lot of the alternative payment models that have been generated in the last few years, you see things like when providers participate in those models, CMS tried to build in additional flexibilities for telehealth where otherwise it wouldn’t have been permitted under CMS rules.”

And it’s not just Chatterjee, the Southern California doctor who has a mix of concierge, Medicare and PPO patients, who is tapping into the flexibility afforded by the move toward telehealth. On the flip side, a high-touch primary care physician group that has 80,000 Medicare, Medicare dual-eligible and Medicare Advantage patients has also seen its telemedicine adoption climb.

“At this point it’s been mostly telephone — we work with an older population, some of whom aren’t as tech-savvy as the younger generation, but we’ve also started working with Doxy.Me,” said Dr. Oloaluwa Fayanju, senior medical director, Oak Street Health, based in Chicago.

Doxy.Me is one of the few tech vendors named in the Office for Civil Rights notice as a HIPAA-compliant platform, though OCR took pains to note that listing vendor names is not an endorsement.

Fayanju, though not an expert in the intricacies of HIPAA, believes that communications tools and third-party apps carry privacy risks, but that providers should use all the encryption and security features available to deliver care and convenience while ensuring data safety.

“HIPAA is a law that preceded our wide adoption of cell phone technology. It certainly did not include any significant amount of video technologies — like Facetime, Facebook messenger, Google Skype, Zoom — none of these things existed when HIPAA was enacted,” Fayanju said. “I think there is a saying, ‘Never waste a crisis’ and I think this is an opportunity for us to reinvigorate HIPAA to ensure that it is now a law that reflects a new age and this [pandemic] is forcing that and I think that is a boon for our patients and our overall healthcare system.”