TeleHealth, Remote Communications, and HIPAA
by Chris Bowen
Chief Privacy & Security Officer and Founder
Last week, the Department of Human Health Services (HHS) made an important announcement stating potential penalties for HIPAA violations against healthcare providers that serve patients through everyday communication technologies during the COVID-19 nationwide public health emergency are waived. These “everyday communications” include iPads, apps like zoom or FaceTime, and other mobile communication methodologies.
As someone who has spent a career, and founded a company championing HIPAA to protect patient privacy, how do I feel about this?
Why? Thinking about the coronavirus pandemic, the Notification of Enforcement Discretion on telehealth remote communications opens the floodgates for patients who cannot get to a doctor’s office to seek care. It also allows doctors to immediately expand their ability to treat patients using the tools patients already have in their homes. For emergencies like this, it’s definitely the right move. The OCR has enabled doctors to treat patients where the patient is, without the fear of penalty.
This is not the OCR saying we have a problem that is too big to address within compliance frameworks. This is them saying if a doctor needs to speak directly to a patient in a nursing home to assess if she likely has COVID-19, they can talk in real time, right now, when every second matters via whatever means they have to do so. That’s the right decision.
The OCR has enabled doctors to treat patients where the patient is, without the fear of penalty because FaceTime may not be wrapped in a BAA or certified for use with medical care. Right now, time is the enemy. Anything we can do to provide care more effectively to those who need it, the better.
This does not, however, mean safety and compliance are the most recent victims of this sweeping virus. HIPAA has in no way been weakened by this decision, and still applies to everything that provider does with the information they get from that patient. What that doctor learns about that patient will be entered in the electronic medical record, with security and compliance requirements in place. ClearDATA will still protect that provider’s data in the public cloud with the same vigilance and scrutiny as always. We will be running the same 24/7 safeguards and will advise that provider if anything is amiss or out of compliance, and we will remediate.
And when this COVID-19 crisis has passed, the HHS may lift this waiver and return to the more stringent requirements, which incidentally, might also be the right decision.
Does this mean it’s impossible to use emerging technologies in telehealth scenarios via in-home and mobile technologies? Not at all. In fact, many ClearDATA customers are already in compliance with these, innovating on the cloud securely and within compliance frameworks from HIPAA to GDPR.
We have multiple payer organizations that are using in home devices or portals on mobile devices to better communicate with patients from wherever that patient is as these organizations strive to make care and services more timely and personal.
Together we can all work for better outcomes that use the tools and technologies at our fingertips, and save lives. And, increasingly, we can prepare our organizations to do so with best in class privacy, security, and compliance.
Find this topic interesting? Learn how Synzi uses ClearDATA on AWS to Ensure Compliance for their Virtual Care Platform - read the case study.