Get the facts on ‘good faith’ principles.

With medical review roaring back next month, it’s time to double-check your telehealth compliance — including on the HIPAA front.

Many healthcare providers are confused by the endless policy revisions and fuzzy timelines to address the COVID-19 Public Health Emergency. Under COVID-19, the Centers for Medicare & Medicaid Services has expanded telehealth benefits for many types of providers and their patients. Due to a myriad of 1135 waivers, home health and hospice agencies can furnish telehealth visits to their patients as part of the plan of care (see Eli’s HCW, Vol. XXIX, No. 12-13), although HHAs can’t “count” such visits toward payment. Home health and hospice agencies also may use physicians’ telehealth visits for face-to-face encounter purposes for certification (see Eli’s HCW, Vol. XXIX, No. 15).

Changes to physician payment and regulation allow practitioners to offer telehealth visits to patients anywhere, not just in rural areas, and in their homes rather than at a healthcare facility. Site locations used to be a major limiting factor for doc visits, and that’s why the COVID-19-inspired changes are so important.

“Traditionally, under the Medicare program, professional telehealth services are restricted by statute to originating site locations, defined generally as healthcare facilities and physician offices, that are located in rural areas or outside of Metropolitan Statistical Areas (MSAs),” explain attorneys Jacob J. Harper, Eric J. Knickrehm, and Scott A. Memmott with law firm Morgan, Lewis & Bockius in the Health Law Scan blog. “Medicare beneficiaries generally would not be allowed to receive telehealth services in their home[s].”

See How HIPAA Fits Into the Picture

In coordination with the Medicare telehealth expansion, the HHS Office for Civil Rights issued a HIPAA notification of enforcement discretion.
The agency announced it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” OCR said. Under these eased standards, providers are allowed to utilize non-public-facing technologies like FaceTime and Skype in “good faith” for telehealth visits; however, public-facing technologies like TikTok and Facebook Live, which are not private and can lead easily to the loss of protected health information, are not permitted.
“OCR [also] noted in its FAQs that many platforms employ end-to-end encryption and limit access to authorized participants,” explain attorneys Audrey Davis and Andrew Kuder with national law firm Epstein, Becker & Green. “In other words, OCR seems to be comfortable enough with the protections offered by these technologies for the time being.” Davis and Kuder add, “However, it’s unclear if OCR will remain comfortable in the long term, as it’s too soon to determine the waiver’s risk to patient privacy and security.”

Marketing Use Of PHI Is A No-No

Though OCR doesn’t go into great detail on what it considers a “good faith” effort under the notification, it does offer direction on using telehealth in “bad faith.” Using telehealth for nefarious purposes, usurping patients’ PHI for marketing and without authorization, or implementing public-facing apps would all be considered “bad faith” practices and a violation of HIPAA. The enforcement discretion only works for covered providers if they’re abiding in “good faith” by the OCR’s guidelines. Practitioners should try to keep in line with these provisions.

Davis and Kuder advise covered providers to take the following actions:

Utilize clinical expertise: Exercise professional judgment on a case-by-case basis as to whether telehealth is appropriate for the specific patient under their specific circumstances.

Manage apps: If use of HIPAA-compliant technology is not possible, use a technology platform included in OCR’s list of “non-public facing” remote communication products in its published FAQs (and, similarly, avoid those technologies OCR identifies as unacceptable).

Explain the risks: At the beginning of the service, inform the patient of the privacy risks associated with use of the relevant technology.

Implement IT: If the technology offers any encryption or enhanced privacy settings, ensure those settings are enabled.
Find a private place: Render telehealth services from private locations and ask that patients locate themselves in a private setting if possible. If the patient cannot be in a completely private location, the provider should speak in a lowered voice and ask that the patient do the same (or ask if the patient would rather reschedule).

Know states’ laws upfront: Ensure that you are not violating any state licensing laws if rendering services to a patient located in another state. While some of these laws may currently be waived, it is important to check for updated information from the relevant state licensing board prior to rendering services to someone located in another state.

Bottom line: With the pandemic expected to stretch through next year, providers should continue to update both their telehealth and HIPAA policies accordingly. It’s a good idea to check HHS, OCR, and Centers for Medicare & Medicaid Services updates frequently with more revisions and changes expected in the coming months. As always, utilize all of your resources and make HIPAA compliance a priority — even with the enforcement discretion in place.

Note: Review the OCR FAQs on telehealth and HIPAA at www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.