MDS Alert

Health Information Security:

Continue to Prioritize Resident PHI During Pandemic

While telehealth is a boon for safety and convenience, it can be problematic, too.

The many changes enacted by the Centers for Medicare & Medicaid Services (CMS) to help minimize transmission during the COVID-19 pandemic may feel like a lot to navigate. Some changes, like the expansion of the rules surrounding acceptable and appropriate uses of telehealth for Medicare beneficiaries, are quite handy for elderly folks and those with compromised immune systems.

However, the revisions have been frequent and sometimes vague. Keep reading to get a handle on some important things to keep in mind when helping residents utilize telehealth services from your facility.

Understand Location Changes

In response to the pandemic, CMS has announced myriad 1135 waivers, which have allowed practitioners to offer telehealth visits to patients anywhere, not just in rural areas, and in their homes rather than at a healthcare facility. Nursing facility residents have also had expanded access to these services.

Site locations used to be a major limiting factor, and that’s why the COVID-19-inspired changes are so important. “Traditionally, under the Medicare program, professional telehealth services are restricted by statute to originating site locations, defined generally as healthcare facilities and physician offices, that are located in rural areas or outside of Metropolitan Statistical Areas (MSAs),” explain attorneys Jacob J. Harper, Eric J. Knickrehm, and Scott A. Memmott with international law firm Morgan, Lewis & Bockius LLP in the Health Law Scan blog. “Medicare beneficiaries generally would not be allowed to receive telehealth services in their home[s].”

Consequently, the popularity and the benefits of the temporary telehealth flexibilities have caused many to argue that parts of the expansion should be made permanent.

Tracey Moorhead, president and CEO of the American Association of Post-Acute Care Nursing (AAPACN) in Denver, notes, in a letter to the Coronavirus Commission for Safety and Quality in Nursing Homes, that supporting “continued, permanent access to telehealth” would be a best practice for improved care delivery for residents before, during, and after an emergency like the COVID-19 pandemic.

Don’t Forget HIPAA Responsibilities

In coordination with the Medicare telehealth expansion, the HHS Office for Civil Rights (OCR) issued a HIPAA notification of enforcement discretion. The agency announced it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

Under these eased standards, providers are allowed to utilize non-public-facing technologies like FaceTime and Skype in “good faith” for telehealth visits; however, public-facing technologies like TikTok and Facebook Live, which are not private and can lead easily to the loss of protected health information (PHI), are not permitted.

Note These Parameters

Details: In an FAQ set, OCR includes the following essential principles of the notification:

  • It applies to all covered healthcare providers who provide telehealth services.
  • Covered providers can use “professional judgment” to determine the services they offer through telehealth, and those services will be covered under the enforcement discretion.
  • It pertains to all patients without limitations, including those who do not have Medicare or Medicaid benefits.
  • When covered providers utilize telehealth in “good faith” during the PHE, they will not be penalized for HIPAA Privacy, Security, or Breach Rule violations.
  • It only concerns telehealth during the PHE; therefore, HIPAA compliance should still be maintained in other care situations.
  • There is no expiration date; OCR will issue a notice to end the enforcement discretion.

“OCR [also] noted in its FAQs that many platforms employ end-to-end encryption and limit access to authorized participants,” explain attorneys Audrey Davis and Andrew Kuder with national law firm Epstein, Becker & Green PC. “In other words, OCR seems to be comfortable enough with the protections offered by these technologies for the time being.”

Davis and Kuder add, “However, it’s unclear if OCR will remain comfortable in the long-term, as it’s too soon to determine the waiver’s risk to patient privacy and security.”

Get a Handle on What ‘Good Faith’ Entails

Though OCR doesn’t go into great detail on what it considers a “good faith” effort under the notification, it does offer direction on using telehealth in “bad faith.” Using telehealth for nefarious purposes, using residents’ PHI for marketing without authorization, or implementing public-facing apps would all be considered “bad faith” practices and a violation of HIPAA.

The enforcement discretion only works for covered providers if they’re abiding in “good faith” by the OCR’s guidelines. Practitioners, including nursing facilities helping their residents utilize telehealth tools, should try to keep in line with these provisions.

Davis and Kuder advise that covered providers take the following actions:

  • Utilize clinical expertise: Exercise professional judgment on a case-by-case basis as to whether telehealth is appropriate for the specific individual under their specific circumstances.
  • Manage apps: If use of HIPAA-compliant technology is not possible, use a technology platform included in OCR’s list of “non-public facing” remote communication products in its published FAQs (and, similarly, avoid those technologies OCR identifies as unacceptable).
  • Explain the risks: At the beginning of the service, inform the resident of the privacy risks associated with use of the relevant technology.
  • Implement IT: If the technology offers any encryption or enhanced privacy settings, ensure those settings are enabled.
  • Find a private place: Render telehealth services from private locations, making sure residents are in a private setting, if possible. If the resident cannot be in a completely private location, the provider should speak in a lowered voice and ask that the resident do the same (or ask whether the resident would rather reschedule).
  • Know states’ laws upfront: Ensure that you are not violating any state licensing laws if the resident in question is seeing a provider located in another state, though this is a responsibility of the provider. While some of these laws may currently be waived, it is important to check for updated information from the relevant state licensing board prior to rendering services to someone located in another state.

Bottom line: With the pandemic expected to stretch through next year, organizations should continue to update both their telehealth and HIPAA policies accordingly. It’s a good idea to check HHS, OCR, and CMS updates frequently, because more revisions and changes are expected in the coming months. As always, utilize all your resources and make HIPAA compliance a priority — even with the enforcement discretion in place.

Resource: Review the OCR FAQs on telehealth and HIPAA at www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.

Disclaimer: Information related to COVID-19 is changing rapidly. This information was accurate at the time of writing. Be sure to stay tuned to future issues of MDS Alert for more information.