Reminder: Enforcement discretions are not forever.

Among the feds’ top COVID-19-inspired changes is the HIPAA notification of enforcement discretion that relates to the Medicare telehealth expansion. If you’re wondering how to address these relaxed measures in your protocols while maintaining compliance on other fronts, you’re not alone.

Reminder: Over the last few months, the Centers for Medicare & Medicaid Services (CMS) announced an expansion of telehealth benefits for providers and their patients. Due to a myriad of 1135 waivers, the changes have allowed practitioners to offer telehealth visits to patients anywhere, not just in rural areas, and in their homes rather than at a healthcare facility. Site locations used to be a major limiting factor, and that’s why the coronavirus updates are so important.

“Traditionally, under the Medicare program, professional telehealth services are restricted by statute to originating site locations, defined generally as healthcare facilities and physician offices, that are located in rural areas or outside of Metropolitan Statistical Areas (MSAs),” explain attorneys Jacob J. Harper, Eric J. Knickrehm, and Scott A. Memmott with international law firm Morgan, Lewis & Bockius LLP in the Health Law Scan blog. “Medicare beneficiaries generally would not be allowed to receive telehealth services in their home[s].”

Consequently, the popularity and benefits of the temporary telehealth flexibilities have caused many to argue that parts of the expansion should be made permanent.

How HIPAA Fits Into the Picture

In coordination with the Medicare telehealth expansion, the HHS Office for Civil Rights (OCR) issued a HIPAA notification of enforcement discretion.
The agency announced it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency,” OCR said. Under these eased standards, providers are allowed to utilize non-public-facing technologies like FaceTime and Skype in “good faith” for telehealth visits; however, public-facing technologies like TikTok and Facebook Live, which are not private and can lead easily to the loss of protected health information (PHI), are not permitted.

Why Does This Matter?

These unprecedented times have created many unusual policy changes, and the HIPAA notice is no exception. OCR’s alignment with CMS to help bridge the gap for providers and their patients speaks to the dire predicament the healthcare industry is in. Both the telehealth flexibilities and the enforcement discretion offer much-needed relief on all fronts.

Details: In an FAQ set, OCR includes the following essential principles of the notification:

“OCR [also] noted in its FAQs that many platforms employ end-to-end encryption and limit access to authorized participants,” explain attorneys Audrey Davis and Andrew Kuder with national law firm Epstein, Becker & Green PC. “In other words, OCR seems to be comfortable enough with the protections offered by these technologies for the time being.”

Davis and Kuder add, “However, it’s unclear if OCR will remain comfortable in the long-term, as it’s too soon to determine the waiver’s risk to patient privacy and security.”

Know the Basics on ‘Good Faith’ Provisions

Though OCR doesn’t go into great detail on what it considers a “good faith” effort under the notification, it does offer direction on using telehealth in “bad faith.” Using telehealth for nefarious purposes, usurping patients’ PHI for marketing and without authorization, or implementing public-facing apps would all be considered “bad faith” practices and a violation of HIPAA.

The enforcement discretion only works for covered providers if they’re abiding in “good faith” by the OCR’s guidelines. Practitioners should try to keep in line with these provisions. Davis and Kuder advise covered providers to take the following actions:

Bottom line: With the pandemic expected to stretch through next year, organizations should continue to update both their telehealth and HIPAA policies accordingly. It’s a good idea to check HHS, OCR, and CMS updates frequently, with more revisions and changes expected in the coming months.
As always, utilize all of your resources and make HIPAA compliance a priority — even with the enforcement discretion in place.

Resource: Review the OCR FAQs on telehealth and HIPAA at www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.

Disclaimer: Information related to COVID-19 is changing rapidly. This information was accurate at the time of writing. Be sure to stay tuned to future issues of Medicare Compliance & Reimbursement for more information.