Privacy and Security Considerations for Telehealth Use During COVID-19 Public Health Emergency
Health & Life Sciences 03/31/20 Meghan C. O'Connor, Katea M. Ravega
Regulators are responding to the COVID-19 public health emergency by increasing flexibility for patients and providers wanting to use telehealth as a mode of providing or accessing health care. The expanded use of telehealth and other virtual care services during the COVID-19 pandemic offers opportunities to protect patients and providers. However, increased reliance on telehealth is not without data privacy and security considerations. We outline some of those considerations in this client alert.
Use of Technologies That Do Not Fully Comply With HIPAA. In general, telehealth visits or any other telehealth services cannot be conducted using technology that does not meet all applicable data privacy and security requirements. For example, business associate agreements are usually required with IT vendors, and the communication from end-to-end must be private, secure, and comply with applicable state and federal laws. Because of the requirements that apply to technologies that transmit and receive protected health information, and the relationships between the providers and the technologies, if the technology cannot meet the requirements, then that service cannot be used as a telehealth technology vendor.
On March 17, the US Department of Health and Human Services Office for Civil Rights (OCR), the agency responsible for enforcement of HIPAA and other federal civil rights law, announced implementation of waivers that ease data privacy and security requirements to allow telehealth visits to occur using technologies that were previously prohibited. OCR followed this up with a March 20 notification with frequently asked questions addressing the planned use of enforcement discretion. While the regulatory flexibility is limited to primarily direct-to-consumer ("DTC") scenarios and privacy and security considerations remain, the notification and FAQ provide important flexibility for DTC telehealth services during the COVID-19 public health emergency.
OCR Enforcement Discretion. OCR has exercised its enforcement discretion and will waive potential penalties for HIPAA violations against health care providers that serve patients through several everyday communications technologies during the COVID-19 public health emergency. This does not mean that any technology is allowed and it does not mean that other requirements are waived. Rather, the waiver means that the types of barriers listed above will not apply during this public health emergency to specific technologies that are normally prohibited from being used for telehealth visits with patients.
The notification provides additional guidance that HIPAA covered entity providers may use technology to provide “good faith” telehealth services to patients (including federal beneficiaries) in a manner that complies with the Notification—but otherwise does not comply with HIPAA—during the public health emergency. The notification does not apply to payers or to telehealth services that are not direct-to-consumer. The notification has no expiration date at this time.
This exercise of discretion applies nationwide to widely available non-public-facing remote communications technology. Examples of the newly eligible technologies include:
- Facebook Messenger
- Google Hangouts
These and similar technologies may be used in good faith for any telehealth treatment or diagnostic purpose that a provider believes, in his or her professional judgment, can be provided using telehealth under the circumstances. The telehealth service does not have to be directly related to COVID-19.
However, the public-facing versions of these services, such as Facebook Live, or different public-facing services like TikTok, still cannot be used for telehealth services.
While OCR enforcement discretion allows some much-needed flexibility during this public health emergency, it does not waive state law or other federal law that defines telehealth privacy and security obligations (outlined below). It also does not waive any technical requirements necessary for providers to obtain reimbursement for the provision of telehealth serveries through such technology. We have seen CMS and some states take action to waive or relax certain requirements, and it is possible that we may see additional action on the state or federal level (or payers) to ease privacy and security telehealth requirements.
Business Associate Agreement Not Required. Business associate agreements with these vendors are not required, and providers will not be penalized by OCR for using less secure products in their effort to provide the most timely and accessible care possible to patient during the public health emergency.
However, providers may still seek assurances from vendors regarding safeguarding of patient and provider confidential information, including any obligations imposed on providers under state health information privacy or security law, PCI DSS, CCPA, or 42 C.F.R. Part 2. Providers engaging new vendors should carefully review contracts, as vendors new to the health care telehealth space may not be accustomed to limitations and standards in the health and life sciences industry (e.g., monetization and offshoring of data).
Privacy Laws Still Apply. The enforcement discretion does not waive all state and federal privacy law obligations, but providers do have some flexibility related to HIPAA Privacy Rule, Security Rule, and Breach Notification Rule compliance. While OCR will assess each situation with a facts and circumstances analysis, the notice gives examples of when OCR will not pursue otherwise acceptable penalties (e.g., breaches involving interception of PHI during transmission or hacking that exposing telehealth session PHI) when such incidents resulted from good faith provision of telehealth services during this emergency.
Providers should consider applicable state law (e.g., obligations for encryption, consent, breach notification), as liability may exist under state law for insufficient security safeguards or inappropriate access or interception of personal information. In addition, OCR’s enforcement discretion applies to HIPAA, but it does not apply to violations of 42 C.F.R. Part 2 (e.g., no waiver of SAMHSA enforcement discretion related to interception of Part 2 data via an unsecure platform). For more information on SAMHSA’s guidance related to COVID-19 and Part 2, click here.
Recordkeeping obligations are not waived under the enforcement discretion, and providers should plan for maintaining records despite the use of more technologies. Prior to implementing new technologies, providers should consider how the provider and vendor will store telehealth visit information, including any video, audio, or text from the encounter. Providers should be prepared to adapt to different functionality and options with the various technology vendors. It may be helpful to document the specific technology used to communicate with each patient so patient visits can continue while privacy team members assess specific technology functionality and relative effect on the backend of the privacy process.
Remote Connectivity, IT Infrastructure, and Vendors. Many providers and physician practices are not equipped to support large-scale use of telehealth, and implementation comes with required hardware, a learning curve, training, and patient engagement. Once implemented, providers should consider whether existing telehealth policies and procedures adequately address current public health emergency needs and existing recordkeeping and patient care needs.
Providers should consider additional implications of increased reliance on telehealth technology, including whether remote connectivity capacity and IT infrastructure can support increased volumes. Consider sufficiency of concurrent licenses and subscriptions as well as bandwidth capabilities to substantially increase telehealth services (particularly video). Acute hospital settings built to life safety code standards do not offer ideal Wi-Fi connectivity for quality connections. In addition to new patient encounters, also consider continuing remote patient monitoring needs and security obligations. For more information, see the National Cybersecurity Center of Excellence Security Telehealth Remote Patient Monitoring Ecosystem Project.
Now is an appropriate time to consider whether their existing telehealth vendors can support increased services, including any necessary support and maintenance services. Existing arrangements may need to address changed uptime needs and SLAs (see vendor discussion above).
Prepare for Cyber Threats. Providers should review security safeguards deployed on telehealth technology, as these technologies will almost certainly see an increase in security incidents. Providers and telehealth technology vendors should be prepared to detect threats, respond to cybersecurity events, and recover from detected cybersecurity events, particularly in acute care settings. This increased cyber risk can be addressed with some of the steps outlined here. For example, take advantage of good security hygiene, strong access controls, bandwidth, security of connection and transmission, and physical safeguards to address the space surrounding the provider.
For more information, including types of service, applicable HCPCS/CPT codes, required patient-provider relationships, and selecting a vendor, please see the US Department of Health and Human Services Centers for Medicare and Medicaid Services’ March 23 telehealth toolkits for providers—general practitioners and ESRD providers —and the Quarles & Brady COVID-19 telehealth alerts.
The Quarles & Brady Health Information Technology, Privacy & Security Team is closely monitoring privacy and cybersecurity developments related to expanded use of telehealth during the COVID-19 pandemic, and can offer guidance on privacy and security issues to clients seeking to expand current telehealth resources or implement new resources during the public health emergency.
For additional questions, contact your Quarles & Brady health law attorney or: