Providing thought-provoking leadership, workplace and community insights.

We understand how time constraints conflict with your need to follow industry trends. Please
subscribe here and we’ll notify you when we periodically post articles and news briefs.

    COVID-19 Reshaping Telehealth Privacy Landscape

    COVID 19 telehealth
    • Published
    • 14 April 2020
    • Category
    • General

    By Brittany Busse MD

    The Office for Civil Rights (OCR) in the U.S. Department of Health and Human Services is waiving penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA) by health care providers in connection with good faith efforts to use telehealth communication technologies to reach patients during the COVID-19 emergency.

    OCR guidance on telehealth remote communications allows providers to use applications such as FaceTime and Skype, as well as WhatsApp, Google Hangouts, Facebook Messenger and a variety of other platforms to provide COVID-19-related encounters.

    In a press release, OCR Director Roger Severino explains why enforcement has been relaxed: “We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

    As a physician who uses telehealth and telemedicine applications to care for injured workers, I believe there are many positive aspects to this development, including increased comfort with the technology. However, some unintended consequences may be overlooked in the excitement to take advantage of this unprecedented opportunity to reach the masses.

    One of my concerns is that personal privacy could be eroded if we move forward with unproven or poorly secured technology. Given the intense demand for solutions to help stop the spread of COVID-19, there are likely to be vendors who offer quick fixes without sufficient regulatory oversight or privacy-and-security controls.

    HIPAA Intent

    HIPAA was enacted in 1996. The primary intent was to help people maintain their insurance coverage. However, HIPAA has become synonymous with protecting patient privacy and ensuring medical record security. Several regulations were added to the act in 2005 to limit access to electronic records and prevent unauthorized access to protected health information (PHI) that identifies and links individuals with their medical status. Safeguards include:

    • Limiting users and user groups
    • Controlling user access by role
    • Using audits to track access to PHI

    Health care providers and vendors who supply electronic services for storing and transmitting PHI must comply with these standards to prevent misuse and abuse of information.

    COVID-19 Response

    Under the OCR guidance, health care providers using everyday communication mechanisms to reach patients during the pandemic may do so without fear of HIPAA penalties if they act in good faith when caring for all patients – whatever their medical condition may be. “In good faith” means they believe they are doing what is right, honest or legal, and of potential benefit to another person.

    When medical professionals use telehealth platforms to connect with patients, they are primarily focused on the value of the encounter. They may be less concerned about potential security breaches and the risk of PHI falling into the hands of those who should not have access to it.

    Takeaway: Act in Your Own Best Interest

    Health care providers and consumers who educate themselves about vendor track records on privacy and security are protecting themselves until HIPAA enforcement resumes – and most likely far beyond that time. Without such precautions, it probably won’t take long for messages pertaining to personal health conditions to pop up along with ads connected to sports, fashion or travel preferences. And that is only one relatively innocuous indicator of how PHI may be used. Others who gain access may have more malicious interests.

    As a physician who embraces technology to provide compassionate care, I believe it’s in the best interest of my patients to use platforms with proven security and privacy safeguards. It’s even more important in times of crisis to look out for the privacy of those most at risk to be taken advantage of in the long run.

    Brittany Busse, M.D., is Associate Medical Director-Telemedicine, at WorkCare. Click here to access her recent presentation on Protecting Employee Mental Health During a Crisis.

    Let’s Talk Business.

    Please submit this form to contact our team! We look forward to learning about your occupational health needs.