The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services has announced relaxation in HIPAA rules for covered entities and business associates who participate in good faith in the COVID-19 testing site operation.
It doesn’t stop there, but HIPAA penalties won’t apply to covered healthcare providers for practicing telehealth medicine using third-party applications such as Skype or Facebook Messenger. OCR exercises its power to stall some of the HIPAA provisions, momentarily, in connection with the good faith provision of telehealth during the state of a national health emergency.
Provided we stand in the middle of an epidemic and our country is under attack, rightly so, such steps seem to be the only way out. Governor, Andrew Cuomo, of New York State, was a constant media personality during this crisis briefing us on developing stories every day. He was relentless in front of an unseen enemy.
The fact is, OCR holds the right to exercise enforcement discretion, and they did so on April 9 in an immediate press release. It goes to show their determination to eradicate the novel coronavirus from the US. Also, it speaks of their active role in the recovery process.
Director OCR, Roger Severino, narrates and I am paraphrasing it; It is time to empower medical practitioners to serve patients across the United States during this public health emergency period. We are concerned about the health of the vulnerable the most, including older Americans and persons with disabilities.
Why the Relaxation in HIPAA Rules?
First, the HIPAA rules were relaxed to provide immediate assistance to healthcare providers, including some large pharmaceuticals and their business associates that would like to participate in community-wide testing site operation. Second, it is officially called the Community Based-Testing Site (CBTS) operation. In short, it involves mobile, drive-through, and walk-up sites where they would conduct COVID-19 specimen collection or testing in abundance.
Before COVID, telehealth products had to follow the HIPAA Privacy and Security Guidelines. Now that this virus has spread all over the country, to stop it, the exception of extreme circumstances comes into play and brings flexibility to those guidelines.
In a time, when doctors are overburdened with the surge of patients, the administrative burden can only add to their worries. Therefore, CMS and OCR on their behalf have given breakthrough in strict conditions.
However, it doesn’t mean that HIPAA has been totally swept under the carpet. The importance of HIPAA cannot be undermined, and risking data is not compensable. It’s just that the strictest rules are made flexible for guanine reasons.
What Products Are Safe for Telehealth Communication?
Providers don’t have to worry about which products to use as long as they are not public-facing software applications. Products like Facebook Messenger, Skype, Apple FaceTime, Google Hangouts, or Zoom are good to go for care audio & video chats.
While you can use the above applications, some applications such as TikTok, Twitch, and Facebook Live come under the public-facing criterion. It means they are not permissible.
Therefore, before dispensing care, use applications in the allowed category.
As the nation is in dire need of healthcare workers, OCR exercises enforcement discretion for care to reach the farthest areas of the country in connection with the good faith provision of telehealth services. It means providers won’t face penalties in case of non-compliance with HIPAA regulatory requirements.
HIPAA Compliant Technology Vendors
Since malpractices in desperate times have their odd way to creep in, it is best to choose technology vendors who are HIPAA compliant. In addition, they should be willing to enter into a business associate agreement (BAA) with the provider. As a result, any audio or video communication that occurs through such vendors will not result in an intrusion or put PHI at risk.
The following list of vendors provide a haven for secure telehealth services; moreover, they are HIPAA compliant and willing to enter into a BAA with covered entities.
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings/Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
Now, that is the list of software for safe and complaint-friendly audio and video communication.
A word by OCR
OCR doesn’t endorse, recommend, or certify the above applications but simply suggests their use for guidance. It has not reviewed the BAAs that they have come up with. In reality, there may be other vendors out there who are HIPAA compliant and willing to enter into a BAA with a covered entity. The names above do not suggest any kind of affiliation with the above-mentioned products.
P3 as a business associate comes under the obligation of HIPAA too. We are, in fact, trying to help our healthcare heroes as best as we can by the use of HIPAA rules. One of our services, security risk analysis, uses HIPAA to conduct a risk assessment of practices. In addition to that, HIPAA medical billing, our principal service, follows the provisions of HIPAA accordingly. As providers make their way out of the pandemic, we are here to support them on every twist.
Please hit the follow button on Instagram for more insights: @p3healthcaresolutions