Telehealth Services Expanded and HIPAA Enforcement Relaxed During Coronavirus Public Health Emergency
In an effort to prevent the spread of the 2019 novel coronavirus, patients suspected of being exposed to the virus and individuals with symptoms of COVID-19 have been told to self-isolate at home. It is essential for contact to be maintained with people at risk, especially seniors and people with disabilities.
Telehealth services, including video calls, can help healthcare professionals assess and treat patients remotely to reduce the risk of transmission of the coronavirus. Telehealth services can also be used to maintain contact with patients who choose not to visit medical facilities due to the risk of exposure to the virus.
On Monday, March 16, 2020, the Trump Administration announced that telehealth services for Medicare beneficiaries have been expanded. Prior to the announcement, doctors were only able to claim payment for telehealth services provided to people living in rural areas and no access to local medical facilities and for patients with established relationships with billing providers.
“We are doing a dramatic expansion of what’s known as telehealth for our 62 million Medicare beneficiaries, who are amongst the most vulnerable to the coronavirus,” explained Seema Verma, administrator of the Centers for Medicare and Medicaid Services (CMS). “Medicare beneficiaries across the nation—no matter where they live—will now be able to receive a wide range of services via telehealth without ever having to leave home. These services can also be provided in a variety of settings, including nursing homes, hospital outpatient departments, and more.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Effective March 6, 2020, Medicare will reimburse a wide range of healthcare providers for office and telehealth visits, including nurse practitioners, social workers, and clinical psychologists. Reimbursement will be at the same rate as face-to-face visits.
Relaxation of Enforcement of Noncompliance with HIPAA in Relation to Good Faith Provision of Telehealth Services
Telehealth services are subject to HIPAA regulations. The technology used, such as smartphones and communications platforms, must comply with HIPAA rules and have safeguards in place to ensure the confidentiality, integrity, and availability of ePHI. During a public health emergency such as a disease outbreak, the HIPAA Security Rule still applies. Healthcare professionals that provide telehealth services would, under normal circumstances, not be permitted to use certain video conferencing technology such as Facetime or Skype, as the services are not fully compliant with HIPAA.
The HHS’ Office for Civil Rights announced on March 17, 2020, that it is taking a more relaxed position on HIPAA enforcement of noncompliance with certain HIPAA provisions related to telehealth services. “OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately,” explained OCR in its Notification of Enforcement Discretion for telehealth.
OCR confirmed that during the coronavirus public health emergency, healthcare providers are permitted to use “any non-public facing remote communication product that is available to communicate with patients,” in connection with the good faith provision of telehealth. That enforcement discretion also applies to telehealth services related to the diagnosis and treatment of health conditions unrelated to COVID-19. While enforcement has been relaxed, Verma said “it is still important for covered entities must continue to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.”
While OCR does not endorse the use of certain products, it has been suggested that healthcare providers could use Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. Public-facing chat and communications platforms such as Facebook Live, Twitch, and TikTok would not be permitted for telehealth purposes.
OCR reminded covered entities that they can obtain greater privacy protections by using HIPAA-compliant video communications solutions and should obtain a signed business associate agreement. Provides of platforms that do sign BAAs and provide a HIPAA-compliant service include TigerConnect, Skype for Business, Zoom for Healthcare, Updox, and VSee.
“OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relate to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency,” explained OCR in its notice. When the public health emergency ends, penalties would apply if a BAA is not in place and communications platforms are used that are not HIPAA compliant.
The COVID-19 Public Health Emergency has been extended on multiple occasions, however, no further extensions will be announced. The Notice of Enforcement Discretion will end on May 11, 2023, at 11:59 pm. There will be a transition period of 90 days to help healthcare providers become compliant. The transition period will end at 11:59 pm on August 11, 2023.
