The coronavirus has changed a lot of things in a very short period of time: how we work, shop, and connect with friends, for starters. It’s also caused a surge in telemedicine visits as patients and healthcare providers alike work to stop the spread of the disease.
The increase in telemedicine due to the coronavirus has also raised questions about how the Health Insurance Portability and Accountability Act (HIPAA) applies to visits conducted over video conferencing platforms and how data is transmitted between patients and clinicians.
HIPAA enforcement relaxed due to the coronavirus
What’s the biggest effect the coronavirus has had on HIPAA? The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), which is responsible for enforcing HIPAA, has relaxed HIPAA enforcement. The OCR issued a statement that, if a healthcare organization isn’t complying with HIPAA, they’ll use their discretion regarding penalties.
What that means is that if a healthcare provider uses a video conferencing platform during this time, and they are acting in good faith, the OCR won’t come after them for noncompliance. For example, if a provider is using a video chat to assess any condition, not just those related to the coronavirus, and there isn’t a business associates agreement (BAA) in place, the provider won’t be fined. (A BAA protects the provider in case the partner accidentally or purposely discloses PHI.)
However, the OCR does recommend that providers notify their patients of the privacy risks that come with using a chat application like FaceTime or Skype, particularly if there is no BAA. Additionally, Facebook Live, Twitch, TikTok, and other public-facing applications can’t be used for telehealth services.
What hasn’t changed due to the coronavirus
One thing many patients may not know about HIPAA is that healthcare providers can share protected health information (PHI) without authorization if doing so can help treat that patient or a different patient. For example, a provider can discuss a patient’s case with another physician to receive guidance.
Healthcare providers can also share PHI during a public health emergency, like the coronavirus, without violating HIPAA, if they’re sharing it with a public health authority like the Centers for Disease Control (CDC) or a state or local health department.
In addition, PHI can be shared with family, friends, and others involved in a patient’s care, as necessary, to provide them with status updates. Providers are encouraged to obtain verbal permission from patients before doing so, if at all possible. They can also share this information with organizations like the American Red Cross to coordinate with family members.
Finally, providers can confirm with the media if an identifiable figure, like a politician, has contracted the coronavirus.
Data sharing may raise HIPAA concerns
Of note right now is the amount of data that’s being collected and how much of it may include PHI. For example, Google, Microsoft, and Facebook have all created tools to help track the spread of the coronavirus, including chatbots to assess those with symptoms and data on population movements.
Google Cloud and HCA Healthcare have created a national patient registry to share information on coronavirus test results and how many healthy patients are discharged from hospitals. This may or may not include PHI. Amazon has also opened up its coronavirus “data lake” to hospitals to help them review the data associated with the spread of the coronavirus.
The data being made available could potentially raise HIPAA concerns, particularly with regards to cloud security. But as long as these providers are taking the appropriate measures to secure patient data, this use likely falls under HIPAA’s exemptions for treating other patients or public health emergencies.
How providers can protect patient information
Even though HIPAA enforcement has been relaxed during this pandemic, that doesn’t mean healthcare providers shouldn’t protect patient information and privacy. Telemedicine visits will likely be popular even after stay-at-home orders are lifted, and it’s prudent to get the framework in place now to accommodate patients.
The OCR recommends that healthcare providers continue to protect PHI. While providers can use tools that may not be fully vetted to communicate with patients, they still need to take steps to make sure their patients’ information isn’t compromised.
That means searching for providers that can provide a BAA, whether it’s a telemedicine-specific video conferencing provider like Doxy.me or an online form provider. JotForm can provide HIPAA-compliant forms and a BAA, which will let your healthcare organization safely and securely collect patient data. This is useful not only for intake but also for patients to self-report data like weight or blood pressure readings.
HIPAA protections are still in place for patients, but enforcement has been relaxed during the coronavirus pandemic. Nevertheless, healthcare organizations should still protect patient data and look for partners that can provide BAAs and offer secure transmission and storage of patient data so that they’ll be prepared when the OCR resumes strict enforcement.