In March 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced that it would exercise enforcement discretion and not impose penalties for Health Insurance Portability and Accountability Act (HIPAA) violations arising from the good-faith provision of telehealth during the COVID-19 public health emergency. This lets healthcare providers conduct appointments over non-public-facing video services such as FaceTime, Facebook Messenger video chat, Google Hangouts, and Skype.
The OCR won’t penalize you for using these services, even though they aren’t fully HIPAA compliant, as long as you use them in good faith and tell your patients about the privacy risks they carry. OCR also encourages you to turn on every encryption and privacy setting the product offers. The goal is to make it as easy as possible for you to provide care during the pandemic.
However, that doesn’t mean you can rely on popular consumer applications as a long-term solution. As soon as possible, you need to set up a HIPAA-compliant telemedicine service.
Why you need HIPAA-compliant telemedicine
The market for telehealth services was already growing steadily, but the coronavirus pandemic might be the catalyst for widespread adoption of telemedicine. Now is the time to start using HIPAA-compliant telemedicine systems so that you can focus on providing care, not searching for systems once the OCR resumes enforcing HIPAA for telemedicine.
Without a system that can demonstrate compliance, you could face steep fines. Civil penalties for a HIPAA violation range from $100 per violation for one you could not reasonably have known about, up to an annual cap of $1.5 million for willful neglect. Using a noncompliant video conferencing (or other) system for telemedicine would, in the best case, likely be treated as a Tier 2 violation (reasonable cause), which carries a minimum penalty of $1,000 per violation.
What you need to provide HIPAA-compliant telemedicine services
With the threat of heavy fines once the coronavirus epidemic is over, healthcare organizations that have seen the value of telemedicine are wondering how to set up a HIPAA-compliant telemedicine service.
To make sure your technology providers can be held to HIPAA’s requirements, work only with vendors who will sign a HIPAA business associate agreement (BAA). This is a contract between you and the provider that obligates the vendor to safeguard the protected health information (PHI) it handles on your behalf, to report breaches to you, and to pass the same obligations down to its own subcontractors.
Free consumer tiers of video conferencing services typically don’t come with a BAA, so expect to pay for a business or healthcare plan. That cost is unavoidable if you plan to keep using telemedicine to serve patients.
Without a BAA, you are the one exposed if a vendor mishandles PHI: OCR treats handing PHI to a vendor without a BAA as an impermissible disclosure on your part. For example, Raleigh Orthopaedic Clinic paid a $750,000 settlement in 2016 after handing x-ray films to an outside company for digitization without a signed BAA in place.
The importance of information security
Information security can trip up healthcare organizations.
One downside of OCR’s temporary enforcement discretion is that, in theory, any non-public-facing video product qualifies. The line is drawn at public-facing services: you could conduct a visit over Facebook Messenger video chat, but not over Facebook Live, which broadcasts the session to anyone who finds it.
However, many services familiar to patients lack the controls needed to protect PHI. For instance, Facebook Messenger conversations aren’t end-to-end encrypted by default (at the time of writing, that required opting into a Secret Conversation), so the platform itself, and anyone who compromises it or either participant’s account, can read them. While OCR isn’t penalizing HIPAA violations during the pandemic, exposing PHI is a breach of patient trust that can’t easily be repaired.
Common video conferencing providers like Skype for Business/Microsoft Teams, Zoom for Healthcare, Google G Suite Hangouts, Cisco WebEx, Amazon Chime, and GoToMeeting will sign a BAA. If you use one of them, review its security documentation (encryption in transit and at rest, access controls, audit logging) to confirm your patients’ data is protected.
Get BAAs for all other technology
Your video conferencing platform likely won’t be the only technology tool you use when setting up telemedicine services. To stay HIPAA compliant, get a signed BAA with every technology provider that stores, sends, or otherwise handles your patients’ PHI, including payment gateways and patient intake forms.
JotForm provides HIPAA-compliant forms and a BAA so that you can collect information from patients. Patients can submit their completed medical forms, with e-signatures, from their mobile devices. The forms automatically encrypt patient information to protect it from data breaches.
The key to setting up a HIPAA-compliant telemedicine service, now and in the future, is to make sure your patients’ information is secure, whether it’s a video chat or an intake form. Investigate the information security practices of any technology provider you plan to use, and make sure that you have a signed BAA in place.