HIPAA Compliance and Telehealth

One of the many changes brought by the COVID-19 pandemic may be the permanent expansion of telehealth. According to a recent study, the US telehealth market is expected to see 80% year-over-year growth in 2020. Numerous video communications services exist, but not all of them provide privacy and security sufficient for the provision of health care (and for HIPAA compliance). The Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS), the division charged with enforcing HIPAA, has allowed some flexibility during the pandemic, but it is reasonable to assume that at some point OCR will return to enforcing its usual standards.

HIPAA Compliance during the COVID-19 Crisis

In March 2020, the US Department of Health and Human Services issued guidance on telehealth remote communications during the COVID-19 crisis. This guidance, a Notification of Enforcement Discretion, temporarily makes telemedicine more accessible: OCR will not impose penalties for HIPAA violations that occur while a provider is delivering telehealth “in good faith” during the public health emergency.

Still, it’s essential to exercise caution and keep your patients’ PHI confidential; enforcement discretion is not a waiver of the underlying obligations.

What is a “non-public facing” remote communication product?

A “non-public facing” remote communication product is one that, by default, allows only the intended parties to participate in the communication. Non-public facing remote communication products include, for example, video platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom, or Skype. Such products also commonly include texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, or iMessage. Many of these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted; not all of them do so by default, however, so a provider should confirm what a given product actually encrypts rather than assume it. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. Furthermore, participants can assert some degree of control over particular capabilities, such as choosing to record the communication or to mute or turn off the video or audio signal at any point.

In contrast, public-facing products such as TikTok, Facebook Live, Twitch, or a public chat room are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the conversation. For example, a provider that uses Facebook Live to stream a presentation made available to all its patients about the risks of COVID-19 would not be considered a reasonably private provision of telehealth services. A provider that chooses to host such a public-facing presentation would not be covered by the Notification and should not identify patients or offer individualized patient advice in such a live stream.

Which video platforms are safe to use?

Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) covering their video communication products. The list below, from the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), includes some vendors that represent that they provide HIPAA-compliant video communication products and will enter into a HIPAA BAA. OCR notes that it has not reviewed these vendors’ BAAs and that the list is not an endorsement, so a provider should still review the BAA and the product’s security controls itself before relying on either.

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Doxy.me
  • Google Meet
  • Cisco Webex Meetings / Webex Teams
  • Amazon Chime
  • GoToMeeting
  • Spruce Health Care Messenger

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996, which was signed into law by President Bill Clinton. The HITECH Act, signed by President Obama in 2009, updated HIPAA by setting out rules and penalties regarding breaches of protected health information (PHI).

Among other provisions, HIPAA mandates that security measures be taken to protect PHI. HIPAA is split into five sections, or titles. HIPAA Title II, which is known as the Administrative Simplification provisions, is what most information technology (IT) professionals are referring to when they speak of “HIPAA compliance.”

What does HIPAA compliance entail?

The Administrative Simplification provisions in HIPAA Title II are split into five rules, including the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule establishes national standards to protect PHI. It applies to all forms of records (electronic, oral, and written) and requires covered entities to implement policies and procedures safeguarding PHI and to ensure that all members of their workforce are trained on them. The HIPAA Security Rule applies to electronic protected health information (ePHI). It establishes national standards to protect ePHI and requires covered entities and business associates to implement administrative, physical, and technical safeguards for ePHI.

What can I do to ensure that my organization is HIPAA compliant?

Continuum GRC believes that the best defense against a PHI breach is a good offense – and HIPAA requires that covered entities and business associates take a proactive approach to protecting patient data. In light of the financial penalties and potential PR nightmare associated with breaches of sensitive personal medical information, HIPAA compliance is serious business.

HIPAA is a voluminous, complex law, and many organizations are baffled about where to begin with their HIPAA compliance. Thankfully, the HIPAA compliance experts at Continuum GRC are here to help. We offer comprehensive HIPAA compliance software that includes HIPAA Audit, HITECH, NIST 800-66, and Meaningful Use Audit services to help you evaluate your existing HIPAA protocols and establish new ones. Continuum GRC’s proprietary IT Audit Machine (ITAM) IT audit software is itself fully HIPAA compliant, and it helps eliminate 96% of cybercrime and nearly all of the headaches associated with compliance audits.

Not sure where to start with HIPAA Compliance?  

We created a free HIPAA Awareness & Compliance Survey to determine your office’s degree of HIPAA compliance and awareness.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.
