Telehealth & HIPAA Compliance in the Age of Coronavirus

Electronic protected health information (ePHI) is protected health information (PHI) that is produced, saved, transferred or received in an electronic form. In the United States, ePHI management is covered under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule.

The HIPAA guidelines on telemedicine are contained within the HIPAA Security Rule and stipulate:

  1. Only authorized users should have access to ePHI.
  2. A system of secure communication should be implemented to protect the integrity of ePHI.
  3. A system of monitoring communications containing ePHI should be implemented to prevent accidental or malicious breaches.

In other words, health care professionals must use “reasonable and appropriate safeguards” to prevent ePHI from being disclosed to any unauthorized parties. In particular, the second point means that unsecured channels of communication such as SMS, Skype, and email should not be used for communicating ePHI at a distance. Finally, according to the HIPAA guidelines on telemedicine, any system of communicating ePHI must have mechanisms in place so communications can be monitored and remotely deleted if necessary, have automatic log-off capabilities, and have storage with a third party, which requires a Business Associate Agreement (BAA).

However, with the COVID-19 Coronavirus pandemic, things have changed. There has never been a disease outbreak on this scale in the age of HIPAA. Therefore, the Secretary of Health and Human Services, Alex Azar, announced a limited HIPAA waiver, effective March 15, 2020, covering the following provisions of the HIPAA Privacy Rule:

  • The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care – 45 CFR 164.510(b)
  • The requirement to honor a request to opt out of the facility directory – 45 CFR 164.510(a)
  • The requirement to distribute a notice of privacy practices – 45 CFR 164.520
  • The patient’s right to request privacy restrictions – 45 CFR 164.522(a)
  • The patient’s right to request confidential communications – 45 CFR 164.522(b)

The preferred method for remote healthcare services at BlueIvy client Therapeutic Oasis has always been Zoom because it’s easy to download and is 100% HIPAA compliant. However, these loosened requirements mean that using FaceTime, SMS, or even just making a simple telephone call is now acceptable. Still, since more and more companies are using Zoom to continue with company meetings and interpersonal communications, and tutorials for using Zoom are very straightforward, it may be time to hop on the socially distant bandwagon.