Last week, the Trump Administration extended Medicare telehealth services as the COVID-19 crisis deepened. “Medicare beneficiaries across the nation, no matter where they live, will now be able to receive a wide range of services via telehealth without ever having to leave home,” explained CMS Administrator, Seema Verma, in a March 17 press briefing.
Following on from the announcement, the HHS’ Office for Civil Rights issued a notification of HIPAA enforcement discretion for telehealth remote communications, stating that sanctions and penalties will not be imposed on healthcare providers for noncompliance “in relation to the good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.”
Telehealth is the use of telecommunications technologies to provide long-distance clinical health care, health-related education, and the administration of public health and health administration. These healthcare services can be provided using videoconferencing solutions, store-and-forward imaging, streaming services, and landline and wireless communications. When the country is on lockdown and patients are self-isolating or self-quarantining, telehealth services are vital for maintaining contact with patients, monitoring their health condition, and for remotely examining and diagnosing patients.
Following on from the notification of enforcement discretion, on March 21, 2020 the Office for Civil Rights issued guidance on telehealth remote communications for covered entities. The guidance document details frequently asked questions and answers to support the good faith provision of telehealth services during the COVID-19 pandemic.
OCR explained that while the use of text, audio, and video communication services are covered by the notification of enforcement discretion, some payors may impose restrictions on the types of communication technologies that can be used. Healthcare providers will only be reimbursed if they use the authorized services, so it is therefore important to check to make sure that services are provided in line with the requirements of payors such as Medicare and Medicaid.
In the guidance, OCR confirms that the notification of enforcement discretion applies to HIPAA-covered healthcare providers, not to other HIPAA-covered entities that are not engaged in the provision of healthcare. There are no limitations on the patients that can be treated using telehealth services and it is not limited to COVID-19 or suspected COVID-19 cases. However, the notification of enforcement discretion only applies to telehealth, not to any aspects of HIPAA Rules not related to telehealth services.
Since the COVID-19 crisis is likely to be a long-term problem, OCR has not issued an expiration date for its notification of enforcement discretion. A public notice will be issued when its enforcement discretion no longer applies.
Even during a public health emergency, it is important to ensure that patient privacy is protected. Telehealth services can be provided from healthcare facilities, at other clinics or from the home, but they should be provided in a private setting to limit the possibility of incidental uses and disclosures of ePHI.
OCR has also provided clarification of the good faith and bad faith provision of telehealth services. Aside from criminal uses of PHI and further uses of PHI outside of the provision of telehealth services, OCR warns that bad faith includes any violations of state laws or ethical standards that would normally result in disciplinary action and also the use of public-facing remote communications solutions such as Twitch, Facebook Live, Slack, and chatrooms. Only non-public facing platforms must be used, which include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, or Skype.