Hello everyone! The White House just announced that the COVID-19 Public Health Emergency (PHE) will end on May 11, 2023. This directly affects how telehealth services can be delivered.
If you haven’t blocked out all memories of Spring 2020, you may recall that the Office for Civil Rights (OCR) issued a Notice of Enforcement Discretion on March 17, 2020. The Notice addressed the use of telehealth services by covered entities (CEs) during the PHE. The OCR clarified that, during the PHE period, it would allow the use of non-public facing communication products to provide patients with telehealth services and would, as a result, disregard many parts of the HIPAA Privacy and Security Rule requirements in order to facilitate safe and timely patient care.
The PHE ends in May. OCR reminded us of this last year when it provided information about what it expects covered entities to take into account if they plan to continue to use telehealth after the period of enforcement discretion ends.
Beginning May 12, 2023, the OCR wants you to remember the following about telehealth services:
Telehealth presents privacy concerns:
- CEs are responsible for assessing and ensuring the privacy of the location(s) of telehealth service delivery.
- CEs are responsible for implementing patient identity verification protocols.
Telehealth presents security concerns:
- The HIPAA Security Rule applies unless the CE delivers telehealth via a landline.
- Telehealth should be an identified asset in your security risk analysis and vetted accordingly.
Telehealth presents contractual concerns:
- Do you need a Business Associate Agreement (BAA) with the telehealth vendor? The OCR says maybe.
  - No, if the CE falls under the Telehealth by Landline category.
  - No, if the telehealth vendor falls under the conduit exception.
  - Otherwise, yes you do.
Our response? Well, first, telehealth services by landline? And, secondly, as a longtime privacy and information security compliance consulting organization, we have yet to meet a telehealth vendor that is truly, simply, a conduit (although we have met plenty that will tell you they are). Our best advice for steps to take now – send a BAA to your vendor for signature.
As you know, telehealth services are essential to many who live rurally or have trouble getting themselves to a healthcare provider. When you are on top of what it means to provide HIPAA-compliant telehealth care, your patients can continue to get the care they need, and you can avoid any conflict with OCR.
Julia Huddleston, Principal Consultant, holds the designation of Certified Information Privacy Manager, Certified Information Privacy Professional, and Certified (HITRUST) CSF Practitioner. Contact her or Kevin Haralson, MBA, CCSFP, CHP and Senior Compliance Analyst, for a full compliance program review, security risk analysis, or to prep for certification via the HITRUST or SOC process. Apgar and Associates, LLC is an authorized HITRUST Readiness Licensee.