No-Nonsense Guide to Basic Telehealth Services for Professionals
Providers wondering which technologies to choose for telehealth services now face a confusing list of options. Fundamental to making those choices is a) understanding the law and b) understanding a practice’s needs. This article briefly reviews both aspects and points to other resources to help the practitioner make optimally informed choices.
The Law (HIPAA, PIPEDA and Other Privacy Laws)
While most countries have a technology-related healthcare privacy law, the law referenced in this article is primarily HIPAA, the US law (although similar laws exist in other countries, such as Canada’s PIPEDA).
In the United States, many clinicians seem to have misunderstood the COVID-related changes related to privacy and technology. In particular, many US providers believe that HIPAA rules have been relaxed for telehealth services during COVID-19, but they have not. The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has made it very clear that COVID-19 has led to a temporary exercise of enforcement discretion, and NOT a relaxing of the HIPAA rules themselves. OCR is the federal office responsible for enforcing HIPAA.
HIPAA laws were not changed in response to COVID-19. Even a quick read of the title of OCR’s March 17, 2020, COVID-related announcement regarding HIPAA shows that OCR will not impose penalties for HIPAA violations, but the law itself is not changed. The announcement is entitled Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. In sum, the rules never went away. Rather, OCR has announced that it will, in effect, look the other way during COVID-19 if professionals use commonly available video-conferencing platforms, except for a few that are public-facing, such as Facebook Live and TikTok. Post-COVID-19, professionals can expect that enforcement of HIPAA will return. (To see current enforcement actions by OCR, see the HIPAA Wall of Shame.)
Krista Drobac, the Executive Director for the Alliance for Connected Care, a leading organization of healthcare and technology companies from across the health care spectrum, representing insurers, health systems and technology innovators, stated, “OCR is unlikely to extend HIPAA exceptions. When the emergency is over, you will no longer be able to use Facetime, Skype and you must use a HIPAA compliant platform.”
When considering which technology to choose for a telehealth practice then, the OCR’s wording is pivotal. Making an informed technology choice is advised to minimize needless disruption in one’s practice. Three of the most important factors related to technology choice and HIPAA are detailed below. Other crucial factors will be discussed in future TBHI blogs.
Understanding One’s Practice Needs for Telehealth Services
The OCR announcement makes it clear that HIPAA enforcement is currently relaxed for health care providers who provide telehealth in good faith. The OCR statement further outlines issues of good faith actions. These are detailed next.
“Good Faith” in Delivering Telehealth Services
The OCR statement about the relaxation of enforcement related to a practitioner’s choice of technology during COVID-19 describes several ways that practitioners can operate in good faith. First, it outlines the need for providing as many privacy precautions as possible, including:
- Releasing only the minimum necessary amount of information
- Using as many security features as are available with the clinician’s chosen technology
- Discussing with the client or patient the specific risks to their privacy and security posed by the clinician’s chosen technology
The issue of good faith may have repercussions regarding a practitioner’s choices related to technology. To operate in good faith in this context requires the clinician to have a basic awareness of HIPAA rules, of how those rules are being compromised during COVID, and to offer a clear explanation to the client or patient in a dynamic informed consent process. Clinical decisions related to making these choices are particularly important during the current pandemic transition phase, where the incidence of reported behavioral health issues is increasing, particularly in areas related to post-traumatic stress disorder (PTSD), complicated bereavement, addictions, suicide and others. 1,2
With these good faith clarifications in mind, providers making technology choices may want to consider the following basic issues.
Does the Telehealth Service Use End-to-End Encryption?
Many telecommunication platforms pose a security risk when used with sensitive information. While some telecommunication platforms are available for free, added costs are levied for customer service and additional security services. But paying for a service doesn’t assure security. For instance, it was recently discovered that Zoom misled users into believing that the service used end-to-end encryption (E2EE). E2EE ensures that only the authorized participants have access to sensitive data. However, Zoom was using its own definition of E2EE, which led to the company being investigated by the New York Attorney General. While the service prevented outside access to meeting information, the company itself was still able to access patient data, putting sensitive data at risk. For true E2EE, the company operating the service should not be able to access user data.
The Zoom settlement reflected Zoom’s quick response: changed default settings, additional features to bolster user privacy, and the removal of questionable features that could impact privacy. The latest Zoom 5.0 platform reportedly addresses many outstanding issues, including implementing 256-bit AES-GCM encryption. As with many companies that were caught off guard by the COVID pandemic, Zoom’s standards have been improved and are now much safer. In fact, due to the recent investigation, Zoom may now be safer than some other video systems.
While many clinicians may feel a sense of security in knowing that they use a video company that is not in the mainstream news, they may be surprised to learn that many video systems use Zoom, Vidyo or VSee at their core, and develop a “wrapper” to re-sell one or more of these services to healthcare and other professionals seeking video services. That is because some of these larger companies have offered reliable services in the past, and have the types of funding that will keep their systems operational when needed.
Where do such issues leave the provider trying to make responsible technology choices? As HIPAA covered entities, telehealth service providers have an obligation to secure protected health information (PHI). Therefore, asking about end-to-end encryption is important when choosing technology for one’s telehealth services.
Does the Telehealth Service Enable Access Controls?
Access controls enable providers to control who, within their organization, has access to Protected Health Information (PHI). HIPAA requires only the minimum necessary PHI to be used or disclosed, for a specific purpose. As such, each employee must have unique login credentials to access the telecommunication platform. This ensures that employees only have access to the PHI they need to perform all essential job functions.
Does the Telehealth Service Provide Audit Logs?
An audit log tracks access to PHI to ensure adherence to the minimum necessary standard. Audit logs provide information on what PHI was accessed, how long it was accessed for, and who accessed it. Keeping an audit log helps detect and deter insider breaches – unauthorized use or disclosure of PHI by an authorized employee – because normal access patterns are established for each employee, so deviations from those patterns stand out. Providers may also want to ask about audit logs, and how they can be accessed.
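One way a provider could review such a log against the minimum necessary standard, as an added example that is not TBHI’s or any vendor’s code. The log line format, the field names and the caseload table are constructed assumptions, since the article does not describe any specific platform’s audit log format.

```python
"""Review a PHI audit log for accesses outside an employee's caseload and for
bursts of distinct records in a short window (the kind of deviation from an
established access pattern that an insider breach produces)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (hypothetical format):
# timestamp  user  action  patient_record  seconds_viewed
SAMPLE_LOG = """\
2020-05-01T09:02:11 nurse_a VIEW PT-1001 95
2020-05-01T09:20:40 nurse_a VIEW PT-1002 120
2020-05-01T10:05:03 nurse_b VIEW PT-2001 80
2020-05-01T11:15:22 nurse_a VIEW PT-1001 60
2020-05-01T23:41:09 nurse_b VIEW PT-1001 15
2020-05-01T23:41:30 nurse_b VIEW PT-1002 12
2020-05-01T23:41:51 nurse_b VIEW PT-1003 10
"""

# Hypothetical caseload: the records each employee needs for their job functions
CASELOAD = {"nurse_a": {"PT-1001", "PT-1002"}, "nurse_b": {"PT-2001"}}


def parse_log(text):
    """Parse the constructed log format into a list of access entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record, secs = line.split()
        entries.append({"time": datetime.fromisoformat(ts), "user": user,
                        "action": action, "record": record, "seconds": int(secs)})
    return entries


def review(entries, caseload, burst_window_s=120, burst_threshold=3):
    """Return findings as tuples: (kind, user, detail)."""
    findings = []
    by_user = defaultdict(list)
    for e in entries:
        # Minimum necessary: flag any record not assigned to this employee
        if e["record"] not in caseload.get(e["user"], set()):
            findings.append(("outside_caseload", e["user"], e["record"]))
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        # Pattern deviation: many distinct records opened within a short window
        for i, start in enumerate(evs):
            window = [x for x in evs[i:]
                      if (x["time"] - start["time"]).total_seconds() <= burst_window_s]
            distinct = {x["record"] for x in window}
            if len(distinct) >= burst_threshold:
                findings.append(("burst", user, len(distinct)))
                break
    return findings
```

On the sample log, nurse_a stays within caseload and produces no findings, while nurse_b is flagged for three out-of-caseload records and for opening them within 42 seconds late at night.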
Will the Telehealth Service Sign a Business Associate Agreement?
Even if a telecommunications platform has all of the necessary protections in place to secure PHI, if the company is unwilling to sign a business associate agreement (BAA), the provider is not HIPAA-compliant when using that technology without a BAA. The provider’s obligation is to use technology from companies that supply a BAA, which assures the provider that the necessary security and privacy measures are in place. It also limits the liability of each signing party, as each party is responsible for monitoring and maintaining its own HIPAA compliance.
Telehealth Service Resources
TBHI HIPAA-Related Resources
TBHI has created a number of reports that are of particular interest to the telehealth community. A knee-jerk technology purchase can involve hours of set up time, only to find that the chosen system does not meet practical workflows and other practice-specific needs. A TBHI community favorite report is the 30 Questions to Ask your Video Vendor. It is a checklist of questions to help providers conduct their own needs analysis before submitting themselves to vendor sales efforts.
For professionals who are still scratching their heads about HIPAA and how it relates to telehealth services, TBHI offers two online courses of relevance, both with 3 hours of CME or CE credit:
- Rules, Regulations & Risk Management. A clear discussion of legal and ethical issues related to telehealth, this online training simplifies the basics of telehealth privacy and security, explains telehealth-related HIPAA rules, and provides a clear path for moving forward. (This training counts toward ethical training requirements for licensure renewal.)
- Essential Telehealth Technologies – overview of HIPAA-compliant technologies, their different features, and how they assist with delivering telehealth services.
Resources for COVID Telehealth Services
Below are a number of COVID-related telehealth service resources to further assist with decisions about how to handle PHI:
OCR guidance in the form of frequently asked questions in support of the good faith rendering of telehealth services:
OCR guidance on covered entity disclosures of the PHI of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without the individual’s authorization.
For guidance in making decisions for hospitals, clinics, agencies, small group practices or other entities, TBHI’s affiliate, the Compliancy Group, may be able to help. They support HIPAA compliance with Compliance Coaches®. Learn more about HIPAA compliance.
TBHI COVID Telehealth Resources
- TBHI has developed a number of COVID-related blog posts of interest to the telehealth professional community, ranging in topics from telephone reimbursement, group therapy procedures and reimbursement to an overall primer to help you find the right information without hunting on your own.
- A regularly-updated COVID-19 Telehealth Primer is available to help you navigate the many changes brought about by COVID-19 – all in one spot.
- TBHI specializes in offering you a step-by-step learning path of online telehealth training that helps you be legally and ethically compliant and clinically proficient.
- Telehealth Clinical Best Practices Workshop — Live, interactive webinar with 4 CME or CE hours to discuss preventing and handling complex clinical issues. These hours COUNT TOWARD ETHICAL TRAINING REQUIREMENTS.
- Course Catalog
- Micro Certifications to give you a broader range of legal and ethical grounding, and to allow you to distinguish yourself as a TBHI-credentialed professional on your websites, in social media, directories and other arenas.
1. Stockler, A. Coronavirus pandemic and surging gun sales may increase suicide risk in US, researchers say. Newsweek. April 30, 2020.
2. Clay, R. COVID-19 and suicide. APA. May 18, 2020.
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individual.