Over the course of the past couple of months, telehealth has expanded exponentially, but questions still loom about secure COVID telehealth services. A recent study projects that the telehealth market will grow by 38.2% over the next five years. In 2020 alone, telehealth will likely grow by 64.3%.
“The critical need for social distancing among physicians and patients will drive unprecedented demand for telehealth, which involves the use of communication systems and networks to enable either a synchronous or asynchronous session between the patient and provider,” said Victor Camlek, Healthcare Principal Analyst at Frost & Sullivan. If you haven’t yet begun to deliver secure COVID telehealth services, the tips below will help you think about your options. If you have started, they will help you work legally and ethically with best practices related to HIPAA.
Is HIPAA Gone? Offering Maximally Secure COVID Telehealth Services
With the COVID-19 pandemic, many providers are quickly adapting to the changing environment and relying on technology which they do not adequately understand. Many practitioners also don’t understand HIPAA’s recent shift in relaxing enforcement so as to provide maximally secure COVID telehealth services.
The Department of Health and Human Services (HHS) continues to release new guidance on the use of telehealth services and HIPAA, to ease the transition for these providers. Some of the guidance has been misconstrued; there is a common misconception that telehealth services no longer need to be HIPAA compliant. However, this is simply untrue; the guidance temporarily lessens enforcement of sanctions against errant clinicians. The changes, however, have not changed the law. In essence, the Office for Civil Rights (OCR) will not enforce rules currently on the books. They have agreed to look the other way – not remove the rules. The actual wording of their shift relates to the use of video conferencing platforms that are normally deemed unsuitable, as long as the treatment is provided in “good faith.” This means that clinicians must:
- Offer services in maximally protected environments, in other words, choose technology that will offer the highest level of privacy and security possible and be able to explain
- Release the least amount of information possible
- Inform clients and patients of the risks associated with the clinician’s choice to use any technology (which means the clinician must understand and explain these risks).
- Risks associated with unsecure environments such as FaceTime and Skype, then, should be explained to the client and patient.
- When using platforms such as Skype, the clinician should be aware of features such as typing words while communicating, which can render the exchange visible to onlookers months later. It is best, then, to avoid leaving any trace of clinical care that can be seen by other parties when opening Skype months later. Only using the video portion is suggested. Video exchanges on Skype are not recorded and therefore cannot be as easily traced months later.
- Avoid all recording features allowed by platforms. Clinicians rarely record behavioral sessions when working in-person. Such cautions are even more appropriate online, where protecting a client or patient’s security is paramount. Although HIPAA sets standards for technology platforms to meet, hacking occurs regularly.
- Proper release forms outlining those particular risks should be signed by the client/patient.
- The informed clinician then keeps the client or patient’s welfare at the forefront of their decision-making at all times, mitigating risks, using HIPAA-compliant technology whenever possible. For a list of platforms claiming HIPAA-compliance, see TBHI’s Telehealth Buyer’s Guide.
- Document their rationales fully
Although the HHS is lessening HIPAA enforcement surrounding the use of videoconferencing platforms, telehealth providers are still restricted from using public-facing platforms such as Facebook Messenger and TikTok. Telehealth providers must also continue to adhere to the standards set forth by HIPAA (i.e. implementing safeguards, business associate management, policies and procedures, training, etc.).