The Notification of Enforcement Discretion
On March 30, 2020, the Department of Health and Human Services (HHS) issued a Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 Nationwide Public Health Emergency.(1) In the notice, HHS stated it “will not impose penalties for noncompliance… in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” Specifically, then-Secretary Azar waived sanctions and penalties for the following provisions of the HIPAA Privacy Rule:
The requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care (45 CFR 164.510(b));
The requirement to honor a request to opt out of the facility directory (45 CFR 164.510(a));
The requirement to distribute a notice of privacy practices (NPP) (45 CFR 164.520);
The patient’s right to request privacy restrictions (45 CFR 164.522(a)); and
The patient’s right to request confidential communications (45 CFR 164.522(b)).
HHS also published a series of guidance and Frequently Asked Questions on its website.(2)
Steps to Ensure Your Telehealth Is HIPAA Compliant
Now that the public health emergency expired on May 11, 2023, healthcare providers should review these five areas and compare them to their current practices. Specifically, providers should revisit any new technology implemented to provide telehealth services.
Surveying the different providers and compiling a list of all telehealth platforms in use would be a good place to start. There could be platforms being used that did not go through the typical vendor vetting process. According to the notice of discretion, Facebook Live, Twitch, TikTok, and other similar public-facing video communication platforms should not be used. If you identify the use of any system expressly prohibited by HHS, you should evaluate if a breach has occurred and stop using that platform as soon as possible.
Compiling a list of all telehealth platforms in use would be a good place to start.
The next step will be to review the coordinating contracts or subscription agreements to determine what terms may have already been agreed upon. Some contracts and subscription agreements often contain Business Associate Agreement (BAA) language. If you identify the lack of a BAA for any platform you will be keeping, you should work with the vendor to resolve this as soon as possible. HHS has sample language on its website if you do not have a BAA template or need to review a vendor’s agreement.(3) The preference should be to have vendors sign your agreement. The sample BAA should help you negotiate terms if you need to negotiate an agreement. Many terms in a BAA can be negotiated, and understanding what is negotiable and not negotiable is essential.
Suppose the vendor refuses to sign a BAA. In that case, you should identify how to terminate any signed agreements, negotiate the return or destruction of electronic Protected Health Information (ePHI), and communicate decisions to providers. You should also consider the potential effects of contract termination on patients and patient care.
HIPAA requires that patients are provided a copy of the notices of privacy practices (NPP) no later than the date of the first service delivery, including service delivered electronically. This requirement was one of the five privacy provisions in the notice of discretion. It is likely that this process, overall, has fallen out of compliance. Conduct an audit to ensure your patients are being provided a copy of your NPP and that you are obtaining an acknowledgment.
Lastly, the telehealth application should be added to your subsequent security risk analysis (SRA). In accordance with the security rule, providers must accurately and thoroughly analyze any threats to the confidentiality, availability, and integrity of electronically protected health (45 CFR 164.308(a)(1)(ii)(A)). One of the first steps to conducting an SRA is identifying all applications that store, receive, or transmit ePHI.
Many healthcare providers rushed to implement telehealth in the wake of the pandemic. When HHS issued its notice of enforcement discretion, providers could move more quickly without worrying about facing financial penalties for failing to comply with HIPAA. However, now is the time to prepare for the enforcement discretion to end.
References
U.S. Department of Health & Human Services. Notification of Enforcement Discretion for Telehealth. http Remote Communications During the COVID-19 Nationwide Public Health Emergency. www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html . Accessed March 21, 2023.
U.S. Department of Health & Human Services. Guidance: How the HIPAA Rules Permit Covered Healthcare Providers and Health Plans To Use Remote Communication Technologies for Audio-Only Telehealth. www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html . Accessed March 22, 2023.
U.S. Department of Health & Human Services. Business Associate Contracts. www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html . Accessed March 22, 2023.