Your COVID-19 HIPAA Guide: Navigating Telehealth, Compliance Changes, and a Remote Workforce

Under the HIPAA Privacy Rule, during an outbreak of an infectious disease or other emergency situation, covered entities may disclose, without a patient’s authorization PHI for the following purposes including treatment, public health activities, friends and family involved in an individuals care, and to prevent a serious and imminent threat. For most disclosures, you must make reasonable efforts to limit the information disclosed to what is the “minimum necessary”. For more information please see the sharing section of HHS HIPAA and Novel Coronavirus bulletin.

During this national public health emergency, the Office for Civil Rights (OCR) has created a good faith provision in the HITECH law to allow health providers to use technologies that may not fully comply with the requirements of the HIPAA rules. The OCR will exercise its enforcement discretion and will not impose penalties for noncompliance. For example, you may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype without a Business Associates Agreement (BAA). However, the only restriction is the video applications cannot be public-facing such as Facebook Live, Twitch, and TikTok. Health providers are encouraged to seek additional privacy protections for telehealth through technology vendors that are HIPAA compliant such as GoToMeeting, Skype for Business, and Zoom for Healthcare.

Due to the very nature of the healthcare industry, most workers find the idea of working from home foreign and this can be a challenge for both the organization and the employee. First and foremost it’s important to make sure that there is a signed employee confidentiality agreement. In addition, we recommend drafting a work-from-home agreement to set the expectations of productivity, physical workspace, and security hygiene to establish a HIPAA compliant environment.

• Keep a record of any property the employee takes home including type, make, model, serial number, and condition.
• Outline a list of duties and productivity expectations, for an employee that has never worked from home, especially during these times, it’s easy to lose track of what tasks they should be completing while working from home.
• We recommend that employees establish a workspace in a distraction-free area of their home. This is also important for patient privacy whether it be during telehealth visits, phone calls, or recording notes on a patient’s chart.
• As they would in the workplace, it’s important for employees to face their computer screen away from high trafficked areas and keep their devices locked when not in use. If physical documents were taken out of the workplace keep them locked in a secure location when not in use.
• It’s important that employees don’t feel isolated. Therefore, we recommend establishing team calls or implementing a collaboration tool such as Slack which will allow employees to keep in touch in real-time.

There are lots of options when it comes to remote access. Our recommendation would be Splashtop or LogMeIn Pro. Both solutions are affordable and can be quickly deployed. The setup process is fairly simple, after signing up for the service you install a lightweight application on your work computer. Once installed you can connect securely to your work computer via any supported device such as a laptop, desktop, tablet, or mobile phone. The remote connection will allow you to access all of your work applications and files just like you were sitting at your desk.

We always recommend that work applications should only be accessed from company-owned and managed devices for both compliance and security reasons. However, under the current circumstances, we acknowledge this may not be possible. In the interim, if needed it is acceptable for an employee to use their personal device to connect to a cloud-hosted application. However, we do not recommend using VPN from a personal device as it can create unnecessary security risks. For the long term, we recommend using a remote access solution or looking for hosted solutions to securely store your servers, desktops, and data in the cloud which can be accessed securely from a personal device.

While we are not insurance experts we have done our best to compile a few resources that you may find helpful.

• What is Teledentistry? Teledentistry is a means of delivering patient care and oral health education to people at a remote location or coordinating care providers in the service of patient care. Learn more about D9995 & D9996 coding for Teledentistry...
• What is Telehealth? Telehealth is a collection of means or methods for enhancing health care, public health, and health education delivery and support using telecommunications technologies. Learn more about CPT 99201 & 99215 coding for Telehealth...

In light of various bugs being announced with the video-teleconference (VTC), provider Zoom we recommend businesses including health care companies seek more secure solutions such as GoToMeeting, Skype for Business and Google Meet.

The FBI has released a notice outlining various steps that should be taken to make sure that your telehealth session is protected no matter what VTC platform you use.

• Ensure meetings are private, either by requiring a password for entry or controlling guest access from a waiting room.
• Consider security requirements when selecting vendors. For example, if end-to-end encryption is necessary, does the vendor offer it?
• Ensure VTC software is up to date. See Understanding Patches and Software Updates.

Recommended Resources

• https://www.us-cert.gov/ncas/current-activity/2020/04/02/fbi-releases-guidance-defending-against-vtc-hijacking-and-zoom
• https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic