The COVID-19 Telehealth Boom Might Be Here to Stay, but HIPAA Flexibility Might Not
One of the many changes brought by the COVID-19 pandemic may be the permanent expansion of telehealth. According to a recent study, the US telehealth market is expected to witness 80% year-over-year growth in 2020. Although numerous video communications services exist, not all were designed to provide sufficient privacy and security to facilitate the provision of health care (and HIPAA compliance). While the Office for Civil Rights (OCR) of the United States Department of Health and Human Services (HHS), the division charged with enforcing HIPAA, has provided some flexibility during the pandemic, at some point it is reasonable to assume that OCR will again raise standards.
Apple FaceTime, WhatsApp, Facebook Live, and Google Hangouts, just to name a few, were designed to facilitate virtual birthday parties and family hangouts. These platforms were not designed with an eye towards the strict security measures that are required to guard Protected Health Information (PHI) from prying eyes or cyberattack. Indeed, some of the platforms are designed, as Facebook Live is, to permit anyone to join a video communication. On the other hand, with in-person doctor visits becoming challenging almost instantly in the pandemic environment, OCR clearly felt compelled to help providers find ready-made, affordable tools to continue interfacing with patients.
Responding to the above concerns, OCR announced that it would utilize its “enforcement discretion” to avoid imposing penalties on medical providers who failed to fully comply with HIPAA rules while delivering telehealth services to patients during the public health emergency. OCR would do so, however, only if the medical provider used a non-public-facing video communications platform (thereby nixing platforms such as Facebook Live or Twitch). According to OCR, by way of example, Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype would all be acceptable during the public health emergency, but OCR simultaneously cautioned that medical providers should alert their patients to the possibility of security or privacy risks when using these platforms. OCR later cautioned that providers would continue to be required to ensure HIPAA compliance with respect to vendors outside of telehealth.
OCR also indicated that it was aware, without having confirmed the same, that several platforms claimed to be able to provide HIPAA-compliant security and were willing to enter into the typically required HIPAA Business Associate Agreement (BAA). According to OCR, these were:
- Skype for Business;
- Microsoft Teams;
- Zoom for Healthcare;
- Google G Suite Hangouts Meet;
- Cisco Webex Meetings or Webex Teams;
- Amazon Chime;
- GoToMeeting; and
- Spruce Health Care Messenger.
Although it has yet to say precisely when, it is reasonable to assume that OCR will start enforcing HIPAA compliance with respect to telehealth communications platforms again. At that time, health care providers will be expected to fulfill their responsibility to ensure that the telehealth platforms they are using comply with all applicable HIPAA regulations. Accordingly, now is the time for providers who may have taken advantage of this early flexibility to start formalizing HIPAA compliance (including through an appropriate HIPAA BAA).
Pullman & Comley’s own review has shown that the following platforms used for general communications claim to satisfy HIPAA compliance:
- Google G Suite Hangouts Meet according to Google’s G Suite and Cloud Identity HIPAA Implementation Guide;
- GoToMeeting according to its HIPAA Compliance webpage;
- Microsoft Teams according to this White Paper published by HIPAAOne;
- Zoom for Healthcare according to its own HIPAA Compliance Guide.
In some instances, transitioning from general service to the HIPAA-compliant version of a service may be as simple as a question of contract – for example, moving from Zoom to Zoom for Healthcare. In other instances, a new provider may need to be found. Our team has experience reviewing not only the materials linked to HIPAA compliance, such as BAAs, but also the license and service agreements with these providers to help our clients understand and lessen business risks associated with these relationships. In the coming weeks, we will be issuing a further blog on the common areas that health care providers should be paying attention to when entering into such agreements.