Relaxing HIPAA Under COVID-19

Travis Good
May 8, 2020

With COVID, it feels like just about everything has been flipped on its head. What was not possible just a few months ago is now suddenly the new normal. Healthcare, for one, has been at the front lines of these changes. While frontline healthcare workers in places like New York and Louisiana struggle heroically to manage acute COVID patients, the rest of healthcare has had to adapt to a new normal where remote care, or telehealth, is a new viable form of care delivery.

For the last 10+ years, there’s been much debate in healthcare about the viability of telehealth. For a very long time, the challenges blocking widespread adoption of telehealth had been framed around technology and safety:

  • video and images were not good enough;
  • patients didn’t know how to use technology;
  • it didn’t fit into the technology providers use all day; and
  • it is dangerous to treat a person remotely.

It turns out the problem was not safety or technology; it was reimbursement. Many people in healthcare knew this, but COVID has proved it for all. During this crisis, providers can bill for telehealth services. And, lo and behold, the technology works and patients, for the vast majority of cases, are safe to treat remotely.

With barriers removed, telehealth is exploding. Services like those offered by companies like Zipnosis are being used by thousands of patients every day. With this explosion come questions and scrutiny around the privacy and security of the platforms that are being used. Telehealth platforms like Zipnosis are secure as they have been operating in healthcare for years. But other services like FaceTime and Google Hangouts are new and are not always covered under a business associate agreement (BAA).

One thing HHS and The Office of Civil Rights (OCR) did early on in COVID was to relax HIPAA rules around the delivery of remote medical care and the sharing of protected health information (PHI). ONC is basically waiving enforcement and penalties for violations of HIPAA for care and public health services under COVID.

ONC published an FAQ a week later to clarify the announcement. Below are two of the clarifications.

The first clarification highlights the scope of the temporary HIPAA changes: Covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This covers pretty much all of HIPAA, meaning HIPAA is not being enforced right now for telehealth services.

On what is covered under the original HIPAA guidance, ONC listed examples: Non-public facing remote communication products would include, for example, platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage. That is an impressive list.

While some of the privacy implications during COVID are controversial, suspending HIPAA enforcement to ensure patients can continue to get the care they need is a good thing. And this is a temporary suspension, so HIPAA will be alive and well once we emerge from this acute stage of COVID. Hopefully, even as HIPAA enforcement returns, telehealth and other digital health tools will continue to be used by both patients and providers.