By Brian C. Evander and Michael R. Lowe
On March 17, 2020, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) issued an announcement that it would be exercising its enforcement discretion and would waive potential penalties for violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.
OCR specifically named Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype as examples of these everyday communications technologies which fall under the OCR’s waiver of penalties against providers for “good faith” telehealth use during the pandemic. Specifically, video apps such as those above can be used to communicate with and provide care to patients without first obtaining a business associate’s agreement, something that would typically be required under the HIPAA Privacy Rule.
However, the penalty waiver for good faith telehealth use during the COVID-19 emergency does not mean that health care providers can simply set aside HIPAA’s physical and technical safeguards intended to protect patient information. Those providers using video-conference technology should still use every security and privacy tool they have available in order to maintain patients’ trusts, according to the America Medical Association in a recent statement.
For instance, the HHS guidance for telehealth depends on videos not being broadcast or made available to the public. Some videoconference products such as Zoom appear to currently lack end-to-end encryption and would therefore not truly be HIPAA-compliant in normal circumstances. Zoom has stated that its product complies with HIPAA, and the OCR listed Zoom in its notice as one of the services which a health care provider may use without enforcement risk. However, a standard Zoom call has different settings than Zoom calls made specifically under a Zoom medical video conferencing account, and providers will need to ensure that their Zoom calls are made under settings which protect patient privacy and security. In calls made through a Zoom medical video conferencing account, for example, the call itself is locked by the host to only those participants the host allows to join, participant identities are not logged or reported, and cloud recording, file transfers, and in-meeting chat are all disabled.
While the OCR announcement of enforcement discretion may provide safety for health care providers using telehealth in good faith during the COVID-19 crisis, that announcement does not prevent patients from potentially filing lawsuits against health care providers whom those patients believe violated or failed to protect their personal data. Causes of action for those lawsuits can arise from a number of sources, not just HIPAA. Patients in Florida whose personal data is not properly protected by a health care provider may file claims under the Florida Information Protect Act of 2014 (FIPA).
To summarize, while OCR has indicated that it will waive penalties for HIPAA violations against health care providers serving patients through telehealth in good faith during the COVID-19 emergency, this is in no way a “free pass” for providers not to protect patient information through every security and privacy tool they have available. Regardless of whether a videoconferencing service claims to provide a HIPAA-compliant experience, in the absence of a business associate agreement between that service and a health care provider, the responsibility for protecting a patient’s information and data still ultimately falls to the health care provider.
Providers should take appropriate steps to ensure that their provision of telehealth services are as conforming as possible to the privacy and security standards set forth in HIPAA and similar state equivalents such as FIPA. Our firm is available to discuss HIPAA and FIPA compliance as well as advise clients and/or health care professionals seeking advice or representation on it.
Lowe & Evander, P.A., understands the hard work and sacrifices it takes to become a health care professional or provider, and we aggressively defend health professionals in protecting their license, practice, career, assets and reputation. Using our experience and expertise, we navigate the obstacles our clients face, serving not only as their attorneys but also as their legal strategists, trusted advisors and protectors of their rights and interest against government investigations and lawsuits when necessary. Lowe & Evander, P.A., helps chart a course for its clients through the maze of state and federal health care laws, rules and regulations.
Our best to all of you out there taking care of employees and patients and protecting us in these difficult and unsettling times. Stay safe!
Brian C. Evander, Esquire is a partner at Lowe & Evander, P.A., with Michael R. Lowe, Esquire, a Florida board-certified health law attorney. Mr. Evander and Mr. Lowe regularly represent providers, physicians and other licensed health care professionals, and facilities in a wide variety of health care law matters. For more information regarding those health care law and such matters please visit our website www.lowehealthlaw.com
|
The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information and content in this article are intended to convey general informational only and may not constitute the most up-to-date legal or other information. Readers of this article should contact their attorney to obtain advice with respect to any particular legal matter. No reader of this article should act or refrain from acting on the basis of information in this article without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.
|