Episode 1: COVID-19 & HIPAA – Navigating OCR’s New Policy

Show Notes


David Holtzman, executive advisor at CynergisTek talks about OCR and its recent notification regarding its enforcement discretion in applying penalties for violations of the HIPAA rules for health care providers using telehealth during the current Coronavirus or COVID-19 health emergency.

Links to stories:

If you would like to view the slides while listening to this episode visit https://youtu.be/ngtN7NQoMX4.

Episode 1:

Lauren Frickle:

Welcome to CTEK Voices: The Risk Perspective. I’m your host, Lauren Frickle. Today, I’m joined by David Holtzman, Executive Advisor at CynergisTek. David is considered a subject matter expert in health information, privacy policy and compliance issues involving the HIPAA privacy, security and breach notification rules.

Hey, David, thanks for joining us today.

David Holtzman:

Thanks, Lauren. I’m happy to be here.

I’m really excited to talk about today’s topic, which is OCR’s recent announcement that it’s going to use its enforcement discretion to not apply HIPAA penalties against health care providers who use common texting and video apps for Telehealth services. But first, a word about CynergisTek. Health care leaders turn to CynergisTek for trustworthy and reliable support in cybersecurity, privacy compliance, and information management expertise.

Since 2004, CynergisTek has provided a holistic and pragmatic approach to help health care organizations meet their cybersecurity and information management goals. The company has been recognized in numerous third-party research reports as one of the top firms that provider organizations turn to for cybersecurity and privacy. And we have been recognized repeatedly by KLAS for our cybersecurity advisory services, and we hope that you’ll turn to us as your trusted advisor.

So, let’s talk in more detail about OCR and its recent notification regarding its enforcement discretion in applying penalties for violations of the HIPAA rules for health care providers using Telehealth during the current Coronavirus or COVID-19 health emergency.

So, to summarize, what OCR has done is it’s opened up the pathway for all health care providers to use commonly available text messaging and video conferencing applications like FaceTime, Google Hangouts and WhatsApp, and it applies to any treatment encounter; it is not limited to telehealth services for Coronavirus assessment or testing centers. The goal is to reduce the compliance burden on health care providers so that they can offer telehealth services to patients for any health care issue or any health care treatment service, to keep patients and health care providers from having to have face-to-face health care encounters, in order to reduce the transmission of the COVID-19 virus.

While the OCR enforcement discretion applies to many commonly available telehealth and text messaging services, there is a class of telehealth or video apps that are not appropriate and not permitted to be used. And these are the types of technologies that do not allow for private communications that would be only between the health care provider and the patient. These are the types of applications that broadcast in a public mode. We’re going to talk about that in more detail later in the program.

It’s also important to know that we should be providing patients information that they are using these commonly available technologies, and that they do carry some increased risk of interception and they have a lower level of privacy and security than other apps that previously had been allowed to be used for telehealth services. It’s always good to be transparent with your patients. Keep that trust that even during this health care emergency, their health information is being kept private and secure. So, who’s covered by OCR’s announcement of the enforcement discretion?

So, any health care provider who’s covered by HIPAA is allowed to use these commonly available telehealth text messaging and video apps. The definition of who is a health care provider for purposes of the HIPAA rule is very broad. It’s essentially any health care provider who furnishes or bills for a health care service that is paid for by a third party. This particular use of enforcement discretion also encompasses contractors and vendors who are providing health care services to a HIPAA covered entity.

So, the enforcement discretion also allows for the use of any audio or video communication technology for telehealth that is nonpublic facing, and we’re going to dive a little bit deeper into what is nonpublic facing later in this program. It’s important to note that health insurance companies that merely pay for telehealth services are not covered under this exclusion for the application of penalties for HIPAA violations. But this is a little bit confusing, because there are some health insurance companies that provide telehealth consultations as a member benefit. Many of them have a registered nurse line.

Lauren Frickle:

So, what’s the advice to a health insurance company that does provide telehealth services as a member benefit?

David Holtzman:

We would recommend that our health insurance companies continue to make sure that the services that they’re providing fully comply with the HIPAA privacy and security requirements unless and until OCR provides clarification as to how this would apply to a health insurance company or a group health plan. So, no HIPAA penalties will be applied for good faith telehealth encounters. Good faith is a very important term that is used to describe what is going to be permitted here in our following slides.

We’re going to dive a little bit deeper into what is good faith.

The scope of the discretion that OCR is applying applies to violations not just of the HIPAA privacy or security rules, but also to breaches that may arise from the use of telehealth technology. And OCR has been upfront and transparent by saying that if a health care provider follows the terms that are set out in its notification and the FAQs that accompany that notification about the exercise of its enforcement discretion, those health care providers and their organizations will not face HIPAA penalties if they experience a cybersecurity incident that exposes PHI from a telehealth session. So to put it another way, if an organization suffers a cybersecurity incident or a hack of a transmission of a telehealth session while it’s using a commonly available video technology or messaging technology that is a non-public facing application, the organization or the health care provider will not face the risk of penalties or a CMP levy as a result of the fact that the tool that they’re using doesn’t have the HIPAA security safeguards, or that there was no business associate agreement in place with the technology vendor or provider.

So, what is good faith use of telehealth? You know, the use of the term good faith is really a new application that we’re seeing in the HIPAA laws and it’s not really defined or it’s not at all defined in the HIPAA rules.

So, in the FAQs that accompanied the OCR notice, it provides a very good explanation of what good faith is: the provision of health care treatment using a non-public facing remote communication product. And the way that it explains what is good faith is by going through a detailed explanation of what is bad faith in the provision of telehealth services by health care providers. And we’re going to dig down a little bit deeper into what is bad faith in an accompanying slide. OCR is very transparent in saying that in making a determination of whether a health care provider’s use of telehealth services was in good faith, OCR would consider all facts and circumstances when it’s conducting a compliance review or complaint investigation before making a determination of whether to impose a penalty on the provider for violating the rules.

To put it another way, OCR will give the health care provider every opportunity to demonstrate how it had been providing the telehealth services in good faith by using the examples of what is bad faith to show that it had not been straying from the exercise of good faith in providing the services. So bad faith in the use of telehealth services is using the opportunity for providing the treatment for some other purpose. So, for example, by using the telehealth service in the provision of service and any information about the patient for things that would be a criminal violation of the HIPAA act.

In other words, by using PHI maliciously or for diverting it or disclosing it for malicious gain. Or, by using the patient data transmitted during the telehealth communication for purposes that are prohibited by the HIPAA privacy rule, and the examples that are provided by OCR are the sale of the data or use of the data for marketing purposes without authorization. Another purpose would be exposing the information about an individual who’s in fear of domestic violence and sharing that information with a third party to put that individual at risk of domestic violence or harm, or to allow another party to engage in snooping about the individual.

Another violation that would demonstrate bad faith would be if the health care provider was not licensed to provide the types of services that they’re providing through the telehealth service, or they were violating professional ethical standards through the advice that they were providing in the telehealth treatment. And then lastly and most importantly, is using a public facing remote communication product.

So, remember, the provision of good faith from a health care provider in telehealth services is using technologies that are non-public facing. So public-facing remote communication products are the type of products that broadcast the session to third parties who are the public. Examples that are provided are TikTok, Facebook Live, Twitch, or using a chat room service like Slack, and OCR has specifically called these out as unacceptable for telehealth because they’re designed to be open to the public. Examples of telehealth communications products that are covered under OCR’s FAQs and accepted per se as a demonstration of good faith are any non-public facing audio or video communication product that by default allows only the intended parties to participate in the communication.

In other words, health care providers need to use technologies that create a private session so that the communication is limited to the health care provider and the patient, or anybody who the patient wishes to attend and overhear the session.

So, OCR provides a pretty broad list of examples of non-public facing applications. And it’s important to note that this is not an exclusive list, but a list that OCR has provided of video apps like FaceTime, WhatsApp video, Facebook Messenger video, Google Hangouts video, and Skype, as well as texting applications like Signal, Jabber, and Google Hangouts.

So, these communication products can be used in providing telehealth services or messaging patients to provide communication with them without risk that OCR may impose a penalty for failing to comply with HIPAA rules.

So, we’ve explored how OCR is going to use its enforcement discretion to allow health care providers and health care organizations to provide access to patients remotely without having person-to-person communications, to avoid transmission of COVID-19, by doing so in a manner that respects privacy and provides a private session regardless of the brand name of the video technology or the messaging technology, and without having to check to learn if the technology vendor has done an assessment to determine the security of the technology, to learn if it meets the requirements of the HIPAA security rule, or having to have a business associate agreement in place between the health care provider and the technology vendor. But, outside of OCR’s grant of a near-limitless use of its enforcement discretion to not levy fines or penalties, there are other questions to consider.

So one of the issues that health care providers and organizations should be thinking about is the fact that state attorneys general have authority under the HITECH Act to enforce the HIPAA privacy, security and breach notification rules and have an independent authority to levy penalties for HIPAA violations, and their authority is not pre-empted or scaled back by OCR’s policy to use its enforcement discretion.

In addition, a number of states have strict data protection laws that may not permit using commonly available popular video and texting applications to transmit the personally identifiable information or HIPAA protected health information without having the appropriate safeguards in place.

So, it’s important to do an assessment of the state laws in the localities and states in which you’re doing business or providing treatment services to patients. Many states have enacted their own emergency declarations that are enforced during the COVID-19 health emergency.

It’s important to determine if state laws have been rolled back or whether states are using discretion in enforcing their state data protection or privacy requirements. In addition, many states have their own breach notification laws that are stronger than the HIPAA breach notification requirements, or they have a safe harbor that would ordinarily protect an organization that is complying with the HIPAA regulations. Because OCR has essentially rolled back the requirements for complying with the HIPAA requirements when providing telehealth services, there are concerns and there are some unknown factors as to whether or not these state requirements will still be layered on top of any HIPAA requirements that are no longer in place.

So, it’s important to consider, if there is a breach of security involving these telehealth services, whether or not the state breach notification requirements still need to be complied with. There are also important information security considerations. Organizations should assess what threats and vulnerabilities the commonly available video and texting applications that are now going to be brought into the healthcare infrastructure will introduce, and whether they could expose new opportunities for cybersecurity risk to the enterprise information system. In addition, internet-facing personal communications devices that are going to be employed by health care providers to provide telehealth services outside of the normal office environment can expose vulnerabilities in enterprise information systems, particularly by creating new cybersecurity threats when these consumer-level devices like smartphones and unsecured laptops use Wi-Fi connections that are not secure.

Also, it’s important to be proactive in working with your health care providers to identify the communication applications with the best safeguards and to also set Wi-Fi procedures that meet your organization’s security risk management standards, as health care providers are going to be eager to be providing services to their patients to assure that individuals’ health care needs are being met during this period of health care emergency caused by the COVID-19 virus.

It’s also important to make sure that health care providers and patients know that their information is being kept safe and secure, even though they’re no longer having face to face communications with their health care providers.

So, I want to thank you for your time and attention today during this presentation and please feel free to reach out to me or any of my colleagues at CynergisTek if we can provide you with more information about the health information, privacy, and security through this challenging time.

Lauren Frickle:

Awesome David, thanks. Lots of great information there. Quick question, how might our approach to privacy and data protection change as a result of our experience responding to this COVID-19 pandemic?

David Holtzman:

So, you know, that’s a really interesting question. Widespread proliferation of telehealth communication services has long been hoped to facilitate convenient health care provider-patient communications.

One of the challenges has been that HIPAA’s security rules were developed at a time prior to the development of many of the commonly available nonpublic facing text messaging and video conferencing applications that are used today. It will be interesting to see if the regulators and consumers feel comfortable with the security that’s provided by these commonly available services, and how the vendors respect the privacy and security of consumers while they’re using these services during the COVID-19 emergency period.

So, I think only time will tell how this will impact us going forward. But it does provide us a very interesting experiment into how all of us in the health care industry and the information technology provider space react and respond to protecting consumer privacy during this period.

Lauren Frickle:

Okay great, thank you David, for the information on navigating COVID-19 and HIPAA. This has been CTEK Voices: The Risk Perspective.


CTEK Voices: The Risk Perspective was awarded the Podbean Milestone Badge for reaching 1000 downloads on their platform.
