The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has announced the expiration of the COVID-19 related HIPAA Enforcement Discretion measures on May 11, 2023.
The Telehealth HIPAA Enforcement Discretion, implemented during the COVID-19 pandemic, allowed healthcare providers to use non-public-facing remote communication products for telehealth purposes, even if they didn't fully comply with HIPAA regulations.
The OCR has provided a 90-day transition period for healthcare providers to make necessary changes to their operations to ensure privacy and security compliance with HIPAA Rules. During this time, OCR will not impose penalties on covered healthcare providers for noncompliance with the HIPAA Rules, as long as the noncompliance is in connection with the good faith provision of telehealth.
The transition period will begin on May 12, 2023, and end at 11:59 pm on August 9, 2023.
Here are some implications for telehealth services and suggestions for transitioning to HIPAA compliant solutions.
Impact: Healthcare providers may no longer use non-HIPAA compliant video chat platforms for telehealth consultations, mental health counseling, or virtual physical therapy sessions. Video and audio data transmitted or stored using these platforms could be at risk of unauthorized access or breaches.
Solution: Transition to HIPAA compliant video conferencing tools that encrypt sessions in transit (and any recordings at rest), enforce access controls, are covered by a Business Associate Agreement (BAA) with the vendor, and meet the other administrative, physical, and technical safeguards outlined in the HIPAA Security Rule. "End-to-end encryption" as a marketing term is not itself a HIPAA requirement; what matters is that the vendor's documented controls and the BAA cover how session data is protected.
HIPAA compliant options:
Impact: Unencrypted consumer messaging services used for medical advice or prescription information will no longer be covered by the good-faith exception. Unsecured platforms could expose protected health information (PHI) to unauthorized access and lead to reportable breaches.
Solution: Implement secure, encrypted HIPAA compliant email and text solutions that comply with HIPAA's privacy and security standards. Ensure that BAAs are in place with service providers and that patient consent is obtained when necessary.
HIPAA compliant options:
Impact: Storing telehealth session recordings on non-compliant cloud storage services or transmitting patient data without proper encryption will no longer be allowed. This increases the risk of breaches and unauthorized access to sensitive information.
Solution: Utilize HIPAA compliant cloud storage services with proper encryption, access controls, and BAAs. Ensure that patient data is encrypted in transit using current TLS (not deprecated SSL versions) or a VPN, and that encryption at rest and access logging cover stored recordings and transcripts.
HIPAA compliant options:
Impact: Lax access controls and authentication measures for telehealth platforms will no longer be acceptable. Inadequate security measures could lead to unauthorized access or misuse of patient data.
Solution: Implement robust access controls, such as role-based access, unique user identification, and secure authentication procedures for both healthcare providers and patients during telehealth sessions (these map to the Security Rule's access control, person or entity authentication, and audit control standards at 45 CFR 164.312). Employ multi-factor authentication (MFA) for added security, and review system access logs regularly to identify and address unauthorized access attempts, such as repeated failed logins, logins without a second factor, or users reading records outside their role.
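As an added example, not code from the original article or from any particular telehealth vendor, the script below shows what "monitor system access logs" can look like in practice: it reads a small constructed audit log and flags the three conditions the solution above calls for, reads of a resource type the user's role is not permitted to see, successful logins that skipped MFA, and bursts of failed logins followed by a success from the same source. The JSON-lines format, field names, users, addresses, and the role-to-resource map are assumptions for illustration.

```python
"""Added example audit-log review for a telehealth platform. Log format, field
names, sample users/addresses and the role policy are all assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form (not from a real platform).
SAMPLE_LOG = """\
{"ts":"2023-08-01T08:59:30","user":"dr.lee","role":"clinician","event":"login","result":"failure","mfa":false,"src":"10.0.1.5"}
{"ts":"2023-08-01T09:00:00","user":"dr.lee","role":"clinician","event":"login","result":"success","mfa":true,"src":"10.0.1.5"}
{"ts":"2023-08-01T09:02:10","user":"dr.lee","role":"clinician","event":"access","result":"success","resource":"session_recording","patient":"P-1001","src":"10.0.1.5"}
{"ts":"2023-08-01T09:05:00","user":"billing.kim","role":"billing","event":"login","result":"success","mfa":false,"src":"10.0.2.7"}
{"ts":"2023-08-01T09:05:30","user":"billing.kim","role":"billing","event":"access","result":"success","resource":"invoice","patient":"P-1001","src":"10.0.2.7"}
{"ts":"2023-08-01T09:06:00","user":"billing.kim","role":"billing","event":"access","result":"success","resource":"session_recording","patient":"P-1001","src":"10.0.2.7"}
{"ts":"2023-08-01T11:00:00","user":"admin","role":"admin","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2023-08-01T11:00:20","user":"admin","role":"admin","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2023-08-01T11:00:45","user":"admin","role":"admin","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2023-08-01T11:01:10","user":"admin","role":"admin","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2023-08-01T11:01:40","user":"admin","role":"admin","event":"login","result":"failure","mfa":false,"src":"203.0.113.9"}
{"ts":"2023-08-01T11:03:00","user":"admin","role":"admin","event":"login","result":"success","mfa":true,"src":"203.0.113.9"}
"""

# Assumed role-based access policy: the resource types each role may read.
ROLE_PERMISSIONS = {
    "clinician": {"session_recording", "clinical_note", "message"},
    "billing": {"invoice", "appointment"},
    "admin": {"user_account", "audit_log"},
}

FAILED_LOGIN_THRESHOLD = 5          # failures within the window that count as a burst
FAILED_LOGIN_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_role_violations(events):
    """Successful reads of a resource type the user's role is not permitted to see."""
    hits = []
    for ev in events:
        if ev["event"] != "access" or ev["result"] != "success":
            continue
        if ev["resource"] not in ROLE_PERMISSIONS.get(ev["role"], set()):
            hits.append((ev["user"], ev["role"], ev["resource"], ev.get("patient")))
    return hits


def find_logins_without_mfa(events):
    """Users with at least one successful login that did not complete a second factor."""
    return sorted({ev["user"] for ev in events
                   if ev["event"] == "login" and ev["result"] == "success" and not ev.get("mfa")})


def find_failed_login_bursts(events, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Per (user, source IP), find a sliding window holding >= threshold failures and
    note whether a successful login from the same source followed it."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["event"] != "login":
            continue
        key = (ev["user"], ev["src"])
        (failures if ev["result"] == "failure" else successes)[key].append(ev["ts"])
    bursts = []
    for key, times in failures.items():           # times are already in order
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1                        # slide the window forward
            if end - start + 1 >= threshold:
                bursts.append({"user": key[0], "src": key[1], "count": end - start + 1,
                               "first": times[start], "last": times[end],
                               "followed_by_success": any(t > times[end] for t in successes.get(key, []))})
                break                             # one finding per user/source is enough for review
    return bursts


def review(text):
    """Run all three checks over a log and return the findings by category."""
    events = parse_log(text)
    return {"role_violations": find_role_violations(events),
            "logins_without_mfa": find_logins_without_mfa(events),
            "failed_login_bursts": find_failed_login_bursts(events)}


if __name__ == "__main__":
    for category, findings in review(SAMPLE_LOG).items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

On the constructed log this reports billing.kim reading a session recording outside the billing role, billing.kim logging in without MFA, and five failed admin logins from 203.0.113.9 followed by a success from the same address, which is the pattern that warrants an immediate credential reset and review. Thresholds and the role map are the parts a real deployment would tune to its own platform.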
As the Telehealth HIPAA Enforcement Discretion expires, healthcare professionals must transition their telehealth services to fully compliant solutions. This involves evaluating current technologies, implementing necessary changes, and ensuring that patient privacy and data security are maintained according to federal regulations.
By making these adjustments, healthcare providers can continue offering valuable telehealth services while safeguarding sensitive patient information.