By Chloe Hillard
Use of telehealth has skyrocketed during the coronavirus pandemic. Telehealth claims for privately insured patients jumped 4,347% nationally from March 2019 to March 2020.[1] Telehealth utilization among Medicare patients also drastically increased during the pandemic.[2] The increase in telehealth utilization is facilitated by relaxed telehealth regulations. When the nation entered lockdown and access to care was restricted, the U.S. Department of Health and Human Services (HHS) and the Center for Medicare & Medicaid Services (CMS) took action.
In an effort to expand telehealth utilization, CMS used its waiver authority under section 1135 of the Social Security Act to waive certain restrictions on telehealth.[3] CMS removed restrictions around site of service, approved 135 additional services for telehealth, and increased the types of providers who could provide care via telehealth.[4] These changes paved the way for greater telehealth utilization, allowing more patients to receive care.
At the same time, the HHS Office for Civil Rights loosened patient privacy protections. The agency exercised its enforcement discretion and decided not to impose Health Insurance Portability and Accountability Act (HIPAA) penalties on covered health care providers for HIPAA violations in connection with the good faith delivery of telehealth during the pandemic.[5] Not only did the agency reduce the risk of penalty for a HIPAA violation, it also increased the number of video applications providers could use for telehealth visits.[6] The agency permitted use of video applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth.[7] However, the agency did prohibit use of public-facing video applications such as Facebook Live, Twitch, and TikTok.[8]
Relaxing telehealth regulations during the pandemic has served an important purpose. Telehealth provided access to care at a time when patients could not go see their doctor as they usually would. Relaxed regulations also provided protection to providers, who were doing their best to care for patients under stressful, unusual circumstances. There are certainly benefits of relaxed regulations, but it begs the question—at what cost?
HIPAA provides important protections of patient privacy, including restrictions around the use and disclosure of a patient’s protected health information (PHI).[9] PHI includes any information that could identify an individual, such as their name, Social Security Number, address, and a host of demographic data.[10] Although disclosure is allowed in some circumstances (e.g. to enable treatment, payment, and health care operations), HIPAA tries to limit disclosure of PHI to protect patient privacy.[11]
There are a number of concerns about patient privacy when conducting telehealth from home, including home network security and software-associated risks.[12] However, patients and health care entities should also be concerned about another patient privacy risk: a fly on the wall.
Patient appointments are typically conducted in the privacy of an exam room, where a passerby cannot overhear the conversation. The privacy of an exam rooms helps prevent impermissible disclosures of PHI. During quarantine, the typical exam room changed. Many care providers worked from home and saw patients virtually.[13] Not only were providers working from home, but so were their significant others, children, and roommates. With everyone working from home, finding a quiet spot to work is more difficult than ever. We’ve all been in Zoom calls where someone’s significant other or child inadvertently walks in on the call. Who’s to say the same isn’t happening during an appointment with your doctor? Suddenly it’s not just your doctor who knows that your overindulgence in dessert is a problem, but her husband too.
Telehealth use has drastically increased and HIPAA regulations have been relaxed, resulting in an unprecedented risk that someone will overhear your doctor’s appointment and your PHI will be disclosed. Health care entities should be mindful of this risk and institute policies to mitigate it. Providers should be given clear instructions on what constitutes a HIPAA breach, HIPAA-related concerns and suggestions while working from home, and how to report a suspected breach while working from home. There may be a fly on the wall, but health care entities can swat it.
[1] Telehealth Claim Lines Increase 4,347 Percent Nationally from March 2019 to March 2020, FAIR Health (June 2, 2020), https://www.fairhealth.org/press-release/telehealth-claim-lines-increase-4-347-percent-nationally-from-march-2019-to-march-2020
[2] HHS Issues New Report Highlighting Dramatic Trends in Medicare Beneficiary Telehealth Utilization amid COVID-19, U.S. Dep’t. Health & Human Serv. (Jul. 28, 2020), https://www.hhs.gov/about/news/2020/07/28/hhs-issues-new-report-highlighting-dramatic-trends-in-medicare-beneficiary-telehealth-utilization-amid-covid-19.html
[3] Id.
[4] Id.
[5] Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, U.S. Dep’t. Health & Human Serv., https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
[6] See id.
[7] Id.
[8] Id.
[9] See 45 C.F.R. § 160.103
[10] See id.
[11] See 45 C.F.R. § 164.506(c).
[12] Andrew Steger, How to Stay HIPAA Compliant from Home, HealthTech (May 22, 2020), https://healthtechmagazine.net/article/2020/05/how-stay-hipaa-compliant-home-perfcon
[13] Working from Home During COVID-19 Pandemic, Am. Med. Ass’n, https://www.ama-assn.org/system/files/2020-04/cybersecurity-work-from-home-covid-19.pdf
Image Source: https://search.creativecommons.org/photos/3a003cea-8953-423f-9169-6b3b39ae4969