Telehealth Providers Brace for End of HIPAA Waivers
Published: August 19, 2022
AUSTIN, Texas — Guidelines and restrictions related to the COVID-19 Pandemic, such as wearing masks and traveling, are slowly beginning to fade—which means some healthcare policies related to the Public Health Emergency (PHE) Declaration may soon disappear as well.
Last month, the Department of Health and Human Services (HHS) passed a 60-day deadline to notify states in the event that the department does not plan to extend the declaration.
The HHS put the declaration in place on January 31, 2020.
The Department recently extended the PHE Declaration for 90 days through July 15, 2022. It is now assumed that the PHE Declaration will extend through at least mid-October.
Thanks to the PHE Declaration, patients, providers and payers are enjoying several regulatory flexibilities—including waivers on HIPAA compliant telehealth services. The HIPAA Enforcement Discretion allowed for healthcare providers to use communication tools such as Zoom, FaceTime, and other video conferencing services which are not compliant with the HIPAA Privacy Rule while still receiving reimbursements from health insurance networks.
Telehealth undoubtedly proved to be extremely useful throughout the course of the pandemic and continues to open new doors in expanding patient care, especially for rural areas. At the same time, telehealth creates a unique challenge for HIPAA since the healthcare provider is no longer interacting with their patient behind closed doors.
Since information is transferred digitally during a telehealth appointment, there are different requirements for security precautions, especially when Protected Health Information (PHI) is involved. Due to the gravity of the COVID-19 Pandemic, security requirements were reduced with the Public Health Emergency Declaration and the HHS Office for Civil Rights placed a loose definition on which communication technologies could be used for telehealth.
If the PHE Declaration is lifted in mid-October as expected, it is likely that stricter PHI security requirements outlined under HIPAA will be reinstated. Healthcare facilities and providers need to begin preparing now for what will be a drastic shift in compliance standards from what the industry became accustomed to.
Many healthcare providers began using telehealth for the first time in their careers during the pandemic and may not be familiar with what requirements exist—which makes preparing now even more critical.
In addition to choosing the correct telehealth platform to communicate with patients, healthcare organizations need to ensure communication between their providers inside facility walls is HIPAA compliant.
Any violations could lead to a costly fine and OIG Exclusion from participating in federal reimbursement programs.