That you are a responsible covered entity under HIPAA and a fiduciary for the privacy of your patients’ PHI do not decrease with telemedicine. In fact, it is a setting in which you want to be very careful, particularly if working from home, where family will be present and habits may become lax. Your primary obligation is to make sure no unauthorized individual encounters PHI in any form.
However, the Office of Civil Rights (OCR) will waive penalties for HIPAA violations that would otherwise accrue due to this issue during the COVID-19 crisis. The intention is to open a telehealth option to practitioners who were not set up for such but who find themselves with patients in need of any telehealth diagnostic or treatment, even if not directly related to coronavirus.
The OCR extended permissible use to nonpublic- facing apps such as Skype, Google Hangouts video, and Zoom, that only allow intended parties to participate. A Business Associates Agreement is not required.
The standard during this waiver is one of good faith. If PHI is intercepted during transmission but the practitioner followed the OCR’s guidance, there will be no penalty. Note, however, that states often have stricter regulations, and the federal waiver does not affect these.
Increased access also carries the important responsibility of informed consent. Many states specifically require that it be done and documented before engaging in a telehealth visit. In most such states, verbal consent is allowed, but consent must be obtained in writing in some. Regardless, the more certain the proof of consent, the better.
You should first inform the patient that this method is limited as compared with an in-person evaluation and is also potentially not secure. You should then get an affirmative consent to continue. If possible, build the consent form into the software so that the patient is required to assent before the virtual visit. If that is not possible, create a standardized e-mail with the consent and have the patient return it before you start. A verbal consent, if permissible, should be carefully documented.
You must apply all encryption and privacy modes available from your end. Increasing usable systems to ones that are inherently less secure is predicated on you doing what you can to minimize the risk of a breach, and it is this that the OCR will look to in determining a “good faith” use of the waiver. If a relative or friend or caregiver will be involved to help the patient with the televisit, make certain that you have a release that allows them access to PHI. Remember that the waiver on non-HIPAA compliant systems will only last during the emergency. This article was written by Dr. Medlaw, a physician and medical malpractice attorney.