Updated: Apr 4, 2020
The Health Resources and Services Administration (HRSA), as part of HHS' COVID-19 response, gave the green light to medical providers to see patients remotely.
This directive served three main purposes:
Provide medical providers greater flexibility on how they see and care for patients
Maintain critical lines of communication between patient and provider
Protect medical providers and other patients from inadvertent infection
Since then, other guidance has followed, particularly around relaxing HIPAA's Security Rule, which requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
So, in that vein, here are a few things we think you need to know.
WHAT IS TELEHEALTH?
Telehealth, as defined by HRSA, is “the use of electronic information and telecommunications technologies to support and promote”:
long-distance clinical health care
patient and professional health-related education
public health and health administration
In today's environment, these will necessarily include videoconferencing via the internet, image forwarding, streaming media, and other forms of wireless-related communications.
HERE IS HOW IT WORKS
Below are HRSA’s main use cases in which you, the patient, participate in the telehealth process with your medical provider:
Live (synchronous) videoconferencing: a two-way audiovisual link between a patient and a care provider.
Store-and-forward (asynchronous) videoconferencing: transmission of a recorded health history to a health practitioner, usually a specialist.
Remote patient monitoring (RPM): the use of connected electronic tools to record personal health and medical data in one location for review by a provider in another location, usually at a different time.
Mobile health (mHealth): health care and public health information provided through mobile devices. The information may include general educational information, targeted texts, and notifications about disease outbreaks.
MEDICAL PROVIDER GUIDANCE
During this nationwide public health emergency brought on by COVID-19, below is up-to-date guidance on how covered health care providers who normally are subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communication technology.
The OCR (Office of Civil Rights) has said that it will exercise “enforcement discretion” and not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules. Health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the "good faith" provision of telehealth during the COVID-19 nationwide public health emergency. The notification, however, does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
Here is what that looks like:
A covered health care provider, according to HRSA, may exercise “professional judgement” to:
Examine a patient who exhibits COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer.
Assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation, psychological evaluation, or other conditions. Both patients and providers may use telehealth services.
WHAT YOU AND YOUR MEDICAL PROVIDER SHOULD KNOW
Medical providers should notify their patients that these third-party applications may potentially introduce privacy risks, and that they (the patient) should enable all available encryption and privacy protections while using third-party applications.
The applications listed below usually employ end-to-end encryption, allow individual user accounts, logins, and passcodes, limit access, and verify participants. Additionally, participants (providers and patients) may assert some control over particular capabilities, i.e. opting to record or not record a communication, or to mute or turn off the video or audio signal at any point in time.
Here is an HRSA-approved short list of (non-public-facing) platforms both patients and providers may use for telehealth services:
Apple - FaceTime
Facebook Messenger - video chat
Google Hangouts - video
WhatsApp - video chat
Commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, or iMessage are also acceptable.
WHAT NOT TO USE
These (public-facing) remote communication products should not be used.
If you are a medical provider of any kind who would like more telehealth-related guidance, or who needs to have a vulnerability assessment done in order to be sure that you're capable of providing secure telehealth services, send us an email at firstname.lastname@example.org for a free security consultation.
We're ALL in this together.