What You Need to Know:
– HHS issued some very limited HIPAA waivers to combat COVID-19999, but experts say it leaves out some very key guidance when it comes to telehealth.
– Alissa Smith, Partner at Dorsey & Whitney says the HHS is likely going to have to revisit this issue given the limited waivers issued this week.
The main thing I am hearing from my health care provider clients is that they are seeking HIPAA-related guidance and waivers on how to provide telehealth services to patients using personal devices or other unsecured devices (e.g., iPad) or for the use of personal devices for provider to provider communications for rapid differential diagnosis communication with colleagues outside a particular system.
The HIPAA-compliant approach requires secure devices which not everyone has access to. Many providers are asking to use personal computers/devices (not employer-issued) to access patient information from the electronic health record. This is typically not allowed due to security concerns.
The HIPAA waivers issued this week are extremely narrow, and not likely to be of much help to the main issue I am hearing about now, which is how to reach patients and colleagues remotely using unsecured personal devices/computers. For now, the answer is that this is not permitted under HIPAA, which means that providers will continue to be restricted to the use of company-issued and secured devices and communication channels.
These HIPAA waivers only apply to hospitals that have implemented a disaster recovery plan, and only for 72 hours after implementing the plan. The waivers do not address the primary concerns I am hearing about regarding the desire to more freely conduct telehealth patient visits and provider-to-provider consultations using personal devices. Instead, the waivers are geared only to hospitals and only to relieve some of the paperwork burden and typical confidentiality options in place for patients getting care in a hospital. Specifically, the waivers will allow hospitals, for 72 hours in a disaster,
– to not hand out the Notice of Privacy Practices to patients (those are the HIPAA documents patients always have to sign or refuse when they go to the doctor/hospital);
– to not have to get patient authorization to speak with family and friends involved in the patient’s care (this standard is already fairly relaxed under HIPAA, so I don’t think this “waiver” will be as significant).
– to not have to give patients an opportunity to opt-out of the hospital directory (this is the directory at each hospital with lists a patient’s name, location in the facility, general condition, and religious affiliation, and is available to people who ask for a patient by name).
– to not have to offer a patient the right to request privacy restrictions, or presumably, to honor a requested restriction (normally, patients can request privacy restrictions on the use or disclosure of their health information, but hospital’s do not have to honor the request- EXCEPT, if a patient pays in full for a service/item and requests that the information about the service/item not be submitted to a health plan, the hospital is not allowed to send it to the health plan).
– to not have to offer a patient to request confidential communications from the hospital (i.e., requests by the patient to receive information by alternative means or at alternative locations).
About Alissa Smith
Alissa Smith is a Partner at law firm Dorsey & Whitney and the co-chair of its Health Transactions and Regulations Practice Group. Alissa represents health systems, hospitals, pharmacies, specialty pharmacies, wholesale distributors, pharmacy benefit managers, long-term care providers, vendors in the healthcare industry, medical practices, individual providers, and other organizations in the healthcare industry.
Alissa’s practice involves health law transactional work, federal and state health law regulatory compliance advice, and administrative advocacy before state and federal agencies.