Most providers are now delivering telehealth services more often. Because of its many advantages, a large population of patients has also adopted the telehealth environment. While delivering telehealth services, the provider needs to take some precautions to avoid HIPAA violations. Recently the Office of Civil Rights (OCR) published FAQs on telehealth and HIPAA during the COVID-19 nationwide public health emergency.
Below we share some useful content that will help you avoid HIPAA violations while delivering telehealth services in your practice. We discuss some basic topics: defining telehealth, healthcare providers, good faith, place of service for telehealth, communication channels, and Protected Health Information (PHI).
Defining Telehealth Services
Defining Healthcare Provider
Under the Health Insurance Portability and Accountability Act (HIPAA), a ‘health care provider’ is a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.
Health care providers include, for example, physicians, nurses, clinics, hospitals, home health aides, therapists, other mental health professionals, dentists, pharmacists, laboratories, and any other person or entity that provides health care.
A ‘health care provider’ is a covered entity under HIPAA if it transmits any health information in electronic form in connection with a transaction for which the Secretary has adopted a standard.
Place of Telehealth Service
Health care providers need to conduct telehealth in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent patient consent or under exigent circumstances.
If telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI).
Defining ‘Bad Faith’
OCR (Office of Civil Rights) considers all facts and circumstances when determining whether a health care provider’s use of telehealth services is provided in good faith. Some examples of what OCR may consider a bad faith provision of telehealth services that are not covered by this Notice include:
Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
Further uses or disclosures of patient data transmitted during a telehealth communication that is prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board); or
Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a public chat room, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
Communication Channels
A ‘non-public facing’ remote communication product is one that, as a default, allows only the intended parties to participate in the communication.
Non-public facing remote communication products would include, for example, platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Zoom, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, or iMessage.
Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted.
In contrast, public-facing products such as TikTok, Facebook Live, Twitch, or a public chat room are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
For example, a provider that uses Facebook Live to stream a presentation made available to all its patients about the risks of COVID-19 would not be considered a reasonably private provision of telehealth services. A provider that chooses to host such a public-facing presentation would not be covered by the Notification and should not identify patients or offer individualized patient advice in such a live stream.
Protected Health Information
OCR will not pursue applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services.
For example, if a provider follows the terms of the Notification and any applicable OCR guidance, it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.
Medical Billers and Coders (MBC) is a leading medical billing company providing complete revenue cycle services. We can assist you in Telehealth billing for receiving accurate reimbursements from private and government payers.
To learn more about our Telehealth billing services, contact us at info@medicalbillersandcoders.com or 888-357-3226.
Reference: FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency
FAQs
1. What is telehealth?
Telehealth uses electronic technologies like video conferencing and messaging to provide healthcare services remotely, ensuring long-distance care and education.
2. Who qualifies as a healthcare provider under HIPAA?
A healthcare provider is anyone who furnishes, bills, or is paid for healthcare services, such as physicians, clinics, nurses, and other medical professionals.
3. Where should telehealth services be provided?
Telehealth services should be conducted in private settings, such as clinics or at home, to protect patient privacy and comply with HIPAA guidelines.
4. What is considered ‘bad faith’ in telehealth?
‘Bad faith’ refers to activities like committing fraud, violating HIPAA privacy rules, using public-facing communication tools, or engaging in unethical conduct during telehealth services.
5. What is Protected Health Information (PHI) in telehealth?
PHI includes any personal health information shared during a telehealth session, and providers must protect it by following HIPAA regulations to avoid breaches.