HIPAA Survival Guide Newsletter, March 2021

COVID, Telemedicine, and HIPAA

I can personally attest that in 2020 health care shifted to virtual telemedicine visits in the early stages of the COVID-19 pandemic to meet the needs of patients without compromising safety. I found a general physician and a therapist who treated me with quality care for general medicine and physical therapy via telemedicine. Yet telemedicine is not new; it has been around since the late 1950s and early 1960s, when it was first used for psychiatric consultations with patients at the Nebraska Psychiatric Institute and Norfolk State Hospital.[1]

We now have healthcare devices on laptops, watches, and tablets that can be used in the home, and other devices that can be used for physiological monitoring. For example, wearable wireless devices can combine a stethoscope, an electrocardiogram, and other functions to collect data and continuously monitor patient vitals. But what is the adoption rate for these newer technologies? Even though studies have shown that they can improve access and provide a high quality of care, they also raise the bar for Covered Entities and Business Associates alike. A consumer wearable on its own is outside HIPAA, but once a Covered Entity or Business Associate uses such a device to create, store, or transmit electronic protected health information (ePHI), that data falls under HIPAA and specifically the Security Rule, which governs the administrative, physical, and technical safeguards for ePHI. HIPAA was enacted on August 21, 1996, but its rules phased in over years: the Privacy Rule compliance date for most covered entities was April 2003 and the Security Rule compliance date was April 2005. Sections 261 through 264 of HIPAA require the Secretary of HHS to publish standards for the electronic exchange, privacy, and security of health information, and compliance efforts have had to keep pace with each new health technology that handles that information.

To keep patient information exchanged over telemedicine HIPAA-compliant, it must be treated the same way as the patient information contained in an EHR: it should be accessible only to authorized users. Because telemedicine is virtual and travels "over the wires", communication security is essential to the confidentiality and integrity of physician-patient communications and data, and to preventing breaches. In Security Rule terms, the technical safeguards that already apply to an EHR (access control, audit controls, integrity, person or entity authentication, and transmission security, including encryption of ePHI in transit where reasonable and appropriate) apply equally to the video platform, the messaging channel, and any remote-monitoring device feeding data back to the provider.

When COVID arrived, the Office for Civil Rights (OCR) issued several bulletins. One provided guidance to covered entities and their business associates on the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency, and served as a reminder that the protections of the Privacy Rule are not set aside during an emergency. Another, the March 2020 notification of enforcement discretion for telehealth, announced that OCR would not impose penalties on covered providers using non-public-facing remote communication products in good faith to deliver telehealth during the public health emergency; note that this was a suspension of enforcement, not of the underlying Privacy and Security Rule obligations.

OCR's position is that protecting the privacy of patients' health information must be balanced against the appropriate uses and disclosures that may be necessary to treat a patient, to protect the nation's public health, and for other critical purposes.

Records management evokes an image of "dusty cellars" occupied by lonely people who never get visited by anyone unless there is an emergency in progress. Information governance and compliance, by contrast, grows more important by the day because it touches so much of what we do: (1) legal; (2) regulatory compliance; (3) contractual compliance; (4) data retention; (5) information technology; (6) privacy; (7) security; (8) big data; and on and on. As discussed above, we are far beyond a simple description of protected patient information.

CEs and BAs still question the longevity of these "new" extensions of HIPAA, yet much of what the COVID bulletins restated is not new at all. For example, the Privacy Rule has always recognized the legitimate need of public health authorities and others responsible for public health to have access to the protected health information necessary to carry out their mission, and therefore permits covered entities to disclose that information without individual authorization. This permission has been in place since the Privacy Rule's inception.

However, information governance and compliance must continue to evolve as a discipline alongside the technologies supporting healthcare. We are drowning in our inability to manage information, and the signs are everywhere we look, especially in the daily breaches to which we all seem to have become jaded. The regulatory authorities in the U.S. have the resources for enforcement, at least with respect to HIPAA, in the form of Civil Monetary Penalties (CMPs), but appear to lack the will to dramatically improve the compliance chaos that remains more than a decade after the HITECH Act.

We hope that those of us who have to deal with this madness can begin to develop a set of first principles that will ground us.

  1. Compliance always exists along a continuum where full compliance is often nothing more than an aspiration.
  2. Compliance is a journey and not a destination, which implies the creation of a culture wherein compliance is something you do as part of your organization's mission and not as some necessary evil.
  3. Compliance is not an abstraction, but rather is always manifested at the granularity level of a requirement.
  4. For each requirement, you need three things to produce visible, demonstrable evidence: (1) policies; (2) processes that underpin your policies; and (3) the ability to track process results.
  5. Agile is the only compliance methodology that matters; all others are anachronisms that belong in the dustbin of history because they are woefully inadequate for a rapidly changing complex world.
  6. Every compliance regime is a wicked problem that contains an order of magnitude more organizational complexity than technical complexity; however, the latter is ever present and almost always non-trivial.
  7. The only way to improve an organization's compliance narrative is to improve its ability to produce visible, demonstrable evidence of compliance over time, at the granularity level of a requirement.
  8. Checklists that provide suggested policies, processes, and tracking mechanisms at the granularity level of a requirement prove invaluable, because compliance regimes are (almost always) descriptive rather than prescriptive (i.e., requirements tell you what should be done, not how to do it).
  9. Analytical frameworks and modeling (often one and the same thing) are proven educational transfer vehicles when deciphering the meaning and/or intent of a requirement.
  10. Scorecards based on specific requirements are the only way to measure progress of your compliance initiative (i.e., by definition, if you are in compliance with all the requirements of a regulatory regime then you are in compliance).

To whom does Information Governance and Compliance apply? Everything and everyone. For knowledge workers, those of us who sit in front of these wonderful (and at times infernal) machines every day, it is something we interact with constantly, yet it remains amorphous and ill-defined. We create documents; search for documents; modify documents; store documents; search within documents; and curse MS Word daily (while loving it at the same time). Something this global and far-reaching feels like much more than a discipline; perhaps it is a meta-discipline, something that drives all other disciplines.

[1] Zulman DM, Verghese A. Virtual Care, Telemedicine Visits, and Real Connection in the Era of COVID-19: Unforeseen Opportunity in the Face of Adversity. JAMA. 2021;325(5):437-438. doi:10.1001/jama.2020.27304