COVID, Telemedicine, and HIPAA
I can personally attest that in 2020 health care shifted to virtual telemedicine visits in the early stages of the COVID-19 pandemic to meet the needs of patients without compromising safety. I found a General Physician and Therapist who treated me with quality care for general medicine and physical therapy via telemedicine. Yet telemedicine is not new; it has been around since the late 1950s and early 1960s, first used during psychiatric consultations with patients at the Nebraska Psychiatric Institute and Norfolk State Hospital.[1]
We now experience healthcare devices on laptops, watches, and tablets that can be used in the home. Other devices can also be used for physiological monitoring. For example, wearable wireless devices can combine a stethoscope, electrocardiogram, and other functions to collect data and continuously monitor patient vitals. But what is the adoption rate for these newer technologies? Even though studies have shown that these technologies can improve access and provide a high quality of care, Covered Entities and Business Associates alike have a higher standard to reach for compliance with HIPAA, and specifically the Security Rule (i.e., cybersecurity). HIPAA was enacted on August 21, 1996, but did not come into full effect until 2005. Sections 261 through 264 of HIPAA require the Secretary of HHS to publicize standards for the electronic exchange, privacy, and security of health information, but compliance efforts have increased with the introduction of new health technologies.
To ensure HIPAA compliance for patient information carried over telemedicine communications, that data, just like the patient information contained in an EHR, should only be accessed by authorized users. Since telemedicine is virtual and “over the wires,” communication security is essential for maintaining the integrity (and privacy) of physician-patient communications and data, and for preventing breaches.
When COVID arrived, the Office for Civil Rights (OCR) issued several bulletins, one of which provided guidance to covered entities and their business associates to ensure they were aware of the ways that patient information may be shared under the HIPAA Privacy Rule in an outbreak of infectious disease or other emergency, and to serve as a reminder that the protections of the Privacy Rule are not set aside during an emergency.
OCR reported that protecting the privacy of patients’ health information must be balanced with ensuring the appropriate uses and disclosures of the information that may be necessary to treat a patient, to protect the nation’s public health, and for other critical purposes. Records management invokes an image of "dusty cellars" occupied by lonely people who never get visited by anyone unless there is an emergency in progress. Information governance and compliance is growing more important by the day because it touches on so much of what we do: (1) legal; (2) regulatory compliance; (3) contractual compliance; (4) data retention; (5) information technology; (6) privacy; (7) security; (8) big data; and on and on. As discussed, we are far beyond this simple description of protected patient information.
CEs and BAs still question the longevity of these “new” extensions of HIPAA. For example, the Privacy Rule recognized the legitimate need for public health authorities and others responsible for ensuring public health to have access to protected health information that is necessary to carry out their public health mission. Therefore, the Privacy Rule permits covered entities to disclose needed protected health information without individual authorization. Interestingly, this has been in place since the Privacy Rule’s inception.
However, information governance and compliance must continue to evolve as a discipline in conjunction with technologies supporting healthcare. We are drowning in our inability to manage information, and the signs are everywhere we look, especially in the daily breaches that we all seem to have become jaded to. The regulatory authorities in the U.S. have the resources, at least with respect to HIPAA, using Civil Monetary Penalties (CMP) for enforcement, but appear to lack the will to dramatically improve the compliance chaos that remains a decade after the HITECH Act.
We hope that those of us who have to deal with this madness can begin to develop a set of first principles that will ground us.
To whom does Information Governance and Compliance apply? To everything and everyone. For knowledge workers, those of us who sit in front of these wonderful (and at times infernal) machines every day, it is something we interact with each day, yet it still remains amorphous and ill-defined. We create documents; search for documents; modify documents; store documents; search within documents; and curse MS Word daily (while loving it at the same time). Something this global and far-reaching feels like much more than a discipline; perhaps it is a meta-discipline, something that drives all other disciplines.
[1] Donna M. Zulman, MD, MS; Abraham Verghese, MD. Virtual Care, Telemedicine Visits, and Real Connection in the Era of COVID-19: Unforeseen Opportunity in the Face of Adversity. JAMA. 2021;325(5):437-438. doi:10.1001/jama.2020.27304