How did the Public Health Emergency impact HIPAA?  At the start of the PHE, the HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to all health care providers that are covered by HIPAA and provide telehealth services during an emergency.  What it has meant is that covered health care providers would not be subject to penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in the good faith provision of telehealth during the PHE.  But the PHE will be coming to an end on May 11, 2023. OCR provided a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. This transition period ended on August 9, 2023

How did things change after August 9, 2023?  It is of utmost importance for all providers to understand the intersection between Telehealth and HIPAA!  To start with, check out this article we wrote on "Preparing for the End of the PHE and the End of HIPAA Enforcement Discretion".

The Center for Connected Health Policy (CCHP) has created this video on how telehealth works with HIPAA and health privacy laws.

 

What Do I Need to Do to Make Sure I am in Compliance?  HIPAA compliance is a combination of physical, administrative and technical safeguards. Technology alone does not ensure HIPAA compliance!

Understanding how telehealth intersects with HIPAA is crucial. Any information that can identify an individual is potentially Protected Health Information (PHI). HIPAA defines 18 types of PHI identifiers, including names, phone numbers, birthdates, IP addresses, email addresses, device identifiers, and photos/images.

If your organization has a dedicated risk and compliance team, leverage their expertise. Always use approved organizational resources when handling PHI with patients, caregivers, or other providers. Using personal accounts on non-approved platforms may expose you to personal liability.

If you are not part of an organization, you must conduct a risk assessment of your telehealth setup. Consider hiring a consultant to perform a HIPAA compliance review for your practice. Assess all telehealth use cases—a telehealth visit from your office may pose different risks than one from your home. If you provide services from multiple locations, conduct separate risk assessments for each setting.  Below are a number of resources to assist you:

What Do I Need to Know About VOIP and Audio-Only Telehealth and HIPAA?

What Do I Need to Tell My Telehealth Patients?

What Do I Need to Know About Business Associates and BAAs?

What Do I Need to Know About Risks Related to Online Tracking Technologies Found on Websites and Mobile Applications?

What Do I Need to Know About Texting and HIPAA?

What Do I Need to Know About the HIPAA Security Proposed Rule?  For the first time in two decades, the Department of Health and Human Services (HHS) has proposed significant updates to the HIPAA Security Rule to better protect electronic protected health information (ePHI) from increasing cyber threats. The Notice of Proposed Rulemaking (Proposed Rule) seeks to modernize security safeguards in response to a significant increase in large-scale healthcare breaches caused by hackers and ransomware between 2018 and 2023. If enacted, the rule would require all HIPAA-regulated entities to enhance cybersecurity practices, including maintaining an up-to-date inventory of technology assets, conducting annual risk analyses, implementing stronger patch management policies, and using multi-factor authentication. Additionally, covered entities would be obligated to encrypt ePHI, perform vulnerability scans and penetration testing, and ensure more rigorous oversight of business associates handling sensitive health data.  As remote care platforms manage vast amounts of ePHI, these new cybersecurity rules could significantly impact telehealth services.

The Proposed Rule also emphasizes stricter compliance documentation and monitoring, including mandating a 72-hour disaster recovery plan, annual compliance audits, and stronger incident response protocols. Notably, business associates would be required to notify covered entities of any contingency plan activation within 24 hours. The proposed rule also seeks comments on emerging technologies such as artificial intelligence, quantum computing, virtual and augmented reality, and HIPAA’s role in regulating these emerging technologies. For more information, read the complete text of the Notice of Proposed Rulemaking.  Comments on the proposed rule are due by March 7, 2025 and can be submitted through the federal register.