HHS extended the public health emergency through mid-October on the last possible day, but you had better use that time to tighten up your telehealth privacy practices, or you could face expensive HIPAA violation penalties.
CMS has added telehealth audits to its new work plan, so take that as a warning to get back into the swing of proper privacy compliance. Safeguard your practice by avoiding the following three emergency telehealth HIPAA waiver traps that will cost you.
Document Why You’ve Chosen Not to Comply with Telehealth Rules
Under the relaxed enforcement during the coronavirus pandemic, HHS has defined two types of HIPAA compliance:
- Mandatory: Required specifications that you must comply with no matter what.
- Fixable: “Addressable” specifications that you can choose not to comply with, provided you have good reasons for doing so. To protect your practice, include in your documentation why you could not take the additional precautions, or what alternative HIPAA procedures you used instead.
Update Your Business Associate (BA) Terms
Third-party vendors that you use for your telehealth program must be HIPAA compliant, just like your practice. It is your responsibility to have a signed BA agreement with the healthcare IT software vendor and to verify that your BA has implemented its own set of HIPAA policies, procedures, and training.
To avoid being noncompliant, you should make every effort to add any changed privacy terms to your BA agreements before the public health emergency expires. During the public health emergency, BAs are allowed to disclose patient protected health information (PHI) in “good faith”, for example by providing data to the CDC or state-level organizations for public health and health oversight activities during the COVID-19 emergency. Outside the emergency, these terms must be written into your BA agreement.
Encryption Isn’t Everything
During the public health emergency, you may use non-HIPAA-compliant platforms (e.g., FaceTime, Skype, WhatsApp) to provide telehealth services, as long as you are doing so in good faith and not being negligent with patient PHI. Ordinarily, a HIPAA-compliant platform must either use end-to-end encryption without a shared encryption key, or you must have a BAA with the platform.
Some platforms are fully encrypted, yet they will not confirm that they are HIPAA compliant. If that is the case, you should change your platform so that you can continue to provide telehealth after the public health emergency expires. In the meantime, you should inform patients you treat via those platforms that there may be privacy risks, and document that in the patient record.
There are more steps you need to take to comply with the more aggressive HIPAA telehealth rules so you can keep providing virtual services to your patients. This is where HIPAA expert John Brewer can help. During the online training, “Comply with Tightened Post-COVID-19 HIPAA Telehealth Rules,” he will help you avoid the numerous HIPAA compliance hurdles you will encounter when the COVID-19 waivers expire.