Need glide path on HIPAA telehealth rules when pandemic ends
Although the end of the pandemic is far from near, when it does arrive, the national declaration of a public health emergency will likely soon end with it. When the public health emergency declaration is finally over, the AMA is calling on the government to give doctors who have quickly pivoted to include telehealth in their practice enough time to meet the requirements of Health Insurance Portability and Accountability Act) before audits and other enforcement actions escalate. .
In a letter to the Office of Civil Rights (OCR) of the United States Department of Health and Human Services (HHS), the AMA asked the agency (PDF) to “lay out a one-year trajectory to compliance”.
OCR should give physicians and others time to comply with HIPAA so that they can, among other things, “engage their suppliers in discussions about business associate agreements and initiate or implement their security risk analysis of new telemedicine platform,” says the AMA Letter. In January, HHS extended the public health emergency an additional 90 days.
The letter also asks the OCR to engage telemedicine providers to help clinicians comply and create guidance documents that specifically address telemedicine platforms and what is needed for the technology to be available. HIPAA compliant.
“While HIPAA is familiar to many physicians, we encourage the agency to recognize that many clinicians are new to telemedicine and may be unfamiliar with the unique risks and vulnerabilities associated with the new tools they use,” the letter signed by James L. Madara, MD, CEO and Executive Vice President of the AMA.
Important confidentiality, but time needed
When the COVID-19 public health emergency began nearly two years ago, OCR realized that medical practices would need to quickly adopt telemedicine technologies so they could continue to provide care to their patients. safely and in an accessible way.
To allow this to happen, the OCR has announced a policy of “application discretion” during the public health emergency for HIPAA violations related to remote telehealth communications. It applies to physicians and hospitals who, in good faith, use telemedicine platforms and applications to connect with patients.
The AMA supported the policy because it helped doctors and other clinicians quickly adopt telemedicine as COVID-19 shut down businesses nationwide without implementing contracts and safety reviews that are often complicated and time-consuming.
In the AMA’s letter, Dr. Madara writes that the AMA greatly appreciates the work of OCR in enabling physicians to rapidly adopt telehealth. He notes that while the organization informed members of the app’s discretion, AMA leaders encouraged physicians to seek out telemedicine platforms that “provide secure end-to-end encryption to prevent unwanted third parties from accessing conversations or files”.
The AMA also advised physicians to “enable and enable all available privacy and security features of the platform they have selected.” The AMA worked with the American Hospital Association to create resources to guide physicians and hospitals on how to protect a remote work environment as cyber threats that sought to exploit telecommuting technologies increased.
“The AMA takes HIPAA seriously and fully supports the need to ensure that patient information is secure and private,” the AMA told OCR in its letter. “Simultaneously, physicians have had to adapt to new technologies to deliver virtual care while managing multiple stressors on their practices, in-person patients, and staff during an incredibly demanding and challenging pandemic. They will need time once the PHE [public health emergency] ends to ensure that their policies, procedures, risk analyzes and business associate agreements are in order. »