How We Got Here – HIPAA Compliant Telehealth Regulations
The pandemic-fueled lockdowns put a severe strain on the nation’s health system, as those most at risk of infection struggled to receive treatment in a way that did not increase the risk to themselves or others.
To mitigate this, HHS allowed covered healthcare providers to use widely available communications applications for the good-faith provision of telehealth services without the risk of penalties imposed by the HHS Office for Civil Rights for violating HIPAA rules. This flexibility only applies while there is a declared COVID-19 public health emergency.
What to Expect – HIPAA Compliant Telehealth Regulations
The current health emergency will end on October 13, 2022, unless extended by the HHS Secretary. In legal guidance provided on the HHS website, the agency clearly states:
“When we are not in the COVID-19 public health emergency, all of the telehealth services you provide need to be in compliance with HIPAA rules.”
In other words, once the public health emergency ends, HIPAA regulations are fully enforceable, including the HIPAA Privacy Rule and Security Rule.
All non-HIPAA-compliant communication services such as FaceTime or non-compliant versions of services like Zoom will no longer be allowed. Using non-compliant communication applications or services violates HIPAA regulations, and users would be subject to fines and penalties.
All telehealth services must be HIPAA compliant to protect patients’ protected health information (PHI). Healthcare providers must also ensure that signed business associate agreements are in place with telehealth service companies before using their services.
How to Cope – HIPAA Compliant Telehealth Regulations
Many patients and providers have become accustomed to the convenience and efficiency provided by telehealth. The good news is that more HIPAA-compliant service options are available now than before the pandemic. As is always true, the devil is in the details.
Healthcare providers who wish to begin or continue using telehealth services must be sure their systems meet the standards required by the HIPAA Security Rule. They must also address telehealth access and use in their policies and procedures.
Remember, HIPAA compliance is not just about what you are doing but also what you can prove. With year-end approaching, now is an excellent time to perform an annual Security Risk Assessment (SRA). A thorough SRA will identify any compliance gaps resulting from telehealth or other reasons so that you can remediate them.
Compliancy Group is always available to help you achieve, maintain, and illustrate your organization’s compliance with all HIPAA regulations.