New HIPAA Waivers Relax Telehealth Restrictions to Improve COVID-19 Patient Care
After the White House officially declared a national emergency in the U.S., the U.S. Department of Health and Human Services announced that it will be waiving certain aspects of HIPAA through the Office for Civil Rights (OCR) as a way to help hospitals and telehealth services temporarily care for patients without fear of fines or penalties.
The news comes in the wake of the reality that healthcare in the U.S. right now is anything but “normal”--doctors have been sharing stories of having to reuse PPE and N-95 respiratory masks (and just in case it’s not clear, that is NOT safe, but when the other option is nothing, it’s all they can do), supplies are limited, and regular medical care is being compromised out of necessity. So how will this waiver help?
Why the HIPAA Waiver is Necessary
Alissa Smith, a partner at the international law firm Dorsey & Whitney and co-chair of its Health Transactions and Regulations Practice Group, tells Nurse.org that she’s been fielding calls all week about how to navigate HIPAA during COVID-19.
Because hospitals and healthcare providers are trying to deliver care in the midst of an actual national emergency, some of the HIPAA standards were actually hampering care. Waiving them temporarily, she said in a press conference hosted by President Trump, will “improve access to care.”
“Providers have been anxiously seeking guidance from the OCR that will allow them easier access to treat patients and an easier and faster ability to communicate with colleagues outside of their own health system in order to make real-time/rapid differential diagnosis communications, including sharing data and images with peers,” she stated. “The OCR’s guidance today makes sense and will improve patient care.”
Essentially, she added, the waiver will allow healthcare providers to use everyday communications to deliver patient care more effectively and efficiently.
What the HIPAA Waiver Entails
The HIPAA Waiver absolutely does not get rid of HIPAA entirely--it only waives very limited aspects of HIPAA temporarily and it’s only applicable as long as the U.S. remains within a national emergency status.
It’s also important to note that the waiver is only good for the first 72 hours after a hospital has instituted a disaster protocol, so it is not long-lasting at this time. Here are the specific aspects of the HIPAA Privacy Act that are being temporarily suspended with the waivers:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient's care.
- The requirement to honor a request to opt-out of the facility directory.
- The requirement to distribute a notice of privacy practices.
- The patient's right to request privacy restrictions.
- The patient's right to request confidential communications.
After the 72 hours following the disaster protocol being started, or if the nationwide emergency status is lifted, the hospital has to go back to following full HIPAA stipulations, with full sanctions and fines possible for any violation.
What this Means for Nurses
In looking at the aspects of HIPAA that are being waived, they definitely make sense under the umbrella of a global pandemic. Hospitals can certainly treat patients faster if they aren’t spending valuable time and resources printing out privacy policies that no one even reads anyway, and confidential communications may just not be logically possible if, say, a doctor has been quarantined and needs to communicate with other providers from home about a patient’s care using a personal phone.
The OCR also explained in more detail just how the waivers might impact patient care for nurses and doctors. They noted, for example, that a video chat might be helpful for assessing if a patient needs to come in for COVID-19 testing, which could help reduce the risk and transmission of infection. Similarly, they pointed out that other, non-emergent care, from sprained ankles to mental health services, could benefit from relaxed restrictions on technology services.
Under the waiver, the OCR released the following list of approved consumer technology services that can be used for healthcare purposes:
- Apple FaceTime
- Facebook Messenger video chat
- Google Hangouts video
- Skype
- Other video chats with a “good faith provision”
Apps that cannot be used include anything public, specifically:
- Facebook Live
- Twitch
- TikTok
If you would like to be extra cautious, the OCR also released a list of technology vendors that have HIPAA-compliant video communication products and have already stated that they will enter into a HIPAA business associate agreement:
- Skype for Business
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
Of course, if you use one of the approved apps, you should make sure all available encryption and privacy modes are turned on when they are active. And no matter which telehealth technology is chosen, the OCR said that all healthcare providers are encouraged to let their patients know that a third-party application is being used and inform them that there may be increased privacy risks as a result.