MSP HIPAA compliance is confusing enough already and now with the pandemic it has become even more so. There are some important temporary changes that have been made to the HIPAA law.
HIPAA Sanctions & Penalties During COVID-19
In response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar’s earlier declaration of a public health emergency on March 15, 2020, Secretary Azar has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
Enforcement of Remote Communications in MSP HIPAA Compliance
Another major change that has taken place during the pandemic is the enforcement of telehealth communications. OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
Applications That Maintain MSP HIPAA Compliance
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
Applications That Do Not Maintain HIPAA Compliance
Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
How to Ensure You Are HIPAA Compliant
Health care providers that seek additional privacy protections for telehealth while using video communication products should first use HIPAA Compliancy Software and then use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
If you would like to learn more about HIPAA compliance and would like additional resources check out https://www.hipaacompliance.org/.