The Biden Administration announced that the federal COVID-19 Public Health Emergency (PHE) will expire at the end of the day on May 11, 2023. As we draw closer to the expiration date of the PHE, do you feel fine about your privacy and security compliance strategy? What is changing and are any of the flexibilities being made permanent?
Health care providers and technology vendors should prepare for the expiration, alongside the PHE, of the flexibilities introduced in the March 2020 Notice of Enforcement Discretion (NED) issued by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). This return to the pre-pandemic approach to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other healthcare privacy law may require a significant re-evaluation of compliance measures by healthcare companies and their telehealth and other healthcare technology vendors. We outline key preparatory steps for providers and vendors alike below.
NED Background
As a reminder, on March 17, 2020, OCR issued a bulletin indicating that, for the duration of the PHE, the agency would exercise enforcement discretion by waiving penalties for HIPAA violations (under the Privacy, Security, and Breach Notification Rules) by covered health care providers who, in good faith, served patient treatment and diagnostic needs through common, non-public-facing telecommunications platforms that do not fully comply with HIPAA. Public-facing products, such as livestreaming services, were never covered by the NED. OCR’s intent was to ensure that patients could continue to access all forms of health care services remotely while COVID-19 persisted.
You can read more about the NED and other important PHE flexibilities for the health and life sciences industry in our previous Quarles client alerts.
Telehealth Platforms Gain Momentum
Prior to the PHE, it was rare to find a communications application that implemented the administrative, physical, and technical safeguards HIPAA requires to protect provider-patient interactions. Rarer still was a communications technology vendor willing to enter into a Business Associate Agreement (BAA) with a covered provider. Covered providers that communicated with patients through such platforms therefore took on a significant risk of violating the HIPAA Privacy, Security, and Breach Notification Rules. Even as part of the PHE flexibility, OCR cautioned against the unbridled use of previously prohibited communication channels. Specifically, OCR recommended that health care providers: (i) enter into a BAA with any platform used to facilitate patient care; (ii) enable all available encryption and privacy modes to keep patient data safe; and (iii) inform patients of the privacy and security risks associated with using such third-party applications. However, OCR stopped short of mandating these measures.
Relaxed regulatory positions and enforcement postures across government agencies created an environment in which telehealth and telemedicine models could thrive. The U.S. Government Accountability Office estimated in September 2022 that the use of telehealth services by Medicare patients increased from about 5 million visits between April and December 2019 to 53 million visits during the same months of 2020. Much of this increase, however, is attributable to efforts to slow the spread of COVID-19, and telehealth visit volume has since fallen back from its peak and leveled off. In its 2021 Physician Insights Survey, McKinsey found that while 84% of physicians were offering virtual care services, only 57% of those surveyed preferred to continue serving patients that way. Only time will tell whether the rollback of HIPAA and other regulatory flexibilities, combined with other variables such as physician preference, will lead to a significant decline in the provision of telehealth services.
Key Steps for Future Success
Lenny Bruce may not be afraid, but we need to offer you solutions, offer you alternatives so you do not decline…
Covered Health Care Providers
There are steps providers should take now to ensure appropriate contracts and compliance practices are in place before May 12, 2023, namely:
- Move to technology products that support HIPAA compliance. While OCR has not validated these claims, the agency has identified certain vendors that “claim” they permit HIPAA-compliant use by patients and providers. Covered entities should take careful due diligence steps when selecting a telehealth services vendor and take additional steps to ensure that patient and provider data is processed securely, including evaluating encryption, data storage, vendor policies and procedures, and assessment standards. Diligence should involve providers’ privacy and security legal teams, as technology product contracting and implementation can have far-reaching compliance implications. Providers should be wary of simply agreeing that vendors are mere “conduits” without diligence. In a world where data collection and monetization permeate the healthcare and tech sectors, it is rare that a technology vendor simply transmits protected health information (PHI) without some type of access or storage.
- Take this opportunity to review arrangements with current “HIPAA compliant” vendors. Any review should evaluate a vendor’s data security policies and procedures, encryption, storage, and data use practices, and risk management plans to determine whether sufficient safeguards are in place to protect patient information. Be wary of technology vendors that display “HIPAA certified” badges on their websites: HHS neither certifies nor endorses HIPAA compliance, and few legitimate certification standards exist. Ask instead for evidence measured against recognized industry standards, such as a recent independent audit report (for example, a SOC 2 Type II report or a HITRUST assessment) and a copy of the vendor’s most recent risk analysis.
- Review relationships with Cloud Service Providers and messaging technology vendors. HHS has signaled that Cloud Service Providers (CSPs) are not covered by the conduit exception, because CSPs typically maintain or store electronic PHI on behalf of covered entities; under OCR’s cloud computing guidance, a CSP that stores electronic PHI is a business associate even if the data is encrypted and the CSP does not hold the decryption key. The conduit exception is narrow: it reaches only entities that merely transmit PHI, with at most transient storage incidental to the transmission. Email, fax, and other messaging service providers, which in practice store or can access the messages they carry even though they may argue that they only transmit electronic PHI, are similarly not eligible for the exception.
- Complete an updated risk analysis. The Security Rule requires an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)), and changes in technology products will likely trigger the need to update it, including an assessment of threats to the confidentiality, integrity, and availability of PHI handled through telehealth. Data maps that accurately reflect technology vendor relationships and the related flow of PHI will support the risk analysis and help providers craft corresponding updates to their risk management plan.
- Do not forget sensitive information requirements. While the NED did not address waivers under other federal and state privacy laws (e.g., 42 CFR Part 2 and state laws dealing with behavioral health, HIV, sexual health, and other sensitive data), providers implementing telehealth vendors during the PHE did not always consider requirements other than HIPAA. Providers should take this opportunity to ensure vendors comply with additional privacy standards for sensitive health information.
- Memorialize agreements with vendors that are not supposed to use or disclose PHI. Put written procedures in place for any vendor that might inadvertently receive or access PHI, as well as for any vendor that receives personal information subject to state comprehensive privacy laws.
- Prepare for post-NED breach notification obligations. OCR’s PHE HIPAA flexibilities notably do not exempt covered entities and their business associates from reporting breaches of PHI that occurred while the NED was in place but are discovered after the PHE has expired. To put it plainly, if a covered entity or a business associate discovers on May 12, 2023 (or later) that a breach of PHI occurred between March 17, 2020, and May 11, 2023, that breach must be reported to OCR (and to the affected individuals) within the timelines set by the Breach Notification Rule.
Apart from vendor relationships, covered health care providers should revisit internal policies and procedures as the PHE winds down. In particular, the following should be updated to reflect both state and federal regulatory requirements, OCR guidance, and data privacy and security best practices:
- Processes and documents used to obtain from the patient: (i) informed consent to receive telehealth services, and (ii) permission to record those interactions;
- Procedures for evaluating and procuring telehealth technologies;
- Policies regarding the ability for providers to exchange data with patients via telehealth technology based on vendor data collection, use, storing, and sharing practices; and
- Policies regarding provider and patient location during a telehealth visit.
Updating these policies and procedures is especially important for the long-term viability of companies that built multi-state telehealth networks during the PHE. More broadly, the healthcare industry’s reliance on technology will only continue to grow, and all covered health care providers should be prepared to take active steps to monitor their vendors.
Telehealth Technology Vendors
The end of the PHE and sharp increases in regulatory scrutiny each mark a shift back to many of our pre-pandemic institutions. This means that many technology vendors will have to adapt and pivot in order to survive. Healthcare technology vendors are often unaware that by claiming to be HIPAA compliant, they are binding themselves to an ongoing endeavor; a vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate that is directly liable under HIPAA, whether or not a BAA has been signed. HIPAA compliance is a process, not a goal. Telehealth technology vendors should consider the following as the end of the PHE approaches:
- Conduct an annual assessment of security policies and procedures, perform a risk analysis, and update the risk management plan based on the findings. Repeat this process whenever circumstances warrant, such as after a breach, a change in business model, or even a change in data collection, use, and sharing practices.
- Develop privacy and security compliance programs that go beyond HIPAA. HIPAA does not necessarily apply to an entity or person simply because health information is involved, and it may not apply to certain telehealth providers at all. Even when HIPAA applies, it may not cover all of the data involved, and other privacy laws extend past HIPAA. For example, we predict that Federal Trade Commission (FTC) enforcement of the Health Breach Notification Rule, which applies to vendors of personal health records and related entities that are not covered by HIPAA, will increase significantly. Technology vendors should familiarize themselves with the full scope of potentially applicable privacy laws. In addition to reducing enforcement risk, a technology vendor with an appreciation for privacy law can be a market differentiator.
The end of the PHE as we know it likely marks only the beginning of increased federal and state-level privacy enforcement efforts. With data privacy and security top of mind for legislators across the country, and with already established laws like the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (CDPA) having recently come into effect, there is an ever-growing number of avenues for enforcement bodies to pursue punitive measures against health care providers and technology vendors.