Hi! My name is Kathy Wibberly. I am Director of the Mid-Atlantic Telehealth Resource Center. Today we are going to chat a little about the implications of the end of the PHE taking place on May 11, 2023 on HIPAA.
“Hear No Evil, Speak No Evil, See No Evil” will come to an end!
At the start of the PHE, the HHS Office for Civil Rights (OCR) issued a Notification of Enforcement Discretion to all health care providers that are covered by HIPAA and provide telehealth services during an emergency. What it has meant is that covered health care providers would not be subject to penalties for violations of the HIPAA Privacy, Security and Breach Notification Rules that occur in the good faith provision of telehealth during the PHE.
The Top Ten “Evils” We Have Seen During the PHE
Did You Make the Top Ten List? If So, Time Is Running Out!
Soon you will be subject to penalties. The PHE ends on May 11, 2023. OCR is providing a 90-calendar day transition period for covered health care providers to come into compliance with the HIPAA Rules with respect to their provision of telehealth. This transition period will end on August 9, 2023. The penalties for “Unknowing Violations” are financial, with a minimum of $100 per violation and a maximum of $50,000 per violation (as stipulated by the HITECH Act and then adjusted annually for inflation, which right now is a minimum of $127 to a maximum of $60,973!!!). The financial penalties for “Willful Neglect Violations” (if you are reading this, you now know) are significantly higher and may also come with both criminal and civil penalties. A data breach or security incident that results from any violation could see separate fines issued for each aspect of that violation.
If in one day, you 1) texted a patient about the results of their lab tests using your consumer messaging app, then they called you and you 2) spoke to them while on a speaker phone when at a park with your child, then you connected with them for a 3) video visit using Google Chat over a 4) public Wi-Fi network 5) using your child’s school laptop, you have just set up a situation with multiple violations. Multiple violations could lead to multiple fines. On top of that, fines may be applied daily, so if you have been doing this same type of thing several times a week over the period of a year…well, you get the message!
Yikes, What Can I Do to Make Sure I Am Prepared for the End of the PHE?
First, make sure you understand how telehealth intersects with HIPAA. Here are some resources to help you:
- HIPAA & Telehealth : A Stepwise Guide to Compliance:
- Telehealth 201 – HIPAA & Privacy
- Guidance on HIPAA Rules for Audio-Only Telehealth
If you are working in an organization that has people who conduct risk and compliance assessments, that’s great. But make sure you are using organizational resources and networks every time you have interactions with patients, caregivers or other providers that involve PHI. You may be personally liable if you decide to use a personal account on a platform that is not managed by your organization.
If you are not part of an organization, then you need to understand and conduct a risk assessment of your set-up. Here are a few tools to help you do that on your own:
- Security Risk Assessment Tool
- Health IT Privacy and Security Resources for Providers
- HIPAA Compliance Roadmap
You could also pay a consultant to do a HIPAA assessment for you and your practice. Just make sure that you account for all the ways you use telehealth. Conducting a telehealth visit in your office can look very different than conducting a telehealth visit from your home. If you do both, then you need to conduct a risk assessment for both use cases.
Feeling Overwhelmed or Have Questions? Don’t be afraid to “phone a friend”. Talk to your organization’s compliance officer if you have one. If you don’t have one, or are uncertain about the guidance you have received, you have a friend at your Regional Telehealth Resource Center who would be glad to help you!