The Health Insurance Portability and Accountability Act of 1996, better known as HIPAA, is a huge piece of legislation. While many new laws emanate from this Act, most Americans associate HIPAA with privacy and privacy alone. While the goal of “privacy” is certainly well-meaning, this bill instills so much frustration in the modern healthcare landscape. Around 1996, electronic transfer of protected health information was in its infancy. And Congress correctly recognized that safeguards were necessary to protect patients’ privacy in cyberspace. Sometimes you could argue the treatment is worse than the disease.
HIPAA Privacy Rules
According to the Department of Health and Human Services (DHH) website, “The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.”
How COVID-19 changed HIPAA Privacy Rules
Interestingly, the Office of Civil Rights (OCR) at the DHH is responsible for enforcing certain aspects of HIPAA. Those “aspects’ include privacy regulations. With the onset of the COVID-19 pandemic, a majority of the country had to shelter-in-place. The result was that many patients were unable to attend in-person office visits. Therefore, the OCR informed providers that they would not enforce certain HIPAA guidelines with respect to privacy.
They said, “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.”
What alternative platforms are available?
While not an endorsement, the OCR listed several well-known applications to use for video chat. For example, Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype. And those that use these platforms can do so “without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
However, the OCR does encourage providers to let patients know that the chosen platform may not provide the security that HIPAA normally warrants. Luckily, a lot has changed since HIPAA’s passage in 1996. Back then, end to end encryption was not readily available.
Now, many of the devices we use have encryption to a level that is HIPAA compliant. Video, once seen as just a nice feature on our phones, comes with secure features. The difference between these features on our phone and typical HIPAA compliant platforms is that our phones are actually easy to use. Previously, you could never use “HIPAA complaint” and “easy to use” in the same sentence!
Almost everyone in the US is comfortable with at least one of the following free platforms: Microsoft’s Skype, FaceTime or Zoom. They all provide encryption during a call. So while they may or may not have the official HIPAA compliance seal of approval (there isn’t technically a seal of approval by the way), they do provide privacy for patients.
The OCR did make clear that “Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.”
Can we use these alternatives even after relaxing HIPAA privacy rules?
Eventually, these rules will return to their more stringent level. However, some of the easy-to-use platforms above will still be available for patient care. The OCR “simply” recommends that the provider obtain a HIPAA business associate agreement (BAA) with these companies. This is an agreement between the healthcare provider and whomever is providing a service that interacts in some way with protected health information. For example, FaceTime from Apple “handles” protected health information during a virtual consult. They don’t store or save the data, they just provide the conduit for the consult to take place. So for FaceTime to be HIPAA compliant, Apple must sign a BAA.
However, Apple is not willing to sign a BAA. And for that reason, they are not “fully” HIPAA compliant. To be clear, FaceTime’s technology is 100% secure from a HIPAA standpoint. But it won’t be considered “HIPAA compliant” because of a single unsigned document! It’s entirely possible DHH will revisit the wisdom of a document standing in the way of convenience and progress. Especially when the actual security threshold is cleared.
According to the DHH website, the list below includes some vendors that state they provide HIPAA-compliant video communication products and who will enter into a HIPAA BAA:
- Skype for Business / Microsoft Teams
- Zoom for Healthcare
- Google G Suite Hangouts Meet
- Cisco Webex Meetings / Webex Teams
- Amazon Chime
- Spruce Health Care Messenger
We’re better off than we were before
In the past, we thought a platform could only be considered HIPAA compliant if it was a pain in the ass to use. During this COVID pandemic, when the rules were relaxed and we were allowed to use encrypted technology on platforms we were already familiar with like FaceTime, Skype and ZOOM, our instinct was: this can’t be HIPAA compliant, it’s too easy to use! Now that we’ve come to this realization that a platform can protect our privacy and be easy to use, we’ll never go back!