Need for glide path on HIPAA telehealth rules at pandemic’s end

Tanya Albert Henry , Contributing News Writer

Though the pandemic’s end is nowhere near, when it does arrive the national declaration of a public health emergency will likely soon end along with it. When the public health emergency declaration is eventually ended, the AMA is asking the government to give physicians who quickly pivoted to include telehealth in their practice ample time to meet Health Insurance Portability and Accountability Act (HIPAA) requirements before audits and other enforcement measures ramp up.

Subscribe to AMA Advocacy Update

Stay current on the latest on the issues impacting physicians, patients and the health care environment with the AMA’s Advocacy Update Newsletter. 

In a letter to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the AMA asked the agency (PDF) to “establish a one-year glide path to compliance.”

The OCR should give physicians and others the necessary time to move toward HIPAA compliance so they can, among other things, “engage their vendors in discussions about business associate agreements and initiate or implement their security risk analysis of the new telemedicine platform,” says the AMA letter. HHS in January extended the public health emergency for another 90 days.

The letter also asks the OCR to call on telemedicine vendors to help clinicians become compliant and to create guidance documents that specifically speak to telemedicine platforms and what is required for the technology to be HIPAA compliant.

“While HIPAA is familiar to many physicians, we encourage the agency to recognize that many clinicians are using telemedicine for the first time and may not be well-versed in the unique risks and vulnerabilities associated with the new tools they are using,” the letter signed by James L. Madara, MD, the AMA’s CEO and executive vice president.

Related Coverage

This is the year to reform Medicare pay, boost telehealth

Privacy important, but time needed

When the COVID-19 public health emergency began nearly two years ago, the OCR realized physician practices would need to quickly adopt telemedicine technologies so they could continue to provide care for their patients safely and in a way that was accessible.

To allow that to happen, the OCR announced a policy of “enforcement discretion” during the public health emergency for HIPAA violations related to telehealth remote communications. It applies to physicians and hospitals, who in good faith, use telemedicine platforms and applications to connect with patients.

The AMA supported the policy because it helped physicians and other clinicians quickly adopt telemedicine as COVID-19 shut down businesses nationwide without implementing contracts and security reviews that are frequently complicated and time-consuming.

In the AMA letter, Dr. Madara writes that the AMA greatly appreciates OCR’s action that allowed physicians to quickly adopt telehealth. He notes that while the organization told members of the enforcement discretion AMA leaders encouraged physicians to seek telemedicine platforms that “provide secure, end-to-end encryption to prevent unwanted third parties from accessing conversations or files.”

Related Coverage

Telehealth is here to stay, but payment is key to future use

The AMA also advised physicians to “enable and activate all available privacy and security features of the platform they selected.” The AMA worked with the American Hospital Association to create resources to guide physicians and hospitals on how to protect a remote work environment as cyber threats that sought to exploit telework technologies spiked.  

“The AMA takes HIPAA seriously and fully supports the need to ensure that patient information is secure and private,” the AMA tells OCR in its letter. “Simultaneously, physicians have had to adapt to new technologies to deliver virtual care while also managing multiple stressors on their practices, in-person patients, and staff during an incredibly demanding and difficult pandemic. They will need time once the PHE [public health emergency] ends to ensure that their policies, procedures, risk analyses, and business associate agreements are in order.”