March 24, 2020 · Regulatory and Health Industry
AHIMA Special Update: Telehealth and Relaxed HIPAA Enforcement During COVID-19
AHIMA privacy and security experts convened to make sense of new and existing guidance surrounding telehealth and HIPAA to deal with COVID-19.
HIM professionals with questions or comments can publish them at the bottom of this post, or visit the COVID-19 community page on AHIMA Engage.
Consents, Reminders, and Communication for Telehealth
- Update telehealth/audio/visual consents pertaining to the difference between a secure connection and an unsecure connection:
- Secure connection: Technology is in place to protect the information being transmitted and ensures it is being delivered to its intended recipient
- Unsecure connection: May not completely protect the transmission of information and may allow inappropriate access to unintended recipients
- Educate staff on the US Department of Health and Human Services’ (HHS’) Office for Civil Rights, “Notification of Enforcement Discretion for telehealth remote communications during COVID-19 nationwide public health emergency guidance” published on March 17, 2020.
- Allowed: In additional to established secure communication channels (e.g., encrypted email, encrypted portal communications, encrypted patient-facing apps, etc.) the notification now allows for two-way synchronous communications using Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype.
- Not Allowed: Public facing tools like Facebook Live, Twitch, TikTok.
- When using an unsecured connection, advocate for a statement that notifies patients of such and asks them if they want to continue with the visit.
- For those that were not previously using telehealth, visit the American Medical Association’s quick guide to telehealth.
- Ensure verbal authorizations have a defined process and associated policy and procedure; consulting in-house counsel and researching state laws.
- Educate staff that virtual care/telehealth visits are not only a conversation—they are documented episodes of care that require the same clinical documentation processes as seeing a patient in a traditional care setting.
- As physicians and advanced practice clinicians take care of patients, the quality of clinical documentations maintains of utmost importance. The expectation is that they will continue with the high standards of documentation, which they’ve always had.
- Importantly, as regulations remain fluid around these new virtual care settings, documentation will be even more important than ever and will help us post-crisis to ensure accurate billing, coding, and syndromic reporting can occur.
- This is a great time to document your new approaches in light of relaxed HIPAA enforcement discretion. A documented baseline approach will support operations and provide consistency to serve as an iterative reference.
- Explore ways of optimizing the EHR and/or master patient index (MPI) where added fields or alerts/notifications would assist in identifying COVID-19 cases (confirmed, unconfirmed, etc.) for future data analytics needs related to coding, billing and reporting services.
- Coding and time tracking:
- For Medicare telehealth visits check the Centers for Medicare and Medicaid Services (CMS) list of approved telehealth codes to ensure that your code can be billed as a telehealth visit service. The codes are available at: https://www.cms.gov/Medicare/Medicare-General-Information/Telehealth/Telehealth-codes.
- For virtual check-in telehealth services, record the amount of time spent with the patient (five-minute minimum) in providing the virtual check-in service
- For e-visits, be aware of the required amount of time needed to bill for these codes and related requirements.
HIPAA Enforcement Discretion Including and Beyond Telehealth
- Create a fact sheet for staff to remind them of the continued importance of access and confidentiality.
- Remind staff that all activity is eligible for appropriate use auditing. Minimum necessary and need to know are still guidelines for access any information. Proactive access monitoring and auditing is still being performed and the same rules apply to everyone.
- These are not a new set of rules when it comes to confidentiality and sharing protected health information. Reminders of sharing information on social media are suggested.
- Defending Against COVID-19 Cyber Scams:
- The Cybersecurity and Infrastructure Security Agency (CISA) warns individuals to remain vigilant for scams related to Coronavirus Disease 2019 (COVID-19). Cyber actors may send emails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes. Exercise caution in handling any email with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19.
- The HHS limited waiver of sanctions and penalties waives sanctions and penalties for the following—ensure they are adopted within your policy, procedure, and training:
- The requirements to obtain a patient's agreement to speak with family members or
- Friends involved in the patient’s care See 45 CFR 164.510(b).
- The requirement to honor a request to opt out of the facility directory. See 45
- CFR 164.510(a).
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a).
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
- From the Waiver or Modification of Requirements under Section 1135 of the Social Security Act as the Result of the Consequences of the 2019 Novel Coronavirus (COVID-19)
- BULLETIN: Civil Rights and the Coronavirus Disease 2019 (COVID-19).
- To this end, government officials, healthcare providers, and covered entities (CEs) should consider adopting, as circumstances and resources allow, the following practices to help make sure all segments of the community are served:
- Employing qualified interpreter services to assist individuals with limited English proficiency and individuals who are deaf or hard of hearing;
- Making emergency messaging available in languages prevalent in the affected area(s) and in multiple formats, such as audio, large print, and captioning and ensuring that websites providing emergency-related information are accessible;
- Making use of multiple outlets and resources for messaging to reach individuals with disabilities, individuals with limited English proficiency, and members of diverse faith communities;
- Considering and planning for the needs of individuals with mobility impairments and individuals with assistive devices or durable medical equipment in providing healthcare during emergencies;
- Stocking facilities with items that will help people to maintain independence, such as hearing aid batteries, canes, and walkers.
Journal of AHIMA
Federal Laws and Regulations,ARRA Regulatory Issues
Health Law & Compliance