Over the past year, telehealth has expanded through support from federal and state measures intended to increase access during the pandemic. In February 2021, a bipartisan group of lawmakers reintroduced the Protecting Access to Post-COVID-19 Telehealth Act to the US House of Representatives to ensure ongoing accessibility to telehealth services after the COVID-19 crisis. The legislation aims to:
- Ensure use of telehealth for Medicare patients during future disasters and emergencies.
- Remove geographic restrictions on patient access to telehealth services and enable provision of telehealth services to patients in their homes.
- Ensure provision of telehealth services by federally qualified health centers and rural health centers.
As telehealth rules and regulations continue to evolve, healthcare professionals and their legal advisors must closely monitor changes to ensure compliance beyond the pandemic. Health information management (HIM) leaders play a critical role in creating new policies and procedures to ensure the privacy and security of protected health information (PHI).
There will be no turning back from the use of telehealth, as patients, providers, and legislators have accepted it as the new preferred norm. Predictions indicate that telehealth will rapidly increase in 2021. According to a Deloitte report, virtual video visits will rise to 5 percent globally in 2021, up from an estimated 1 percent in 2019. This means expanding roles in areas such as telehealth vehicles, rural access, chronic care management, remote monitoring, and more.
Across the US, physicians and other health professionals have seen an increase of between 50 and 175 times in telehealth patient numbers during the pandemic compared to the previous year, according to a report by McKinsey. The report states that about 10 percent of US healthcare consumers used telehealth services in 2019 and nearly 50 percent in 2020, and that 75 percent are interested in using telehealth more in the future. There are headaches in this, though. In an attempt to make treatment accessible, many physician practices have turned to nonspecialist software such as Zoom or FaceTime to connect with their patients. But detailing private medical conditions through unsecured connections on nonmedical software is a potential HIPAA nightmare. State-by-state regulation systems are problematic as well. What are the implications for privacy and security?
Post-pandemic, the main issue is to make sure appropriate safeguards are in place. Privacy risks involve a lack of control over the collection, use, and sharing of data. For example, home telehealth devices and sensors may collect and transmit information on activities that a patient wishes to keep private. Smartphone apps may share sensitive data with advertisers and other third parties in ways not anticipated by users. The primary security risk involves unauthorized access to data during collection, transmission, or storage.
Existing regulations are insufficient to provide strong privacy and risk protections for users. Currently, HIPAA provides the primary set of regulations that guide the privacy and security of health information. The rule requires that identifiable health information be encrypted so that only those authorized to read it can do so. HIPAA, however, applies only to covered entities—healthcare providers and insurers—not to patients. The Food and Drug Administration (FDA) regulates medical devices but not consumer-facing devices and apps, focusing instead on technical issues related to the security and integrity of information. In this way, the FDA ensures patient safety but not patient privacy.
Telehealth is now a key enforcement priority for federal and state enforcement agencies, including the US Department of Justice, and is likely to grow significantly in the coming years. Congressional leaders have reached out to the leaders at the Department of Health and Human Services (HHS) and the Centers for Medicare and Medicaid Services (CMS) to continue telehealth services past the COVID-19 emergency and asked what areas would need legislative action.
Standard Policies and Procedures
Due to recent surges in telehealth usage, best practices are needed to regulate telehealth documentation, coding, privacy, and record maintenance. As rules and regulations have been relaxed temporarily to accommodate telehealth interaction between patient and provider, it is important to assess and update documentation policies and procedures. HIM professionals are well prepared to make sure workflows are in place for proper documentation and retention of telehealth encounters, while maintaining patient privacy and confidentiality.
Now is the time to re-evaluate, update, and re-educate to incorporate the expanded use of telehealth. Here are recommended guidelines to consider for strengthening your organization’s policies and procedures.
- Obtain consent. If connections are unsecured, update consents outlining the unsecured telehealth service and risks, educate the patient, and obtain consent prior to the visit.
- Establish policies to identify who owns the records and who is responsible for amendments and release of information.
- Determine how test results are communicated to the providers, and how all the appropriate documentation is shared with other providers for continuity of care.
Information governance policies and procedures should cover telemedicine documentation practices to ensure trusted information continues to flow throughout the organization without compromising record integrity and quality. Here are the documentation requirements for each visit via telemedicine:
- Visit occurred via telemedicine
- Location of the provider
- Location of the patient
- Names of all persons participating in the telemedicine service and their role in the encounter
- Length of time of the consultation visit and notation that more than 50 percent of the encounter was spent counseling/coordinating care
- Differential diagnosis, active diagnosis, prognosis, risks, benefits of treatment, instruction, compliance, risk reduction, and coordination of care with other providers
- Orders should include:
  - Review/order of clinical lab tests
  - Review/order of radiographs
  - Review/order of medical tests (e.g., echocardiograms, cardiac catheterization)
  - Review/summary of old records
Documentation requirements determine how your organization will be paid. For that reason, it is important to start with the end in mind. In addition to documentation requirements, it is critical to know how you will respond to requests for information, how it will be used, and where it is stored. It is also important to determine what information will be included in your electronic designated record set, or ePHI, because interoperability rules will require that all ePHI be made available to the patient by the end of the transition period.
- Are telehealth sessions recorded? If yes, refer to state law on any applicable telehealth retention guidelines. Where are Zoom recordings stored? Who has access? There are no federal retention requirements for telehealth visits.
- If there are any images or other documents as a result of the encounter:
  - How are they secured?
  - How will you purge them once they have been transcribed or met policy requirements?
  - Who has access?
Privacy and Security
Though some telehealth rules are relaxed, privacy and security practices remain in place. Best practice is to create or update policies and procedures for the type of telehealth platform being used (secure/unsecured).
- Make sure policies specify where the provider can offer the service, and ensure no PHI is visible.
- For unsecured connections, update consents outlining the unsecured telehealth service being used, and obtain patient consent prior to the visit.
- Know who is responsible for handling any possible breaches.
Telehealth Is Here to Stay
Along with the expanded use of telehealth, regulatory oversight will likely increase. Healthcare organizations should develop and maintain a strategy for the provision of services through telehealth, including a well-developed compliance plan and related policies to ensure that telehealth services are provided in a manner that is legally compliant—particularly as reimbursement for these services is increasingly available.
An effective telehealth compliance plan will specify policies and procedures that support the basic foundation of information governance: documentation, protection, retention, release, privacy, security, and integrity of patients’ telehealth records.
In addition to internal organizational policies, the plan should be designed to comply with all applicable laws, standards, and regulations. This level of information governance is best guided by a multidisciplinary team including representatives from legal, financial, clinical, compliance, HIM, clinical documentation improvement (CDI), coding and billing, privacy and security, risk management, and IT.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.
Rita Bowen is vice president, privacy, compliance and HIM Policy at MRO.
Diana Warner is director, client relations and account management at MRO.