
HIPAA-compliant messaging in the age of COVID-19

July 10, 2020

The fallout of COVID-19 has had a sweeping impact across most aspects of healthcare delivery as we know it. While accessing healthcare has changed dramatically and will likely never completely return to pre-pandemic “business as usual,” what can we say about protected health information (PHI) and HIPAA compliance? How has COVID-19 altered HIPAA-compliant messaging, and how might it change in the post-pandemic healthcare environment?

How did COVID-19 change HIPAA-compliant messaging?

When hospitals and health systems were suddenly faced with the threat of COVID-19, there was an immediate need for rapid changes to many care delivery policies and procedures. Ensuring secure, fast, hospital-wide communications was challenging enough without the new threat of overburdened hospitals and a large, decentralized, virtual, remote network of employees and patients.

Limited waiver of HIPAA sanctions and penalties for hospitals 

To assist in nationwide public health emergencies, like the COVID-19 pandemic, the law allows certain provisions of the HIPAA Privacy Rule to be waived during the emergency. On March 15, the U.S. Department of Health and Human Services (HHS) waived sanctions against hospitals that do not fully comply with five provisions of the HIPAA Privacy Rule during the COVID-19 pandemic: 

  1. Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
  2. Requirement to honor a request to opt out of the facility directory 
  3. Requirement to distribute a Notice of Privacy Practices 
  4. Patient’s right to request privacy restrictions 
  5. Patient’s right to request confidential communications 

These waivers have helped hospital systems give patients the care they need and share PHI to support the nation’s response to the public health emergency.

Waiver of noncompliance for telehealth remote communications  

To help support remote patient care and deliver better care through telemedicine, the Office for Civil Rights (OCR) at the HHS announced that it will not impose penalties against hospitals that communicate or provide telehealth services through technology that may not fully comply with HIPAA rules during the COVID-19 response.

The OCR is allowing providers to use consumer applications like FaceTime or Zoom under this provision, and messaging or texting apps such as Google Hangouts or WhatsApp, which OCR clarified should use end-to-end encryption. The OCR has made it clear that public-facing apps, like Twitch and TikTok, should not be used.

What’s the future of HIPAA-compliant messaging?

While no one can say exactly how COVID-19 will change healthcare in a post-pandemic world, there are a few certainties that will likely impact HIPAA-compliant communications in the future.

Security threats will not disappear  

Even during this nationwide public health emergency, the OCR is still encouraging healthcare providers to use secure solutions that will protect patient information and has stated that the waivers will only remain in place during the pandemic.

Healthcare was the industry most targeted by hackers in 2019, and security experts have already warned the COVID-19 pandemic could exacerbate cybersecurity concerns. As telemedicine adoption has increased during this period, so has the variety of ways a cyber-attack can be carried out. Moreover, as patient volumes increase and providers are saddled with heavier loads, these cyber threats may not be identified as quickly. 

While consumer applications not built for healthcare may be a temporary solution to cope with the response to COVID-19, they present a risk for security threats to PHI that will likely only escalate. 

Communication technology needs to improve—and it likely requires new solutions 

When hospitals and health systems are out from under COVID-19 and have a chance to reflect on their response to the pandemic, they may identify gaps in communication technology that need to be filled. Their response to the pandemic, coupled with the relaxation of HIPAA compliance requirements, may reveal the need for hospital-wide technology that enables better, faster, and more secure communications.

Beyond the ability to communicate securely with patients and families, COVID has reinforced the urgent need for health systems to have in place an end-to-end communication strategy that extends from the contact center, to paging codes, secure messaging, critical test results management, and more. Point solutions (such as texting or a badge device) only scratch the surface of the complex needs facing health systems during a pandemic and beyond. 

The opportunity exists to implement decisive change and action 

The COVID-19 pandemic has resulted in the rapid adoption and scaling of telemedicine. By some reports, the U.S. telehealth market is expected to see 80% year-over-year growth due to the COVID-19 pandemic, and about 76% of hospitals are now connecting with patients remotely.

If telehealth can be transformed by COVID-19, it’s likely other healthcare technologies will follow. While there is no going back to healthcare as usual after the pandemic, many experts expect COVID-19 to be the catalyst to change healthcare delivery and improve patient outcomes.

While there is currently no expiration date on the HIPAA compliance waivers, the HHS and OCR have confirmed the original policies will be reinstated at some point in the future. To better understand how we can help your organization deliver better, faster, and more secure communications, see how Spok Go® works in this video.



By Matt Mesnik, MD, Chief Medical Officer
Dr. Mesnik is an emergency physician and business executive with more than 30 years of healthcare, health IT, and medical device experience. He is a former emergency department and urgent care medical director. He is also an accomplished healthcare executive and serial entrepreneur with a reputation for bringing innovative solutions to market, leveraging technology, developing strategic partnerships, practice management, and leadership. He was the CMO of Aprima Medical Software, CVS-MinuteClinic, Medibio, and Sanso Health, and a number of other HIT and medical device companies.