The fallout of COVID-19 has had a sweeping impact across most aspects of healthcare delivery as we know it. While accessing healthcare has changed dramatically and will likely never completely return to pre-pandemic “business as usual,” what can we say about protected health information (PHI) and HIPAA compliance? How has COVID-19 altered HIPAA–compliant messaging, and how might it change in the post-pandemic healthcare environment?
How did COVID-19 change HIPAA–compliant messaging?
When hospitals and health systems were suddenly faced with the threat of COVID-19, there was an immediate need for rapid changes to many care delivery policies and procedures. Ensuring secure, fast, hospital-wide communications was challenging enough without the new threat of overburdened hospitals and a large, decentralized, virtual, remote network of employees and patients.
Limited waiver of HIPAA sanctions and penalties for hospitals
To assist in nationwide public health emergencies, like the COVID-19 pandemic, the law allows certain provisions of the HIPAA Privacy Rule to be waived during the emergency. On March 15, the U.S. Department of Health and Human Services (HHS) waived sanctions against hospitals that do not fully comply with five provisions of the HIPAA Privacy Rule during the COVID-19 pandemic:
- Requirement to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care
- Requirement to honor a request to opt out of the facility directory
- Requirement to distribute a Notice of Privacy Practices
- Patient’s right to request privacy restrictions
- Patient’s right to request confidential communications
These waivers have helped hospital systems give patients the care they need and share PHI to support the nation’s response to the public health emergency.
Waiver of noncompliance for telehealth remote communications
To help support remote patient care and deliver better care through telemedicine, the Office for Civil Rights (OCR) at the HHS announced that it will not impose penalties against hospitals that communicate or provide telehealth services through technology that may not fully comply with HIPAA rules during the COVID-19 response.
Under this provision, the OCR is allowing providers to use consumer applications like FaceTime or Zoom, and messaging or texting apps such as Google Hangouts or WhatsApp, which OCR clarified should use end-to-end encryption. The OCR has made it clear that public-facing apps, like Twitch and TikTok, should not be used.
What’s the future of HIPAA–compliant messaging?
While no one can say exactly how COVID-19 will change healthcare in a post-pandemic world, there are a few certainties that will likely impact HIPAA–compliant communications in the future.
Security threats will not disappear
Even during this nationwide public health emergency, the OCR is still encouraging healthcare providers to use secure solutions that will protect patient information, and it has stated that the waivers will only remain in place during the pandemic.
Healthcare was the industry most targeted by hackers in 2019, and security experts have already warned the COVID-19 pandemic could exacerbate cybersecurity concerns. As telemedicine adoption has increased during this period, so has the variety of ways a cyber-attack can be carried out. Moreover, as patient volumes increase and providers are saddled with heavier loads, these cyber threats may not be identified as quickly.
While consumer applications not built for healthcare may be a temporary solution to cope with the response to COVID-19, they present a risk for security threats to PHI that will likely only escalate.
Communication technology needs to improve—and it likely requires new solutions
When hospitals and health systems are out from under COVID-19 and have a chance to reflect on their response to the pandemic, they may identify gaps in communication technology that need to be filled. Their response to the pandemic, coupled with the relaxation of HIPAA compliance requirements, may reveal the need for hospital-wide technology that enables better, faster, and more secure communications.
Beyond the ability to communicate securely with patients and families, COVID has reinforced the urgent need for health systems to have in place an end-to-end communication strategy that extends from the contact center, to paging codes, secure messaging, critical test results management, and more. Point solutions (such as texting or a badge device) only scratch the surface of the complex needs facing health systems during a pandemic and beyond.
The opportunity exists to implement decisive change and action
The COVID-19 pandemic has resulted in the rapid adoption and scaling of telemedicine. By some reports, the U.S. telehealth market is expected to see 80% year-over-year growth due to the COVID-19 pandemic, and about 76% of hospitals are now connecting with patients remotely.
If telehealth can be transformed by COVID-19, it’s likely other healthcare technologies will follow. While there is no going back to healthcare as usual after the pandemic, many experts expect COVID-19 to be the catalyst to change healthcare delivery and improve patient outcomes.
While there is currently no expiration date on the HIPAA compliance waivers, the HHS and OCR have confirmed the original policies will be reinstated at some point in the future.