California Extends Telehealth Privacy, Security WaiversState's Renewal of Relaxed Regs Mirrors Handling of Federal HIPAA Waivers
As the COVID-19 pandemic continues to rage and influenza season kicks off, California is extending a waiver that was set to expire this week, which relaxes enforcement of certain privacy and security regulations related to healthcare providers that offer telehealth services.
California Gov. Gavin Newsom on Monday signed an executive order extending provisions of an April 2020 telehealth executive order that was slated to expire today.
That original order - and the extension - promote telehealth services "by enabling medical providers to conduct routine and non-emergency medical appointments through telehealth without the risk of being penalized for privacy or security," Newsom's office said in a statement.
The extension will last through the end of the public state of emergency or until the governor's original executive order is rescinded or modified, the statement says.
California's relaxation of certain privacy and security regulations related to the use of telehealth are similar to the "notice of enforcement discretion" for telehealth put into place at the start of the COVID-19 national public health emergency in March 2020 by the U.S. Department of Health and Human Services (see: COVID-19: HHS Issues Limited HIPAA Waivers).
Under the limited federal waivers, HHS' Office for Civil Rights says it is exercising its enforcement discretion to not impose penalties for noncompliance with the regulatory requirements under the HIPAA rules against healthcare providers "in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency."
Under the HIPAA notice of enforcement discretion, OCR says a covered healthcare provider can use non-public-facing remote audio or video communication technologies to provide telehealth to patients during the COVID-19 nationwide public health emergency.
OCR also says it will not impose penalties against covered healthcare providers for the lack of a business associate agreement with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the "good faith provision of telehealth services" during the COVID-19 national public health emergency.
Among other things, the extended California waiver suspends penalties against healthcare providers if an unauthorized access or disclosure of health information occurs during "good faith" delivery of telehealth services as a result of the use of the technology that does not fully comply with federal or state law.
"Clinics, hospitals, and other healthcare facilities and healthcare providers must maximize the number of capable healthcare workers through the use of telehealth services to ensure that Californians impacted by COVID-19 are able to access medical treatment as necessary," Newsom's order says.
Regulatory attorney Paul Hales of the law firm Hales Law Group notes that Newsom’s executive order covering telehealth services by California HIPAA covered providers "confirms they are covered by OCR’s enforcement discretion that remains in effect during the national public health emergency."
During the pandemic, HHS' Centers for Medicare and Medicaid Services also has provided payment to eligible healthcare providers for certain telehealth services that were previously not covered. "Significant support of telehealth by CMS enabled widespread, important expansion of telehealth services. Awareness of OCR enforcement discretion no doubt helped," Hales notes.
It's important to note that OCR's enforcement discretion did not suspend all HIPAA privacy and security compliance requirements, Hales says. "Nonetheless, providers often neglect procedures that would protect them fully from HIPAA violations when using unencrypted email and text message to communicate with patients and schedule telehealth visits."
The volumes of patients served by telehealth during the COVID-19 pandemic indicates it will be a lasting, important method of healthcare service delivery, Hales says.
"Only time will tell the extent to which some patients may have been harmed by inadvertent disclosures of their protected health information during the scramble to ramp up telehealth services. Health policy experts should evaluate COVID-era telehealth successes and problems to create a strong, secure national telehealth system available to everybody."
While regulators have made moves to help promote the use of telehealth during the pandemic, federal law enforcement agencies have also been cracking down on fraud scams involving telemedicine - including cases that began prior to the COVID-19 outbreak.
For instance, earlier this month, the U.S. Department of Justice announced criminal charges in dozens of healthcare fraud cases across the U.S. - many involving telemedicine scams - totaling $1.4 billion.
In that effort, federal prosecutors filed criminal charges against 138 defendants - including 42 doctors, nurses and other licensed medical professionals - in 31 federal districts.
That includes a $2.9 million fraud case involving conspirators obtaining patients' protected health information and personally identifiable information to create fictitious physicians’ orders for the billing of necessary durable medical equipment and other gear (see: Defendant in Stolen EHR Data Case Sentenced).
"Telehealth is a very complicated issue that obviously has many important state and federal implications," says privacy attorney Iliana Peters of the law firm Polsinelli.
As a result of the pandemic, patients expect to be able to continue to receive remote care, and healthcare providers have largely adjusted to such treatment models, she notes.
"I think state and federal lawmakers, both legislative and regulatory, will continue to have to address these complicated issues to reach some sort of consensus on what will become the status quo in this area at some point in the future," including privacy and security considerations, she says.
New COVID Guidance
Meanwhile, to help clarify confusion about whether HIPAA prohibits disclosures regarding individuals' COVID-19 vaccine status, HHS OCR issued new public guidance on Thursday addressing workplace and related scenarios.
"HIPAA Privacy Rule does not apply to employers or employment records," HHS OCR says. This is because the HIPAA Privacy Rule only applies only to HIPAA covered entities - health plans, healthcare clearinghouses, and healthcare providers that conduct standard electronic transactions - and, in some cases, to their business associates, HHS OCR says.
"We are issuing this guidance to help consumers, businesses, and healthcare entities understand when HIPAA applies to disclosures about COVID-19 vaccination status and to ensure that they have the information they need to make informed decisions about protecting themselves and others from COVID-19," said Lisa Pino, new HHS OCR director, in a statement (see: Former DHS Official to Lead HHS HIPAA Enforcement Agency).