HIPAA Waivers During COVID: What to Expect in 2022
Global pandemics like COVID-19 are unprecedented situations, which call for unprecedented action. This mantra is especially true in the field of healthcare, where in early 2020, operations shifted to predominantly virtual care. This action was initiated to keep people apart and to prevent the further spread of a virus we knew so little about.
Today, scientists, doctors, and the general public are better informed about COVID-19 and its risks. Many people are also vaccinated against the virus. Despite this, people continue to use virtual healthcare services that became popular during the early days of the pandemic. We are specifically referring to telehealth: the practice of receiving medical care via online mediums like video chats or phone calls. Telehealth was previously popular amongst seniors living in rural areas or having mobility challenges. Today, it has become a convenient choice for those in various situations. However, communicating with healthcare practitioners online was not always this easy. Those in the field must adhere to the guidelines set forth by the Health Insurance Portability and Accountability Act (HIPAA). In simple terms, this act governs the way personal health information (PHI) is stored and shared, among other things.
In March 2020, a U.S. government agency made a significant decision. According to a notice released by the U.S. Department of Health & Human Services, the Office for Civil Rights (OCR) would "not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency." In theory, that meant telehealth appointments could take place on platforms such as FaceTime by Apple or even through video chat functionality on Facebook Messenger. These actions greatly assisted both providers and patients with an abrupt transition to digital care. Although the exceptions have been welcome news to those on both sides, they are not permanent. As the COVID-19 pandemic is slowly inching toward endemic status, the government can re-impose standard HIPAA regulations at any time. With that in mind, what can patients and providers expect in 2022? Let us examine the potential digital care landscape of the near future.
What is a HIPAA Waiver?
Like most waivers, it is an agreement to set aside certain rules or standards (and the associated penalties). This waiver is more significant since it involves HIPAA, which is essentially the set of rules and standards that govern PHI.
According to the U.S. Department of Health & Human Services (HHS), "if the President declares an emergency or disaster and the Secretary declares a public health emergency, the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain provisions of the HIPAA Privacy Rule." This is precisely what happened on March 15th, 2020.
What types of provisions can be waived? Here is a comprehensive list provided by the HHS:
- The requirement to obtain a patient's agreement to speak with family members or friends involved in the patient's care
- The requirement to honor a request to opt out of the facility directory
- The requirement to distribute a notice of privacy practices
- The patient's right to request privacy restrictions
- The patient's right to request confidential communications
A couple of examples of exempted activities from the 2020 waiver include:
- Patient communication: Although communicating patient information was always permitted under HIPAA, the waiver provides leniency on the procedures and mediums used to share information.
- Appointment scheduling: The HIPAA emergency exception also applies to web-based scheduling applications. No enforcement measures will be taken against providers or their business associates when it comes to the type of scheduling application used, as long as it is done in good faith.
What is a HIPAA Authorization?
A HIPAA authorization is different from a HIPAA waiver. While a waiver removes the need for compliance in certain situations, an authorization acts as permission to conduct an action. Some might argue that the waiver and authorization are complete opposites.
The HIPAA Privacy Rule allows for PHI to be shared amongst others in the healthcare field, including providers, plan administrators, and business associates of those covered by HIPAA. To share PHI with other individuals or organizations who are not covered under HIPAA, a provider must obtain formal authorization from the patient.
A few examples of when a HIPAA authorization might be required are laid out by the HIPAA Journal:
- Scenarios where PHI is used for research
- Before the sale of PHI
- To obtain substance abuse and treatment records
- Obtaining psychotherapy notes other than for specific treatment, payment, or health care operations
- Acquiring PHI for marketing purposes except when communication occurs face to face between the covered entity and the individual or when the communication involves a promotional gift of nominal value
Looking Ahead to 2022: When Will the US Government End Its Relaxed Rules on HIPAA Compliance?
As the pandemic changes, so do the rules mandated by all levels of government. For instance, in the early days of 2020, nearly all states relaxed rules around licensing physicians. This action meant that out-of-state healthcare providers could conduct telehealth appointments without paying fees and completing tedious forms. Prior to this exception, if a provider wanted to practice in three separate states (outside their home state), the application process would need to happen three times. So it comes as no surprise that this exception greatly enhanced access to telehealth services - a win-win situation for provider and patient alike. However, these exceptions are ending, seemingly one by one. As of November 2021, at least half of the states that initially agreed to this arrangement have reverted to standard operating procedures.
Another reason telehealth became more attractive during the COVID-19 pandemic was that the Centers for Medicare & Medicaid Services (CMS) allowed Medicare coverage to be applied to any patient, regardless of their location in the country. It was previously limited to rural patients only. This exception also ensured that payments were sufficient to cover the costs (e.g., relative to in-person visits). This is an important action considering there are approximately 62 million Americans who use the Medicare program. As of the time of writing, this exception is set to expire in January 2022, unless extended - so be sure to keep an eye on any new developments (or lack thereof).
There is no crystal ball to tell us when the U.S. government will end its relaxed rules on HIPAA compliance. It seems as though every time the world is on the mend, a new variant of COVID-19 appears, setting us back in time. Some might argue that the exceptions will end when the virus is deemed endemic. According to many hypotheses, COVID-19 likely will not be endemic until the end of 2022, with the CEO of Pfizer predicting 2024. So it is likely safe to assume that HIPAA emergency exceptions will continue, in some capacity, for most of 2022 and perhaps beyond.