Heightened Data Privacy Laws Requiring Greater Security and Vigilance
On March 17, the Department of Health and Human Services issued a notice that it would not impose HIPAA penalties on providers for “good faith provision of telehealth during the COVID-19 nationwide public health emergency” and permitted the use of remote communication products that are not public facing.
However, it also cautioned providers that these technologies potentially introduce privacy risks.
With more people shifting to remote care and a simultaneous spike in cybercrime, regulators are poised to strengthen protections for personal information. Expect data privacy and security laws to return to normal following the pandemic and prepare for potentially more stringent privacy laws to follow.
With that in mind, providers should:
- Evaluate security controls of telehealth technologies and vendor HIPAA compliance
- Consider interoperability of platforms and connected devices with electronic health record systems
- Enter into or amend business associate agreements with vendors who have access to protected health information and ensure protections for breaches and security incidents — including strong indemnification, reporting obligations and cyber liability coverage
- Conduct a comprehensive security risk assessment of IT systems
READ MORE: Is your at-home workspace HIPAA compliant? Review our checklist.
Continued Debate Over Reimbursement and Coverage Expansion
Before the pandemic, Medicare coverage of telehealth services was extremely restrictive, with limitations for originating sites, geography, eligible practitioners and services, and qualifying technology.
The Coronavirus Aid, Relief and Economic Security Act allowed the Centers for Medicare and Medicaid Services to temporarily remove these requirements under broad waivers. Congressional action will be needed to permanently expand Medicare telehealth coverage, a measure that has long received bipartisan support.
The Congressional Budget Office has historically been forced to draw inferences from commercial health insurance programs in projecting telehealth expansion costs. However, it claimed this comparison was of limited use because private insurers have more tools to influence physician and patient choice over treatment decisions.