Employers in the healthcare industry are no strangers to change. After all, you are constantly adapting to cutting-edge medical technologies to improve and expand patient care, reform health inequities, advance care coordination and continuity, facilitate data analysis for diagnosis and treatment, and harmonize advanced levels of care across the country. Nonetheless, in hasty response to the pandemic, the industry is experiencing a profusion of advanced technologies now more than ever. These primarily include the unparalleled resurgence of telehealth as well as complex advancements to the nuanced roles of artificial intelligence, analytics, and biometrics to improve integrity of electronic health records (EHR), including migration to a cloud-based platform. In today’s unpredictable and volatile COVID-19 environment, it is critical that you not only confront but embrace this advent of technology through continued employee education and training.

Of course, this is no easy task. In fact, the application of this technology to reality is wrought with challenges arising from providers’ legal duties and your moral imperative to safeguard patient privacy. It is incumbent for you to invest not only in the technologies themselves but in the continued education and training of employees to ensure patient privacy. Thus, it is also critical that you and your employees alike adhere to patient privacy laws, including HIPAA and other statutory obligations. To make matters all the more complicated, these obligations are currently changing, mirroring the volatility of the pandemic’s impact on the practice of medicine. Accordingly, this article seeks to educate healthcare employers as to the impact of these pioneering technologies on patient privacy laws and, despite the unpredictability of the current climate, forecast the staying power of telehealth and related evolving modalities. 

Post-Pandemic Predictions For Telehealth Illustrate Need To Invest In The Technology

Given the current momentum of telehealth services, federal policymakers have enacted upwards of 30 changes to enable greater access to telehealth in the COVID-19 era. Driven by telehealth’s obvious unique ability to deliver contactless patient care, these changes include the relaxation of regulatory hurdles (specifically, the temporary lifting of penalties) by the Center for Medicare and Medicaid Services (CMS) and the Office of Civil Rights (OCR) around HIPAA.

In mid-March, the OCR announced easement of restrictions on telehealth during the pandemic, including the temporary lifting of penalties generally imposed on providers who use non-HIPAA compliant virtual communications technology during the public health emergency provided such use is in good faith. By way of vague guidance, the OCR announced that healthcare providers seeking to use telehealth to reach patients “can use any non-public remote communication product that is available to communicate with patients. . . This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”

In its announcement, the OCR specifically recognized the essential link telehealth affords patients and providers while removing the need to travel to burdened hospitals. OCR Director Roger Severino stated, “We are empowering medical providers to serve patients wherever they are during this national public health emergency. . .We are especially concerned about reaching the most at risk, including older persons and persons with disabilities.”

Unfortunately, the vague relaxation of many regulations by the Department of Health and Human Services (HHS) has left healthcare employers in the dark as to permanence. Concurrent with the introduction of a related bipartisan bill in mid-June and in response to the concerns of constituents largely made up of healthcare employers, senators from both sides of the aisle requested HHS and CMS provide a written plan for permanent changes to the rules around telehealth. The June 26 request specifically seeks guidance as to OCR’s enforcement discretion of HIPAA compliance, including a security analysis of non-HIPAA compliant tools on which providers and patients rely during the current pandemic. While a formal response is outstanding, CMS Administrator Seema Verma acknowledged the importance of clarity for the future, stating that she “can’t imagine going back.”

In response to the lack of guidance for healthcare constituents and in recognition of telehealth’s staying power, in early July, bipartisan legislation aimed at codifying clarity for telehealth regulations was introduced. Notably, the Exposure Notification Privacy Act would mandate that providers using telehealth services or other advanced modalities storing EHR to analyze patient data – examples of which include patient data used in COVID-19 exposure notification systems – obtain patient consent for specific utilization of said data.

The pending bill’s focus on preservation of patient privacy illuminates the significance of privacy. Echoing the public’s concern, the American Medical Association recently released patient privacy principles warning that the government must not trade privacy for efficiency of telehealth. Accordingly, the importance of safeguarding patient privacy must remain at the forefront of healthcare employers’ minds when training employees on the provision of telehealth services as well as all tasks involving patient data stored in EHR.

Takeaways For Healthcare Employers

With the temporary relaxation of HIPAA penalties and other regulatory enforcement, providers have been afforded the unprecedented opportunity to offer telehealth without concern of major financial repercussions related to the technology’s unique threat of exposure. In fact, many have touted the advent of telehealth amidst COVID as the “unexpected experiment.” Certainly, the value of telehealth services cannot be overstated and thus, the related investment in technology and employee training is pivotal.

However, with the hurried, en masse implementation of telehealth stemming from the pandemic, new challenges become evident. It is in this erratic environment that healthcare employers must function. To that end, as evidenced by public concern and thus forthcoming legislation, patient privacy and HIPAA compliance should remain of tantamount concern.

Ultimately, evidenced by telehealth’s vital role in evolving patient care, investment in the service is critical to continuing to operate as a provider in the 21st century. The question remains: to what degree? Nonetheless, from a legal preparedness and risk aversion standpoint, in continuing to utilize telehealth, healthcare employers should remain vigilant in the protection of patient privacy.