COVID-era telehealth HIPAA enforcement discretion to end

Dental practices have until Aug. 9 to comply

An enforcement discretion in place during the COVID pandemic that allowed health care providers to conduct telehealth appointments that were not in full compliance with HIPAA is set to expire.

The U.S. Department of Health and Human Services Office for Civil Rights announced April 11 that this enforcement discretion ends May 11 and dental practices have until 11:59 p.m. on Aug. 9 to come into full compliance with the Health Insurance Portability and Accountability Act rules on telehealth.

The enforcement discretion provided that during the public health emergency a dental practice could use any available nonpublic facing remote communication product to provide telehealth, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype. OCR encouraged health care providers to notify patients that these third-party applications potentially introduce privacy risks and to enable all available encryption and privacy modes when using such applications. The OCR notification stated that public facing video communication applications should not be used, such as Facebook Live, Twitch, and TikTok.

OCR encouraged health care providers seeking additional privacy protections while using video communication products to provide such services through technology vendors that are HIPAA compliant and willing to enter into HIPAA business associate agreements. The OCR notification provided examples of vendors that represent they provide HIPAA-compliant video communication products and will enter into a business associate agreement.

Some tips to consider when working toward compliance, include:

• Revise the HIPAA security risk analysis to assess the data security risks of their current method of providing telehealth services and implement risk management to bring any risks that are not low to an acceptable level.
• Enter into a business associate agreement with any telehealth vendor that creates, receives, maintains or transmits patient information. If a current vendor is unwilling to enter into a business associate agreement or otherwise not in compliance with HIPAA, take reasonable steps to fix the problem and if not successful, terminate the relationship if feasible.
• Encrypt patient information at rest and in transit.
• Update HIPAA policies and procedures on telehealth as appropriate and train staff on any new policies and procedures. Apply appropriate sanctions if a staff member does not comply with the policies and procedures. Telehealth policies and procedures may include details such as which workstation(s) may be used to provide telehealth and how the workstation(s) should be protected, and how to manage which staff members are permitted to access telehealth patient information. In addition, telehealth may be part of a dental practices contingency planning.

Different dental practices will develop different solutions for providing HIPAA compliant telehealth. There is no one-size-fits-all HIPAA Security Rule solution. The HIPAA Security Rule permits a flexible approach, and requires dental practices to take the following factors into account when deciding which security measures to use:

• The size, complexity, and capabilities of the dental practice.
• The dental practice’s technical infrastructure, hardware, and software security capabilities.
• The costs of security measures.
• The probability and criticality of potential risks to electronic patient information.

The OCR notification of enforcement discretion for the public health emergency does not apply to the HIPAA Breach Notification Rule. If a dental practice providing telehealth discovers a breach of unsecured patient information, the dental practice may be required to notify affected individuals, OCR, and in some cases the media. Similarly, the OCR notification did not affect state laws on privacy, data security, or breach notification.

Compliancy Group, an ADA Member Advantage-endorsed service, offers HIPAA compliance software that can help dental practices comply with the law. Visit https://compliancy-group.com/hipaa-compliant-telemedicine-software for more information or to purchase the software, visit https://store.ada.org/catalog/compliancy-group-hipaa-compliance-software-solution-88833.