Understanding OCR HIPAA Enforcement Waivers for Telehealth Expansion During COVID-19

Date: March 30, 2020
Good morning, good afternoon, and on behalf of myself, Ryan, Carolyn and Stacey, we are so glad that you could join us today for our latest webinar as part of our COVID 19 resource effort. Today we are going to be talking with you about understanding recent OCR HIPAA enforcement waivers and certain telehealth expansions, as well as some related topics concerning privacy. On behalf of all of us, we first want to say to everyone at the front lines of keeping us and our families healthy, we are so incredibly grateful for all the work that you’re doing.

So, today we hope to talk a bit about some recent OCR activity, as well as some activity by sister federal agencies that relate to telehealth and the use of health-related information to respond to COVID 19.

As most of you know, on March 13th of this year, President Trump issued his proclamation declaring a national emergency with respect to COVID 19. In response to this, numerous federal agencies, SAMHSA, OCR, FDA, as well as many others, have issued enforcement discretion and new guidances to help healthcare systems, health plans and the many companies out there seeking to support them to respond to this pandemic.

Here is a brief timeline of some of the activities, excuse me, over just the last two weeks. You can see that the first OCR bulletin with respect to COVID 19 came out in early February. And then, beginning in the middle of March, there has been a flurry of activity by OCR and other agencies. This is just a sample of the OCR related statements, guidances and enforcement discretions that are guiding all regulated parties as they respond to COVID 19. We’re going to spend most of our time today talking about the enforcement discretion guidance and follow up information from the agency, as well as parallel efforts by other agencies to talk about how information could be used and disclosed to respond to COVID 19 as well as certain expansions of telehealth. And with that, I will turn it over to Carolyn.

Thanks. I’m going to talk a little bit about the OCR enforcement waiver. So, OCR will not impose penalties for noncompliance with HIPAA against covered entity healthcare for providers in connection with the good faith provision of telehealth during the COVID 19 national emergency. Covered entity healthcare providers that want to use remote communication technologies to provide telehealth to patients during COVID 19 national emergency, even if the telehealth is not related to diagnosis or treatment of COVID 19, they can use any non-public facing remote communication products that are available to communicate with the patient. Non-public facing remote communication products include, for example, with respect to the video application context, Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, Skype. In the text application context, they include Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage. An OCR notification that came out on the 17th of March, the OCR effectively, effectively said that immediately, it’s going to exercise its enforcement discretion, and it will not impose penalties for noncompliance with HIPAA, the guide is to cover entity healthcare providers in connection with the good faith provision of telehealth during this national emergency. It specifically stated that covered under the healthcare providers that want to use the remote communication technologies to provide telehealth, again, during this national emergency can do so, even if it’s not related to COVID 19 diagnosis or treatment. As long as it’s a non-public facing remote audio or video communication, and I just described to you with those examples were. Now the list of remote communication product examples that was provided in the OCR notification that came out on the 17th was not intended to be exhaustive.
In the OCR FAQs that came out on March 20th, the OCR provided additional examples of remote communication products to which the enforcement waiver would apply, and clarified that they could include text applications, not just audio and video applications. The list was expanded. The list of examples, expanded to include, for video applications, WhatsApp video chat, and for text applications, Signal, Jabber, Facebook Messenger, Google Hangouts. I already mentioned some of these, but it was expanded again on the 20th. On the 20th, in the OCR FAQs, OCR notes favorably that these applications—what’s great about these applications, or at least that protects privacy to some extent is that they typically employ end-to-end encryption. They support individual user accounts, logins and passcodes to help limit access and verify participants and/or permit participants to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off video or audio at any point. OCR now says, in the OCR notification that came out on the 17th, that the enforcement waiver extends to failure to enter into business associate agreements with vendors of non-public facing remote communication products. OCR distinguishes the above non-facing remote communication products from public facing ones, and it described public facing ones as including, Facebook live, TikTok, Twitch, and similar video communication applications. These are not subject to the enforcement waiver and may not be used to provide telehealth. OCR notes that these products are designed to be open to the public or allow wide or indiscriminate access to the communication, and accordingly, a provider that chooses to use these products would not be covered by the enforcement waiver.
It should be noted that the enforcement waiver extends to covered entities that are healthcare providers, and not to covered entities that are healthcare plans or healthcare clearinghouses. OCR made it very clear in the FAQs, that even health plans that pay for telehealth services are not subject to the enforcement waiver because they’re not engaged in the provision of health care. The OCR encourages providers to notify patients that third-party applications for communication potentially introduce privacy risks and that the patient should, to the extent they can, enable protective measures such as encryption and other privacy modes when using these applications. The OCR does not address whether the patient notifications of privacy risks should be in writing or delivered orally. It doesn’t provide guidance as of when it should be delivered in the course of the visit, whether it needs to be provided prior to the visit. OCR is merely encouraging and not requiring providers to provide such notifications. Therefore, providers really need to think about the feasibility of such notifications and the appropriate measures and methods of providing the notifications. Now I’m going to turn it over to Stacey.

Thank you, Carolyn. So while the OCR did indicate that it will exercise the enforcement discretion and against covered entity healthcare providers in the connection with good faith provision of telehealth during this COVID 19 national emergency as my, as my colleague has explained, it is important to note that the guidance was also somewhat measured, that is, the OCR advised that covered entity health care providers that seek additional privacy protections for telehealth should provide such services using vendors that both provide HIPAA compliant remote communication products and that will enter into business associate agreements in connection with providing those products. In the OCR notification from March 17th, the OCR provided a list, a non-exhaustive list of vendors that represent that they provide HIPAA compliant video communication products and that they will enter into business associate agreements. And we’ve listed those on this slide here. The OCR did not opine on whether those BAAs are in fact HIPAA compliant, but, but noted that these vendors do represent that they will enter into such agreements. Because the OCR is merely advising those providers that seek additional privacy protection to use these sorts of vendors and not requiring, it’s important that providers evaluate the feasibility of using such vendors during the national emergency. When the enforcement waiver described in the OCR notification ultimately terminates, providers that are not using HIPAA compliant remote communication products will need to evaluate whether their preferred product vendors are properly categorized as business associates, or if they are mere conduits. In prior guidance, the OCR explained that they have a privacy rule, it does not require a covered entity to enter into a business associate agreement with an organization that acts merely as a conduit for protected health information.
A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Accordingly, covered entity providers should evaluate all relationships with any remote communication vendors following the termination of the OCR enforcement waiver. And sorry, Carol, we’re back two slides, sorry. So, after the termination of this, then, they’re under recommendations that that these, these should be examined to make sure that where a business associate agreement is necessary, that that there is one in place, and where it’s a mere conduit relationship that that has been evaluated. So okay, so next slide, please.

It’s important to note that the waiver described in the March 17th OCR notification does not have an expiration date. Because the notification states that the OCR will not impose penalties for non-compliance in connection with the good faith provision of telehealth during the COVID 19 nationwide public health emergency, many initially concluded that the waiver may automatically terminate once there is a presidential proclamation indicating that the national emergency has ended. But the OCR clarified in the FAQs that were published on March 20th that Carolyn mentioned, that the enforcement waiver will terminate only after the OCR issues an additional notice to the public that it’s no longer exercising this enforcement discretion. So, as such, it’s important for covered entity providers to monitor OCR guidance in case the OCR terminates its March 17th notice prior to the end of the national emergency. That’s not something that many are anticipating, but it is possible based on, on the guidance that we have seen. Next slide, please. Can you go to the next slide?

So, another notable fact about the enforcement waiver that was described in the OCR guidance is that it may not extend to non-HIPAA compliant voicemail applications. While the guidance makes it clear that the enforcement waiver extends to non-public facing remote communication products with specific reference to audio, video and text applications, it does not specifically address voicemail application. And as Carolyn mentioned, in the March 20th FAQs, the OCR notes that the products to which it has specifically extended this enforcement waiver, typically employ end-to-end encryption, support individual user accounts, logins and passcodes to help limit access and verify participants and/or permit participants to assert some degree of control over particular capabilities, such as choosing to record or not record. So, voicemail, then would seem to fall outside of the enumerated products to which the enforcement waiver extends, although this is not specified. So accordingly, providers should further evaluate the use of any non-HIPAA compliant voicemail applications prior to implementation. So, with that, I’m going to turn over to Ryan Higgins to discuss how the guidance may affect security risk analyses and another, and other items.

Thank you. I’m going to highlight here, a potential ambiguity with respect to the enforcement waiver, and I’m going to underline the word potential, with respect to compliance with the HIPAA security rule, security risk analysis requirements. But, in order to focus on the ambiguity, I want to back up just a little bit. So, on March 13th, the president issued this proclamation of the national emergency concerning COVID 19 and, among other things, that declaration said that the secretary of HHS could temporarily waive or modify certain requirements of the HIPAA Privacy Rule. It didn’t specifically mention the Security Rule or the Breach Notification Rule, but I just mentioned here that it just, it just focused on the Privacy Rule. The OCR waiver notice of March 17th makes the broad statement that OCR will exercise its enforcement discretion and will not impose penalties for non-compliance with the HIPAA rules, and in that context it refers to Privacy, Security and Breach Notification Rule, against health care providers in connection with the good faith based provisions of telehealth during the COVID 19 national emergency. Most of the discussion in the waiver centers on the concept of remote communication products in the absence of business associate agreements with vendors, where those business associate agreements might otherwise be required. The waiver notice does not specifically discuss the covered entity’s own internal HIPAA security rule risk analysis requirement, which would ordinarily need to be updated to reflect the utilization of a new remote communications product. Will a covered entity face potential penalties for failures to update its security risk analysis to include these new remote communication products? I’m certainly not saying that they will, because in part of the broad waivers articulated in the notice. I’m just flagging here.
There’s at least a potential ambiguity, because, in my mind, unlike entering into a business associate agreement with a third party, the security risk analysis process is primarily internal for the covered entity. Completion of the security risk analysis requires no action by a third party. If the purpose of the waiver is to utilize, enable utilization of commonly available products to promote telehealth, with a focus on broadening usable technologies and waiving business associate requirements, it just didn’t talk about that security risk analysis issue that I just raised. So, covered entities might consider including, in there, including their selected telehealth products, within the scope of their security risk analyses notwithstanding the OCR guidance. Now, let me be clear. I’m not recommending the covered entities delay implementation of their selected remote communication products in the context of this national emergency. Rather, I’m just suggesting that covered entities evaluate whether they ought to do so at a time that makes sense, as a compliance risk mitigation measure because such an update really is, would take very little time. Next slide, please.

So, OCR has given us an ostensibly non-exhaustive list of products that are covered by its waiver. For video, that would be Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, and Skype. And for text messaging, they mentioned Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage. OCR also mentioned certain products that are ostensibly compliant even without the waiver notice, because they say that they’re HIPAA compliant and they will enter into business associate agreements. Those are Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google G Suite Hangouts Meet. So, what if you want to utilize a product that’s not on that list? First, you have to consider whether or not it is public or non-public facing. Public facing tools are not covered by the waiver. Examples of those, again, are, and these were provided by OCR, Facebook Live, Twitch and TikTok. These are all generally viewable by more than one person without some sort of individual authentication mechanism. What about potentially other non-public facing products that aren’t on OCR’s list? So, the waiver notice is broad, and reading it, you can see that it’s not intended to be an exhaustive list of products. So, if you’re, if you’re going to utilize a product that’s not on the OCR list, you might think about what features does this product that I might use have in comparison to those products on the list? A lot of products on the list will have end-to-end encryption, they will support individual user accounts, logins, and passwords, they help limit access and verify who’s participating in the telehealth interaction, and they will often permit the users some degree of control over the application, meaning whether or not it’s recording at any given moment, whether or not it’s on mute, those types of controls.
And then, even before the waiver notice was in place, some providers were more comfortable using peer-to-peer type tools and characterizing them as mere conduits, as opposed to business associates. So, in addition to those features, I just mentioned, end-to-end encryption, supporting individual user accounts, user control over capabilities, you might want to also think about whether the product you’re using functions as a peer-to-peer, which might even qualify as a mere conduit, or if it’s using some more traditional cloud infrastructure or client server architecture. Next slide, and then we can get back to Jenn.

Thanks, Ryan. I’m the only one not in Chicago, so I think my slides are a little bit on a delay, so we just need slide 14. There we go. So, we wanted to spend a few minutes talking about the rollout reality for these remote and telehealth tools. Historically, the degree to which an individual used a telehealth tool had to do with their provider’s insistence on it, but also that patient’s comfort level. Some patients really were not comfortable using technology and have the luxury of seeking in-person contact and won’t have a lot of experience using telehealth tools as we are in the middle of this rapid pivot to remote monitoring in telehealth, so that, we have a lot of patients interacting with healthcare providers, where both sides are relatively new to the use of telehealth technology. And to make this expanded access to telehealth and remote monitoring successful, some attention that needs to be paid to helping patients understand how to use this technology safely and effectively. So, the first thing we wanted to talk about was incidental disclosures. So, the classic example of an incidental disclosure is a patient walking down a corridor in a hospital or other setting and seeing the names of other patients, perhaps as a nameplate when they’re going to see their loved one. Or, hearing a name called out in a waiting room. Those are incidental disclosures, or where the disclosure of PHI or the use of PHI is permitted, and part and parcel of that, the PHI as disclosed to someone else in a way that’s really not avoidable, where reasonable safeguards aren’t sufficient to rule out that possibility. So, incidental disclosures also have a place in telehealth and I want to encourage you to think about what are the ways in which a disclosure of PHI might occur by accident. So, that could be a situation where providers are working remotely themselves.
They are taking telehealth visits from the safety of their own home, and, I think, everyone now is working from home quite a bit, and we are all sympathetic to family members coming in, background noises, so we’re all working parents now, essentially, and that can cause some risk of an incidental disclosure on the provider side. Similarly, you could have an incidental disclosure potentially on the patient side and counseling your patients, are you in a private place? Can we talk now? Is this a good time? Helping patients think about the fact that they’re on video. Or perhaps, they could put in earphones. Some of these things may seem basic, but to the extent that your providers are working with patients who have different socioeconomic or generational experiences with technology, some tips for your providers to minimize the chance that protected health information will be used or disclosed in ways that are unintended is part of this rollout. So, our recommendation, as you can see at the bottom, is that covered entity healthcare providers, whether they’re using technologies within the enforcement discretion or technologies subject to a valid business associate agreements, are taking some best practices to limit incidental uses and disclosures of patient PHI when helping patients remotely. One thing we, we wanted to add is that this isn’t just for the national emergency. Once your patients become familiar working with telehealth, it’s reasonable to expect that there’s going to be an ongoing demand for telehealth services. People will have gotten over their initial discomfort or reservation about using these resources. So, these policies, procedures, training for your personnel, tips you could be sending to your patients in advance of their first telehealth visit, these are things that are not just for the national emergency, but pay dividends on an ongoing basis for communicating effectively and securely with your patients. Next slide. We can go to slide 15.

It’s on its way. It’s just a little delayed.

No problem. It’s as if lots of people are using the Internet at once, Carolyn. There we go, there’s slide 15. Thank you for everyone’s patience, so we wanted to talk a bit about onboarding and engaging patients. So, continuing the theme of acclimating your patients very quickly to using telehealth, especially when they may be isolated and scared. Perhaps separated from adult children who could help them become more familiar with these technologies. People are afraid, and you want to encourage them to use telehealth before they come into institutional healthcare settings as a way to slow the spread of COVID. So, there are some operational and communication challenges that you may experience as you are rapidly pivoting. And again, this is not limited to technologies covered by the enforcement discretion. But there are a few specific ones that are more, more particular to technologies that fall within that enforcement discretion. So, first is thinking about the written and oral communications that you want to provide patients. Many of the patients that are going to be using telehealth will never have done so before. You’ll, if you can, and this is difficult, I know everyone is working under incredible time pressures, and there’s not always a lot of warning for patients who may become ill, but providing, if you can, instructions well in advance of the call. Perhaps instructions by email that they could share again with someone who might be able to walk them through the technology. Instructions for scheduling and downloading the applications that they need. So, many of your patients may be used to using your patient portal, for example. But perhaps you have, you’re using your leveraging telehealth service that’s not through the regular patient portal. And that telehealth service may have its own privacy policies, terms of use and other click through menus. So, that patient goes to their patient portal, where they have the calendar invite for their telehealth visit. 
Just a few months, a few minutes, excuse me, before the visit, and then they realize they have, you know, five or 10 minutes to wait for an app to download and to process through the typical terms of use and privacy policies. So, if you are using a system, again, whether HIPAA compliant or not, that will require a patient to proceed through that as they would with downloading a different type of app or web application, making sure that they know that, that there’s an alert that they should start 30 minutes in advance, for example. You may also need to think about an online way of acknowledging receipts of notices of privacy practices, especially for your new patients. Provider patient communications using unencrypted email is not new. Some patients really do prefer, especially when a patient portal is not available, to communicate with their patients by email. This may be increasing in your practice as you have more patients trying to reach doctors and using their existing email accounts to do so, having template communications that warn patients of some of those risks so that patients can make informed decisions for themselves about whether they want to continue to use email and then have providers have a way of documenting that that warning was provided and that the patient decided that the privacy risk was not paramount to them as they weighed other risks, including the need to reach their physicians quickly. There is, as you know, OCR guidance regarding unencrypted email communications. This guidance is still an important one to consult if you are finding that your patients are reaching out to you by email, as opposed to, for example, a secure patient portal. If we could go to the next slide, that would be great.

Terrific. Thank you. And finally, the OCR guidance does note the need to explain to patients the risk of using non-HIPAA compliant, non-public facing remote communication products. And this is an example of an onboarding technique, or, compliance that’s really specific to this national emergency. So, if you have access to HIPAA compliant scalable solutions, we encourage you to use them. The purpose of this guidance is when you either cannot get HIPAA compliant technologies in the time that you need them to care for your patients, or you’re, you’re hitting, for example, a barrier on scale and you need to be bringing in additional products. So, to the extent you have decided after looking at all the facts and circumstances, that leveraging this guidance is important, you still need to communicate with your patients about the potential risks and benefits of using them. You know, many patients may feel like the types of things that they’re discussing with you are not particularly sensitive. They just want to run their symptoms by you, maybe they’re feeling a little bit nervous, or it may be something completely unrelated to COVID. A well visit that you’re able to do remotely, or, you know, something that clearly is not COVID related. But you still want to discuss with your patients that they are using, or that you are using a technology that is, not does not, necessarily meet all of the HIPAA standards to make sure that patients are comfortable with that.
We recommend that you have talking points to guide your providers in how they have that communication, so that you can make sure that your patients are receiving consistent information across providers, and so that you can, to the extent you can grab a moment to do this, craft these talking points to not overstate and alarm, overstate the risks and alarm your patients, but also not to understate them, so that patients can feel that you are being transparent about the choices that you’re you are making and you are offering to those patients. Patients can decide if they want to proceed. The other important thing here is the guidance makes clear that the use of these non-HIPAA compliant technologies, as of now, would expire when the national emergency expires. And so, patients should understand if you are using a non-HIPAA compliant technology within the scope of this enforcement discretion, that this technology may not be available long term, especially if you cannot convert it to a business associate HIPAA compliant solution for use by your providers. Finally, you may want to help give your patients some information about things that they could be doing to make their device that they’re using to connect with you remotely safer. So, we’ve listed a few examples here. So, many patients may have a pretty long period of time before their phone, when idle, clicks over to a password setting. And if they’re going to be using their phone to get medical care from you, you may want to suggest that they shorten the window before a password, the password lock engages. They may want to improve their password strength or change their password more frequently. You may find that you’re asking patients to take a video or a picture, for example, of a rash or a video of someone walking, as part of your telehealth visit. If they’re using their regular, their smartphone or their tablet to do that, then that, video or picture would be saved in the usual course.
You may want to counsel patients that they may want to delete those images from their device after they’ve been provided to you if they feel that they are sensitive information that they wouldn’t want to keep on their phone. And, if we could go to slide 17.

Great. So, this one is, is hard. We know that our providers are stretched, beyond stretched. So, we did want to just gently remind providers that they should try, whenever possible, to timely document the telehealth visit in the EMR. So, some of these technologies may not have direct reporting capabilities into the EMR. They may require that information be copied, essentially, into the EMR when possible. And so, if you are doing visits remotely, and don’t have the same connectivity that you’re used to, with respect to your EMR, to circle back and get that documentation in. Second, you may find that you have multiple patients during a single telehealth visit. So, if a family, for example, falls ill, you may have the mom and two kids on her lap all having a telehealth visit, and you will want to document the information in the correct medical record, and also think about how you document the telehealth visit for the purposes of reimbursement. And with that, I will turn it back to Ryan.

Thank you. There’s a little bit of sister agency additional guidance that is important to telehealth context that I want to touch on here. Many of you are familiar with 42 CFR Part 2, which relates to the disclosure of substance use disorder treatment information. The Substance Abuse and Mental Health Services Administration, SAMHSA, for short, provided some guidance on March 19th in response to the COVID 19 pandemic, to help ensure that it could be consent requirement under Part 2 for disclosures of information wouldn’t unnecessarily constrain telehealth visits. And so, SAMHSA issued some guidance that simply elaborated on existing rules but said that in the emergent situation the need to get consent to utilize the telehealth vendor, ought not impact the ability to give telehealth services to a patient in an emergency situation. So, that was guidance, that was an elaboration on existing rules. But in the stimulus bill that was enacted last week, there was actually a pretty big change that will actually change how we practice in a lot of ways and our advice, not just in the—for the duration of this pandemic, but, but after. So, Section 3221 of the stimulus bill included, actually a change in the underlying law that said, once a patient consents to the disclosure of their substance use information, in the same manner that it could be disclosed under HIPAA, well, then a covered entity could use and disclose that information just like any other protected health information as it could under HIPAA. So here, in the context of telehealth and this pandemic, you have number one. You have guidance from SAMHSA saying that you don’t need to get consent to disclose in the telehealth context if it’s an emergent situation.
But then you have this new change in the law that goes beyond that, saying if you get a general consent from the patient, that their substance use treatment information can be used and disclosed, like any other PHI under HIPAA, then, you know, we would default to all the other flexibility that we’ve been discussing for the whole presentation. Meaning, if the patient, Part 2 patient, has provided that consent, well, then you could do telehealth with any of these non-public facing products, even in a non-emergent situation, just like you can under HIPAA. So, it was a really important change of the law that we’ll be focusing on in the weeks and months ahead. If we go to the next slide and then we’ll kick it back to Carolyn.

Thank you, Ryan. So, we’ve received some guidance in recent weeks, but there’s still plenty of opportunities for additional guidance. And, based on our review of what we’ve seen, and feedback from clients who are on the front lines dealing with this pandemic and trying to interpret these guidelines, we’ve, we see some opportunities. So, first, the OCR could clarify that the enforcement waivers extend to failures by covered entity care providers to consider non-facing, non-public facing remote communication products within the scope of the HIPAA security risk analysis in connection with the provision of telehealth services during this pandemic. Two, the OCR could clarify that the enforcement waiver described extends to the transmission of unencrypted email communications by covered entity health care providers during the pandemic, regarding product onboarding, telehealth visit scheduling, and just utilization and other administrative matters in connection with telehealth during this national emergency. We know that on March 16th the OCR bulletin addressed covered hospitals, and it provided them with an exception of providing a notice of privacy practices in certain situations. But it didn’t address other health care providers and only addressed covered entity hospitals. We could benefit from some additional guidance from the OCR on whether the privacy rule requirement for the provision of a notice of privacy practice could also be waived, and the, the acknowledgement of receipt that is often, that patients provide. This would expedite and streamline the provision of teleservices during this pandemic. Particularly, as to covered entity healthcare providers and patients that do not have HIPAA secure compliant means for communications.
There are probably other opportunities where we could benefit from guidance, but these are the ones that we’ve identified based on the feedback from our clients that are on the first line, that are responding to this, and based on our interpretation of the guidance and what I’ve seen so far. And with that, I’m going to kick it back to Jenn.

Great. So, we wanted to make sure that everyone was aware of the resource center that we have. A couple of things. First, the next COVID webinar is today at 2:00 Eastern, and it will be on telehealth reimbursement. If 2 COVID webinars in a day are too much for your psyche, they’re all recorded, and you can go back and look at all of the webinars that have happened over the last number of weeks, pull up and listen to the extent that you missed something. We also have a lot of written work product. We’re developing tools for our clients, articles and so forth. So, we encourage you. It’s available to all of you. It’s the least we could do to visit this research center. If you’d like certain updates sent, you’ll also see that there is the ability to subscribe, so if you’re, if you’re new to these resources and want to get alerts about future webinars or articles, you can certainly subscribe to receive them. We also understand that there’s been some questions that have come in. We can do our best to go through them, but we also have our contact information, our names on these slides, and you’re welcome to reach out to any of us, here they are, thanks, Carolyn, to ask a question if you think of something later today. So, let me, I guess, pull up the questions, and we can try to take a few. We have a lot, so let me see if I can answer some. So, so one question that came through, Stacey, I think this would be great for you, as you mentioned that health plans are not considered to be engaged in the provision of healthcare, and one of our listeners asked if you could just go back over that, and what that means for health plans.

Yes. I actually think that Carolyn touched on that so I might go ahead and throw this one to her.

I think I’m unmuted. Yeah, the guidance was specific that it only pertained to healthcare providers, and that even though plans may pay for telehealth services, they’re not, typically, they’re not in the business of providing healthcare services. I don’t know if Ryan had, wants to add anything to that.

No, that’s it. So, you know, all the existing rules continue to apply to health plans. There’s no waiver in the telehealth context because they’re not healthcare providers. The OCR waiver uses the term covered entity healthcare provider several times throughout, and it’s pretty clear that it applies only to healthcare providers.

Another question that came up was really a caution from one of our listeners, about certain technologies that are on the illustrative, permitted list, but have callback features. And so, a patient could call back on a repeat basis because these were really not designed to be meeting technologies. I think this is an important point, in terms of thinking through whether these technologies are right for your organization and what you’re trying to achieve. So, the enforcement guidance is not a blank check. It’s not trying to encourage you to move in a particular direction and it’s certainly not encouraging you to use technologies that are not HIPAA compliant. It’s trying to give providers some much needed flexibility to the extent that they feel like they have exhausted the options available to them during this very pressing time. So, I think this comment from one of our listeners is important because you still want to make sure that the technology does what you want it to do, doesn’t do what you don’t want it to do, and whether or not you’re asking your patients to invest in technologies that, on a going forward basis, you would likely not continue to use. And I don’t know if my fellow presenters have anything they want to add on that topic.

No, thank you.

Okay. So, one of the questions, and I’ll just open it up to the panel, is to ask about text messaging, and what happens if a patient provides verbal consent to receive messages containing PHI through a text function. Who would like to take that one?

I’m happy to handle that.


So even prior to this waiver, text messaging was an okay method of communication between a patient and health care provider, provided the patient consents to it. You know, the patient has a right under HIPAA to ask the provider to communicate via whatever confidential means that the patient prefers. So, there’s pretty clear existing guidance on that. That it would be appropriate and fine in most instances. The waiver here doesn’t impact that, except maybe even to strengthen the position of the provider to be able to use text messaging. Because the guidance does specifically permit, quote, non-compliant, non-public facing text applications. So before, you know, it would have been fine, you could have gotten comfortable with it if the patient specified they want to receive messages via SMS, and now it’s, you even, kind of, in an even better enhanced compliance position because the waiver specifically extends to non-public facing text communications. What I would caution, though, is that if a patient were to consent to receive text message, text messages for treatment purposes, or even just in the context of this pandemic, that you do think about other compliance regimes and the attached. TCPA, for example, you wouldn’t want that cell phone number to land on a marketing list, and then after the pandemic is over, continue to use that same cell phone number for marketing purposes or even appointment reminders and other purposes that may require some TCPA consent.

Okay, great. Thank you, Ryan. Speaking of consent, we have a question about the degree to which the OCR enforcement guidance preempts state requirements that might require consent for telehealth or for other uses and disclosures of PHI. Would someone like to take that one? We’re doing these in real time, so, and we’re in different offices, obviously.

I don’t believe that it addresses that at all. I think that would remain an open issue, open question. I think it’s a really good question, but I haven’t seen anything that addresses that.

That’s my, that’s my instinct as well. In general, HIPAA does not tend to preempt stricter state law. HIPAA serves as a floor, so my instinct is the same as Carolyn’s that if a state nonetheless wanted to be more protective and continue to require its consent requirement. I think that’s where I would lean unless the state was putting out as part of its own emergency declaration certain flexibility. Stacey, I’m sorry.

Yeah, no, no worries. And I would agree, generally. But I would also note that during this time there have been, you know, almost every state has issued certain guidance, and so I would encourage everybody to kind of take note of, of what has been going on in the pertinent states, because there has been a lot of easing of requirements, especially as they relate to telehealth services. So, there’s likely something on point at a state level as well.

Okay, so, the next question is, could we talk a little bit more about what we meant by, or what we think the guidance means, I should say, about a good faith effort. So, the, you know, the enforcement discretion announcement indicates that the reasonable use with a good faith effort of non-public, non-HIPAA compliant technologies. Would one of my fellow presenters like to speak to that?

We’re all too polite.

Yeah, in this context, none of us know exactly what good faith effort means. But I think it is just a signal from OCR that they do not want privacy rule restrictions, at least, to get in the way of telehealth services in the middle of a pandemic. It obviously ought not be used as a backdoor to knowing and gross noncompliance. I think that’s what the good faith language probably means. So, I don’t attach any particular meaning to it other than OCR is truly trying to be helpful here, not get in the way of telehealth during a pandemic.

Yeah, I would take it, building on what Ryan’s said is, they don’t want this to be a blank check. They still want providers to act responsibly and to try to balance caring for people with privacy. And it’s a way of saying, you know, stay awake, think about what risks and benefits make sense for your organization. Perhaps certain types of telehealth platforms are used with less sensitive health information. And I think documenting your choice, and why that, why you felt that it was good faith and reasonable could be an important step to showing that you thought this through, and you made a decision in the best interest of your, of your patients. Carolyn, one of the questions, I think there’s time for one or two more is, this is going to ask you to project, do you think that, to get out your crystal ball.

Let me get out my crystal ball. It’s in my office, downtown.

Exactly. Do you think that OCR will extend the guidance to add health plan case managers or care managers the same way in order to help the participants whose cases they currently handle?

Extend the guidance to healthcare plans into these specific individuals?

Yeah, case and care managers working for health plans is how I read the question.

I don’t think so, because, first of all, I can’t predict. But second of all, I think there is guidance that would be more relevant and a broader application that, that could really benefit the group in general that would come out before the OCR got that specific. So, I do not see that coming anytime soon. I don’t know if any of my other esteemed panelists, if their crystal ball, they could dust it off and weigh in. But I don’t have any reason to see that coming down the pike.

I think one of the challenges there is you have a very specific statement by OCR and this guidance that health plans do not provide healthcare, whereas your question suggests some actually do. And so, you would butt up against a pretty clear statement in this guidance from OCR, you know, that doesn’t concede or acknowledge that. So, unfortunately, the guidance was not helpful in that respect.

Yep. That’s right. So, I think that, with that, if you have additional questions, or questions that are very specific to your business, we, you know, we encourage you to reach out to any of us. And if we can’t answer it, we have a colleague who can. We want to thank you for joining us for this webinar and our best wishes to stay safe and healthy in the weeks to come. Thank you so much.

