OCR’s October Initiatives: Strengthening Telehealth Security and HIPAA Compliance

BakerHostetler

Key Takeaways:

  1. The Department of Health and Human Services Office for Civil Rights (OCR) has been active in October, releasing important guidance on telehealth privacy and security risks under the Health Insurance Portability and Accountability Act (HIPAA).
  2. The OCR issued guidance for healthcare providers and patients on safeguarding protected health information (PHI) during telehealth sessions. While the guidance is voluntary, OCR recommends providers educate patients about the telehealth risks and the importance of using privacy and security safeguards during telehealth sessions to protect their PHI.
  3. The OCR also emphasized in its fall cybersecurity newsletter the importance of implementing sanction policies to support HIPAA compliance and advised entities subject to HIPAA to use a formal process for sanctions, document the process and apply sanctions consistently based on the severity of violations.

October has been a busy month for the OCR, which is tasked with enforcing the regulations issued under HIPAA. In the past week, the OCR released two new guidance documents aimed at reducing the privacy and security risks related to the use of telehealth, as well as its quarterly cybersecurity newsletter, which focused on optimizing workforce sanction policies to support HIPAA compliance.

Guidance Regarding HIPAA Telehealth Policies

On Oct. 17, the OCR published two resource documents providing guidance to both healthcare providers and patients on the privacy and security risks to PHI when using telehealth services and advising on ways to reduce those risks. The OCR was tasked by the Government Accountability Office with providing plain-language guidance to educate healthcare providers on the inherent health information privacy and security risks of using remote communication technologies and apps for telehealth (Provider Guidance). While the Provider Guidance expressly states that providers are not required to educate patients about telehealth privacy and security risks, the OCR published it as a resource for providers that wish to explain those risks to their patients. Notably, however, other guidance that the OCR initially presented as an optional best practice has generally become accepted as industry standard over time, such as the OCR guidance urging healthcare providers to put patients on notice of the risks of transmitting PHI over email and text messages.

The Provider Guidance encourages providers, prior to a telehealth session, to consider explaining to patients what telehealth is; the telehealth options that are available; and the possible risks to a patient’s PHI when using remote technologies, such as risks from viruses and other malware, from unauthorized access to a patient’s device or health information, or from accidental disclosures if the patient is not in a private location during the appointment. The Provider Guidance also recommends that providers consider doing the following to help patients better safeguard their health information when engaging in telehealth:

  • Ensure that the patient knows when and how they will be contacted for the telehealth session so they can recognize and avoid phishing emails and other scams, and provide the patient with a phone number they can call to verify a link or other information they receive in an email or text message.
  • Encourage the patient to ask questions about the telehealth technology being used, including the privacy and security controls in place.
  • Provide information about the privacy and security practices of the telehealth vendor(s) being used, if applicable, including information about where to view the vendors’ websites and privacy practices.
  • Advise the patient about the privacy and security safeguards that the telehealth vendor has agreed to use and whether the telehealth app uses tracking technologies.
  • Notify patients of their right to file a privacy complaint.

The OCR also issued plain-language guidance notifying patients of the risks of telehealth and providing tips on how to safeguard PHI when accessing telehealth services, such as:

  • Participating in the telehealth appointment in a private location.
  • Turning off any nearby electronic devices that may record information.
  • Using a personal computer or mobile device.
  • Installing all available security updates.
  • Using strong passwords.
  • Turning on the lock-screen function.
  • Deleting outdated health information.
  • Turning on two-step authentication.
  • Using encryption tools when available.

While this recent telehealth guidance from the OCR is not currently mandatory, it demonstrates how the OCR views telehealth activities and the safeguards it expects. As such, healthcare providers should consider reviewing any telehealth consent forms they use or telehealth educational material they provide to patients, both to put patients on notice of the privacy and security risks of telehealth and to educate patients on the safeguards they can use to minimize those risks.

October Cybersecurity Newsletter

In addition, this month saw the release of the OCR’s fall cybersecurity newsletter. Each quarter, OCR releases a cybersecurity newsletter to help HIPAA-covered entities and business associates (regulated entities) remain in compliance with the HIPAA Security Rule by identifying emerging or prevalent issues and highlighting best practices to safeguard PHI. Notable past newsletters have focused on access controls, audit logs and IT asset inventories. In this latest newsletter, OCR focused on the importance of sanctions to support HIPAA compliance.

HIPAA requires that regulated entities ensure that their workforce members comply with the HIPAA Rules, which includes sanctioning workforce members for failure to comply. While both the HIPAA Privacy Rule and the Security Rule require that regulated entities implement policies to sanction workforce members who fail to comply with HIPAA, the OCR has provided limited guidance to date regarding how sanction policies should be operationalized, including what elements such a policy should contain and how sanctions should be implemented. In accordance with its fundamental principle of allowing flexibility of approach to achieve compliance, HIPAA does not require that regulated entities implement any particular sanction methodology. Rather, the OCR highlighted several elements that regulated entities should consider when drafting or revising their sanction policies, including:

  • Using a formal process to implement sanctions.
  • Requiring workforce members to acknowledge that a violation of policy may result in sanctions.
  • Formally documenting the sanction process.
  • Implementing sanctions appropriate to the nature of the violation that vary based on the severity of the violation and “range from a warning to termination.”
  • Providing workforce members with examples of potential violations of policy.

Although the OCR did not specify that such elements are necessarily required, several relate directly to requirements under the Privacy Rule or the Security Rule (e.g., documentation of any sanctions applied is expressly required under 45 CFR 164.530(e), and the same documentation is needed to demonstrate compliance with the Security Rule’s sanction policy standard at 45 CFR 164.308(a)(1)(ii)(C)). Others, such as requiring workforce members to acknowledge the entity’s sanction policy, align with general best practices in labor and employment.

The OCR also stressed the importance of implementing sanctions consistently and in accordance with stated policy. While HIPAA does not require that regulated entities impose any specific penalty for any individual violation, it does require that regulated entities follow their policies regarding sanctions. The OCR has taken enforcement action in the past against regulated entities that either failed to sanction workforce members for violating HIPAA or were unable to provide documentation supporting the sanction. Finally, the OCR urged regulated entities to consider whether their sanction policies align with general disciplinary policies; how workforce members, departments and managers involved in the sanction process can work in unison; and how such policies can be equitably applied throughout an organization.

Nicole D. Katapodis assisted with the creation of this alert.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising