Whether or not you’re feeling sick, staying home is the best thing you can do to stem the spread of COVID-19—which makes seeking medical care a complicated proposal right now. Thankfully, it just got easier for healthcare providers everywhere to offer their patients virtual visits, so you can see a doctor without stepping foot outside.
Last week, the Centers for Medicare and Medicaid Services (CMS) and the Department of Health and Human Services (HHS) announced two measures to expand telehealth access for patients across the country. As of March 6, 2020, providers can offer telehealth visits to all of their Medicare and Medicaid patients, regardless of location, and still get reimbursed for the costs. (Previously, only patients in certain rural areas were eligible.) And, until further notice, the HHS Office for Civil Rights (OCR) has chosen not to enforce HIPAA Rules violations for telehealth services. In other words, for the duration of the COVID-19 public health emergency, healthcare providers can communicate with any patient, anywhere, via video chat without getting dinged for HIPAA noncompliance.
Obviously, these changes are intended to make it easier for people with possible COVID-19 symptoms to get medical attention while staying the hell inside—but increased access to telehealth benefits everyone right now. As long as healthcare providers believe that a service can be adequately and appropriately provided over video chat, it’s fair game. The list of programs they can use to provide those services is longer, too; according to the OCR FAQs on the subject, all of these popular apps are now eligible for use in a telehealth setting:
- Apple FaceTime
- Facebook Messenger, including video chat
- Google Hangouts, including video chat
- WhatsApp, including video chat
There are two notable exceptions. First, “public-facing” products like Facebook Live, TikTok, Twitch, or Slack chat rooms are not eligible because they’re intentionally designed to reach as many people as possible—not exactly what you want when exchanging sensitive information with your doctor. Second, the relaxed penalty rules only apply to healthcare providers, not insurance companies or any other entities that interact with patient data under HIPAA.
It’s also important to remember that FaceTiming your doctor didn’t magically become HIPAA-compliant overnight—they just won’t get in trouble for using less-secure apps to continue seeing patients during these unprecedented circumstances.
Normally, providers who wish to offer remote visits are required to use a program with a strict, HIPAA-compliant Business Associate Agreement (BAA), which deals specifically with the collection, storage, and transmission of private patient data. The conferencing apps that do offer BAAs—including Skype for Business, Google G Suite Hangouts, and Zoom for Healthcare—tend to be expensive for both providers and patients, and using anything else comes with hefty fines. If a provider is caught seeing patients via a video conferencing app without a proper BAA, they can expect fines of anywhere from $100 to $50,000 per instance, with a maximum of $1.5 million per year.
The only thing affected by these changes is the fines; the security and privacy risks inherent in using a noncompliant app are still there, and mitigating them is up to your provider. To that end, the OCR recommends that providers “notify patients that these third-party applications potentially introduce privacy risks, and … enable all available encryption and privacy modes when using such applications.” From a privacy standpoint, this isn’t ideal—but it sure beats hanging out in a crowded waiting room during a pandemic.
Hopefully, expanding access to telehealth during the outbreak will help people get the care they need without further stress to our already swamped healthcare infrastructure. So, before you assume otherwise, ask your provider if your visit could be conducted remotely—there’s a good chance that it can.