An enforcement discretion in place during the COVID pandemic that allowed health care providers to conduct telehealth appointments that were not in full compliance with HIPAA is set to expire.
The U.S. Department of Health and Human Services Office for Civil Rights announced April 11 that this enforcement discretion ends May 11 and dental practices have until 11:59 p.m. on Aug. 9 to come into full compliance with the Health Insurance Portability and Accountability Act rules on telehealth.
The enforcement discretion provided that during the public health emergency a dental practice could use any available non-public-facing remote communication product to provide telehealth, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype. OCR encouraged health care providers to notify patients that these third-party applications potentially introduce privacy risks and to enable all available encryption and privacy modes when using such applications. The OCR notification stated that public-facing video communication applications, such as Facebook Live, Twitch, and TikTok, should not be used.
OCR encouraged health care providers seeking additional privacy protections while using video communication products to provide such services through technology vendors that are HIPAA compliant and willing to enter into HIPAA business associate agreements. The OCR notification provided examples of vendors that represent they provide HIPAA-compliant video communication products and will enter into a business associate agreement.
Some tips to consider when working toward compliance include:
Different dental practices will develop different solutions for providing HIPAA-compliant telehealth. There is no one-size-fits-all HIPAA Security Rule solution. The HIPAA Security Rule permits a flexible approach and requires dental practices to take the following factors into account when deciding which security measures to use:
The OCR notification of enforcement discretion for the public health emergency does not apply to the HIPAA Breach Notification Rule. If a dental practice providing telehealth discovers a breach of unsecured patient information, the dental practice may be required to notify affected individuals, OCR, and in some cases the media. Similarly, the OCR notification did not affect state laws on privacy, data security, or breach notification.
Compliancy Group, an ADA Member Advantage-endorsed service, offers HIPAA compliance software that can help dental practices comply with the law. Visit https://compliancy-group.com/hipaa-compliant-telemedicine-software for more information. To purchase the software, visit https://store.ada.org/catalog/compliancy-group-hipaa-compliance-software-solution-88833.