The Department of Health and Human Services is ending a Covid-era policy allowing dentists to do telehealth visits outside HIPAA compliance.
The American Dental Association is reminding members that the enforcement discretion in place during the Covid pandemic, which allowed healthcare providers to conduct telehealth appointments that were not in full compliance with the Health Insurance Portability and Accountability Act (HIPAA), is set to expire.
The US Department of Health and Human Services Office for Civil Rights announced that this enforcement discretion ends May 11, and that dental practices have until 11:59 pm on August 9 to come into full compliance with HIPAA rules on telehealth.
The enforcement discretion provided that a dental practice could use any available non-public-facing remote communication product to provide telehealth during the public health emergency, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype.
OCR encouraged healthcare providers to notify patients that these third-party applications potentially introduce privacy risks and to enable all available encryption and privacy modes when using such applications. The OCR notification stated that public-facing video communication applications should not be used, such as Facebook Live, Twitch, and TikTok.
OCR encouraged healthcare providers seeking additional privacy protections while using video communication products to provide such services through technology vendors that are HIPAA compliant and willing to enter into HIPAA business associate agreements. The OCR notification provided examples of vendors that provide HIPAA-compliant video communication products and will enter into a business associate agreement.
The ADA offered tips to consider when working toward compliance, including:
- Revise the HIPAA security risk analysis to assess the data security risks of the practice's current telehealth services, and implement risk management to bring any risks that are not low to an acceptable level.
- Enter into a business associate agreement with any telehealth vendor that creates, receives, maintains, or transmits patient information. If a current vendor is unwilling to enter into a business associate agreement or otherwise not in compliance with HIPAA, take reasonable steps to fix the problem and, if not successful, terminate the relationship if feasible.
- Encrypt patient information at rest and in transit.
- Update HIPAA policies and procedures on telehealth as appropriate and train staff on the new policies and procedures. Apply appropriate sanctions if a staff member does not comply with them. Telehealth policies and procedures may include details such as which workstations may be used to provide telehealth, how those workstations should be protected, and how to manage which staff members can access telehealth patient information. In addition, telehealth may be part of a dental practice's contingency planning.
Different dental practices will develop different solutions for providing HIPAA-compliant telehealth. There is no one-size-fits-all HIPAA Security Rule solution. The HIPAA Security Rule permits a flexible approach and requires dental practices to take the following factors into account when deciding which security measures to use:
- The size, complexity, and capabilities of the dental practice.
- The dental practice’s technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic patient information.
The OCR notification of enforcement discretion for the public health emergency did not apply to the HIPAA Breach Notification Rule. If a dental practice providing telehealth discovers a breach of unsecured patient information, the practice may be required to notify affected individuals, OCR, and in some cases the media. Similarly, the OCR notification did not affect state laws on privacy, data security, or breach notification.