
HIPAA-compliant messaging in the age of COVID-19

COVID-19 has had a sweeping impact across most aspects of healthcare delivery as we know it. While accessing healthcare has changed dramatically and will likely never completely return to pre-pandemic “business as usual,” what can we say about protected health information (PHI) and HIPAA compliance? How has COVID-19 altered HIPAA-compliant messaging, and how might it change in the post-pandemic healthcare environment?

How did COVID-19 change HIPAA-compliant messaging?

When COVID-19 hit, hospitals and health systems made rapid changes to many care delivery policies and procedures. Ensuring secure, fast, hospital-wide communications was challenging enough without the new threat of overburdened hospitals and a large, decentralized network of remote employees and patients communicating virtually.

Limited waiver of HIPAA sanctions and penalties for hospitals

To assist in nationwide public health emergencies like natural disasters and the COVID-19 pandemic, the U.S. Department of Health and Human Services (HHS) can waive certain provisions of the HIPAA Privacy Rule for a finite period. On March 15, 2020, HHS waived sanctions against hospitals that do not fully comply with five provisions of the HIPAA Privacy Rule during the COVID-19 pandemic:

  • Requirement to obtain a patient’s agreement to speak with family or friends involved in the patient’s care
  • Requirement to honor a request to opt out of the facility directory
  • Requirement to distribute a Notice of Privacy Practices
  • Patient’s right to request privacy restrictions
  • Patient’s right to request confidential communications

These waivers have helped hospital systems give patients the care they need and to share PHI to support the nation’s response to the public health emergency.

Waiver of noncompliance for telehealth

To help support remote patient care and deliver better care through telemedicine, the Office for Civil Rights (OCR) at HHS announced that it will not impose penalties against hospitals that communicate or provide telehealth services through technology that may not fully comply with HIPAA rules during the COVID-19 response.

The OCR is allowing providers to use consumer applications like FaceTime or Zoom under this provision, as well as messaging or texting apps such as Google Hangouts or WhatsApp, which OCR clarified should use end-to-end encryption. The OCR has made it clear that public-facing apps, like Twitch and TikTok, should not be used.

Waiver of noncompliance for other specified groups and tools

In addition to the short-term telehealth penalty waiver, the OCR/HHS also announced that several additional groups and applications will not incur standard penalties during the pandemic. These include first responders, healthcare business associates, community-based testing sites, and most recently, vaccine scheduling tools. Details about each of these notifications can be found here.

Proposed changes to the HIPAA Privacy Rule — new deadline for public comments

In light of this evolution in healthcare delivery, HHS will be updating the HIPAA Privacy Rule to improve care and access on several fronts. The agency is seeking public input on the proposed changes and has extended the due date to May 6, 2021. These changes revolve around strengthening patients’ access rights regarding their PHI and enhancing caregiver practices designed to effectively coordinate treatment. There are also updates for how to incorporate flexibility for PHI disclosure during emergency situations, and more. Overall, the goal is to ease the administrative burden on healthcare providers while giving patients more control over how their sensitive healthcare information is handled.

What’s the future of HIPAA-compliant messaging?

While no one can say exactly how COVID-19 will change healthcare in a post-pandemic world, there are a few certainties that will likely impact HIPAA-compliant communications in the future.

Security threats will not disappear

Even during this nationwide public health emergency, the OCR is still encouraging healthcare providers to use secure solutions to protect patient information. The agency has stated that the waivers will remain in place only for the duration of the pandemic, and it has not yet announced an end date.

FBI statistics show a 400% increase in cyberattack complaints since March 2020, with healthcare being the most targeted industry. As telemedicine adoption has increased during this period, so has the variety of ways a cyberattack can be carried out. Moreover, as patient volumes increase and providers are saddled with heavier loads, these threats may not be identified as quickly. While consumer applications not developed for healthcare are a temporary solution for coping with the response to COVID-19, they present a risk for security threats to PHI.

Communication technology needs to improve — and it likely requires new solutions

When hospitals and health systems are out from under COVID-19 and have a chance to reflect on their response to the pandemic, they may identify gaps in communication technology that need to be filled. Their response to the pandemic, coupled with the relaxation of HIPAA compliance requirements, may reveal the need for hospital-wide technology that enables smarter, faster, and more secure communications.

Beyond the ability to communicate securely with patients and families, COVID-19 has reinforced the urgent need for health systems to have in place an end-to-end communication strategy that extends from the contact center to paging codes, secure messaging, critical test results management, and more. Point solutions (such as texting or a badge device) only scratch the surface of the complex needs facing health systems during a pandemic and beyond.

The opportunity exists to implement decisive change and action

The COVID-19 pandemic has resulted in the rapid adoption and scaling of telemedicine. About 76% of hospitals are now connecting with patients remotely. In addition, a bipartisan group of U.S. representatives has proposed legislation to improve telehealth access in the recent bill, Protecting Access to Post-COVID-19 Telehealth Act of 2021.

If telehealth can be transformed by COVID-19, it’s likely other healthcare technologies will follow. While there is no going back to healthcare as usual, many experts expect COVID-19 to be the catalyst to change healthcare delivery and improve patient outcomes.

While there is currently no expiration date on the HIPAA compliance waivers, the HHS and OCR have confirmed the original policies will be reinstated at some point in the future. Curious to learn more? To explore this topic further from the nursing point of view, read a nurse perspective on secure messaging in healthcare.

Topic: Secure messaging

Editor’s note: This post was originally published in July 2020 and has been updated for relevancy and accuracy.
