Telehealth Privacy Concerns to Be in Spotlight Post-COVID-19
Privacy Attorney Adam Greene on HIPAA, Regulatory Issues Once Health Emergency Ends
The telehealth industry exploded in the wake of the COVID-19 pandemic as a way to relieve crowded waiting rooms and examine patients without the risk of spreading the virus. U.S. federal regulators recognized the benefits of telehealth and waived some provisions of HIPAA patient privacy rules as the medical community explored this evolving technology.
That's all about to come to an end on May 11, when President Joe Biden is expected to lift the coronavirus public health emergency order, which will end the limited HIPAA waiver program of the Department of Health and Human Services' Office for Civil Rights.
"With those coming to an end, that essentially means that OCR could potentially begin bringing enforcement actions for violations in these areas," says privacy attorney Adam Greene of the law firm of Davis Wright Tremaine. "The big one is certainly going to be telehealth."
Greene says OCR regulators said they would exercise discretion in enforcing certain potential HIPAA violations during the pandemic and overlook issues such as a lack of reasonable safeguards or failure to have a business associate agreement in place. But setting up an agreement with a telehealth vendor could be challenging, he says.
"Right now you can do telehealth using whatever app is most convenient to you and the patient," Greene says. "Some of those app providers may not necessarily be willing to sign business associate agreements, and so some organizations may need to shift to different telehealth solutions that may not be quite as patient-friendly - at least compared to what they were used to."
In this video interview with Information Security Media Group, Greene also discusses:
- The latest HHS OCR breach investigation and HIPAA enforcement trends;
- The Federal Trade Commission's recent $1.5 million civil monetary penalty against telehealth services and discount prescription drug company GoodRx - the agency's first enforcement action involving the FTC's 14-year-old Health Data Breach Notification Rule;
- Growing privacy concerns involving the use of tracking codes in healthcare websites.
Greene specializes in health information privacy and security laws, including applying those laws to new technologies, such as artificial intelligence and machine learning. He formerly served as senior health information technology and privacy specialist at the HHS OCR, where he played a significant role in administering and enforcing HIPAA privacy, security and breach notification rules.