Manage HIPAA risks in your practice

Video chat tools such as FaceTime, Skype and Zoom are now available to physician practices that want to treat patients on a remote basis, according to March 17, 2020, guidance from the Department of Health and Human Service’s Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA).

Michele P. Madison, J.D., a health care attorney at Morris, Manning & Martin in Atalnta, points out that OCR won’t enforce penalties for physician practices that use “non-public-facing video and audio technology that’s not secure, and they won’t require business associate agreements.” Still, she advises that practices take the following steps:

Validate that the physician or other clinician is licensed to provide care by telemedicine in the state where they’re providing the service.
Secure verbal or written confirmation that patients understand that the platform used to receive telehealth-based care isn’t secure.

Communicate to physicians and clinicians that they must fully and completely document the interaction with patients, including their clinical findings, medical decision-making and other necessary variables to support the Current Procedural Terminology code used by the billing department.

According to the OCR guidance, platforms such as Facebook Live, TikTok and Twitch are examples of public-facing video communications platforms, and providers shouldn’t use them when providing care to patients.

Billing for telehealth visits

Elizabeth P. Litten, J.D., a health care attorney and chief privacy and HIPAA compliance officer at Fox Rothschild in Princeton, N.J., points out that practices need to ensure they’ll be reimbursed for the care provided using telehealth. Kelli Carpenter Fleming, J.D., an attorney at Burr & Forman in Birmingham, Ala., advises practices to check with health insurers to make sure they’ll be paid for the patient visit.

The Centers for Medicare & Medicaid Services (CMS) has said that Medicare will reimburse health care providers for treating patients using telehealth for COVID-19 and other medically reasonable purposes from offices, hospitals and residences such as homes, nursing homes and assisted living facilities. The federal agency noted that Medicare Advantage plans may offer additional telehealth services beyond what was included in its approved 2020 benefits.

States “have broad flexibility to cover telehealth through Medicaid, including the methods of communication (such as telephone, video technology commonly available on smartphones and other devices) to use,” according to April 2 guidance from CMS. In addition, states aren’t required to seek federal approval “to reimburse providers for telehealth services in the same manner or at the same rate that states pay for face-to-face services,” CMS notes.

Fleming highlights that OCR’s March 20 guidance says that a telehealth-based visit doesn’t have to be for a COVID-19-related condition. That means, for example, that a physician can use telehealth to consult with a patient about an earache, she says.

Disclosing PHI

OCR’s March 24 guidance provided insight into ways that health care providers can disclose protected health information (PHI) about a person who has been infected by or exposed to the COVID-19 virus. Health care organizations can disclose PHI, including the name and other identifying information about the person, under the following four circumstances:

When needed to provide treatment
When required by law
When first responders may be at risk for an infection
When disclosure is necessary to prevent or lessen a serious and imminent threat

Fleming points out that this allows a call center employee or an emergency medical technician to communicate to a physician or other clinician that the patient has been around someone with COVID-19 or has tested positive for the disease. It also allows health care providers to adequately respond and protect themselves, she explains. But she points out that this type of communication has always been permissible between first responders and health care providers.

Managing billing staff

To date, 42 state governors have issued stay-at-home orders or advisories, which generally mean that only essential personnel should show up physically at their workplaces. In addition, OCR issued guidance on April 2 that it won’t impose penalties for violations of some provisions of the HIPAA Privacy Rule against health care providers and their business associates “for good faith uses and disclosures of protected health information … by business associates for public and health and health oversight activities during the COVID-19 nationwide public health emergency.”

In a statement, Roger Severino, director of OCR, said, “Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

Some clinicians may be able to provide telehealth consults from their home offices, whereas administrative employees who aren’t patient facing can work remotely, with the right guidance. Alissa Smith, J.D., an attorney at Dorsey & Whitney in Des Moines, Iowa, points out that employees providing administrative and billing support can work from home. Her advice for physician practices with billing employees working from home includes the following:

• Keep billing files and other patient records away from others in the household.

• Use safeguards, such as firewalls, encryption and a private network, to prevent patient information from being hacked.

Fleming recommends that practices require remote billing staff to log in to the practice’s systems using two-factor authentication. That requires a code to be sent to the billing employee’s cellphone for an additional level of security.

Practices should discourage employees from saving any files onto the hard drives on their computers at home, says Fleming. In addition, the employee’s computer should be set up to require an additional login if the computer isn’t in use for three minutes or even less. Employees should also limit printing of any patient information, she adds.

Most payers allow providers up to a year to drop a claim, says Fleming. But waiting to send claims to health insurers will hurt the practice’s cash flow.

Physicians tell her that billing employees “are essential - they help me keep my doors open,” she adds.