Time to revisit the Health Insurance Portability and Accountability Act (HIPAA)? Accelerated telehealth adoption during the COVID-19 pandemic

Abstract

To the Editor: Throughout the coronavirus disease 2019 (COVID-19) pandemic, campaigns to promote social distancing and sheltering-in-place in the United States forced most dermatology offices to change the way they operate. These measures, combined with a temporary easing of the enforcement of the Health Insurance Portability and Accountability Act (HIPAA) for telehealth during the public health emergency, motivated dermatologists to embrace teledermatology in all its forms. Despite the return of in-office evaluation, telemedicine will likely remain a part of our new normal. Enacted nearly 25 years ago, HIPAA impacted every aspect of health care,1Edemekong P.F. Haydel M.J. Health Insurance Portability and Accountability Act (HIPAA). StatPearls Publishing, Treasure Island, FL2020Google Scholar,2HIPAA Privacy rule. 45 CFR parts 160 and 164, Subparts A, C and E.Google Scholar including, but not limited to, the design of software for medical record keeping, insurance claim review, research, and communication. While technologic innovation, video conferencing, and telework were embraced in some industries, the patient-facing elements of health care lagged behind, partly because of the impact of regulatory requirements on medical communication software. Early in the pandemic, health care providers in the United States scrambled to find avenues for “telehealth at home” by any means necessary to serve their patients and support their staff. Many adopted video conferencing applications, independent of electronic medical record systems, as essential patient care tools. Most electronic medical record systems did not offer these services or they were inefficient or expensive, or both. Many everyday teleconferencing applications not native to health care contain robust privacy elements such as end-to-end encryption; however, these are not necessarily HIPAA-compliant if they do not feature the audit controls required in the privacy rule: system administrators must be able to record and follow audit trails whenever protected health information is created, modified, accessed, shared, or deleted.2HIPAA Privacy rule. 45 CFR parts 160 and 164, Subparts A, C and E.Google Scholar This includes encrypted communications with patients. For this same reason, private text messaging is not HIPAA-compliant. Conventional audit control rules require health care workers or their organizations to enter into a Business Associate Agreement with the third party handling protected health information. Because these third parties generally will not enter into such agreements, the burden of liability for breaches or other violations falls entirely onto health care staff and their organizations. In medicine, risks are weighed against benefits. Patient care may be compromised when health care providers disproportionately fear the consequences of HIPAA violations, which include professional, legal, and monetary penalties. Some suggest the misinterpretation of HIPAA can lead to a “code of silence,”3Berwick D.M. Gaines M.E. How HIPAA harms care, and how to stop it.JAMA. 2018; 320: 229-230Crossref PubMed Scopus (14) Google Scholar,4Span P. HIPAA's use as code of silence often misinterprets the law.https://www.nytimes.com/2015/07/21/health/hipaas-use-as-code-of-silence-often-misinterprets-the-law.htmlDate accessed: March 29, 2020Google Scholar impeding the sharing of medical information. Did the easing in its enforcement actually improve communication among colleagues and with patients? Should the ongoing use of agile teleconferencing software, independent of electronic medical records, be embraced in the provider-patient relationship? Protecting patient privacy is important. The revision of audit controls in HIPAA could allow for the protection of privacy while also permitting patient and caregiver to exercise judgment in making decisions about the provision of health care. Such changes, and the general expansion of telemedicine, raise additional questions; for example, liability, cybersecurity, appropriateness of use, and scope of practice. They may, however, directly address existing problems in access to dermatologic care for underserved individuals. A careful review and amendment of HIPAA could allow health care providers to continue optimizing telemedicine services for the benefit of patients during and beyond COVID-19.5Portnoy J. Waller M. Elliot T. Telemedicine in the era of COVID-19.J Allergy Clin Immunol Pract. 2020; 8: 1489-1491Abstract Full Text Full Text PDF PubMed Scopus (347) Google Scholar