State and Federal Governments ease regulatory enforcement to expand access to telehealth
In response to the Covid-19 pandemic, Ohio and federal officials have recently taken two dramatic actions to greatly increase the public’s access to medical and mental healthcare via “telehealth.” This article will focus on mental healthcare providers; however, the subject actions apply equally to medical healthcare providers.
Now on to the subject actions:
Action 1: The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) recently issued a notification that it would exercise its enforcement discretion to not impose penalties against covered entities for failing to comply with HIPAA requirements regarding the good faith provision of telehealth. Chiefly, this means that providers can use their discretion to utilize “non-public facing audio or video communication products” to provide telehealth without concern of an enforcement action for failing to comply with HIPAA security requirements. Per the notice, “non-public facing” products include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype. Examples of public-facing products are Facebook Live, Twitch, Instagram Live, or Tik Tok. Generally, any application in which you would be “streaming” should be considered “public-facing.”
This is a significant departure from HIPAA guidelines which in general require providers to ensure confidentiality and security, most importantly encrypted transmission. However, the notice does encourage providers to seek out applications that claim to meet HIPAA security requirements and that will provide a Business Associate Agreement. Ultimately, while the OCR may not fine a provider for non-compliance, the notice does not address what the OCR will do in the event of a data breach.
Given the plethora of options available, any provider, regardless of size, should be able to provide telehealth utilizing a reasonably secure and HIPAA compliant platform.
Action 2: On March 19, 2020, Gov. DeWine signed executive order 2020-05D, declaring a public emergency requiring immediate adoption and/or amendment of administrative rules pertaining to telehealth. For example, the Ohio Dept. of Mental Health and Addiction (“ODMHA”) substantially amended the interactive videoconferencing requirements of OAC 5122-29-31, including:
1. Eliminates the requirement that videoconferencing be secure. OAC 5122-29-31(A).
2. Permits the use of telephone calls and email as “interactive videoconferencing” under the rule. See id.
3. Eliminates the requirement of a face-to-face initial appointment prior to participating in telehealth.
Similarly, the Ohio Counselor, Social Worker, Marriage & Family Therapist (“CSWMFT”) Board approved Emergency Rule 4757-5-13, which notably modified the rule in several ways, including:
1. Eliminates the requirement of a face-to-face initial appointment prior to participating in telehealth. See OAC 4757-5-13(A)(7).
2. Relaxes the requirements for informed consent.
3. Permits verbal informed consent in cases in which written informed consent cannot be obtained. See OAC 4757-5-13(A)(7).
4. Eliminates and/or modifies security and encryption requirements for telehealth in accordance with the HIPAA guidelines set forth in Action 1.
These changes are significant departures from the original version of the rules and HIPAA guidelines.
Ohio providers subject to the CSWMFT Board should note that there are strict location requirements for telehealth based on the location of the client/patient at the time services are rendered. The location of the client determines the jurisdiction for the counseling. So, if the provider and client are located in Ohio at the time of service, the telehealth is “provided” in Ohio. If the provider is in Ohio and the patient is located in Arizona at the time of service, telehealth is “provided” in Arizona. Many states have similar rules. Please also note, that providers using telehealth need to be careful to avoid accidentally practicing outside of a jurisdiction in which they are licensed.
Law related to Covid-19 is rapidly changing, which is creating a fluctuating, complex, and potentially dangerous regulatory environment. If you have any questions regarding your organization’s telehealth compliance, please contact Ickes\Holt.
ICKES \ HOLT