During the COVID-19 public health emergency, governments, as well as public and private organizations throughout the world, are taking measures to contain and mitigate COVID-19. This can involve the processing of different types of sensitive personal data, including protected health information.

Healthcare providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA-covered healthcare providers, may not fully comply with the requirements of the HIPAA Rules.

In an effort to “empower medical providers to serve patients wherever they are during this national public health emergency” the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced that it “will exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

The goal is to ensure that public health officials, working to combat the pandemic, have quick access to as much data as possible by granting hospitals the ability to pass pertinent information along without worrying about violating any HIPAA rules. By relaxing HIPAA penalties, and thus ensuring public health organizations have access to the latest metrics and developments, health organizations could better design plans to manage the pandemic and more effectively halt its spread.

Data security worries likely still abound among consumers, and the suspension of data-sharing penalties could make those worries more severe; even so, the value that new data will provide in the short term will likely override their concerns.

According to the OCR notice, a healthcare provider that wants to use audio or video communication technology to provide telehealth services to patients during the COVID-19 public health emergency can use any available “non-public facing remote communication product” to communicate with patients.

For example, a healthcare provider may request to examine a patient exhibiting COVID-19 symptoms using a video application. The provider can take advantage of the app’s features to assess a greater number of patients while limiting the risk of infection to other persons who would be exposed during an in-person consultation. Likewise, a healthcare provider may provide similar telehealth services, in the exercise of their professional judgment, to assess or treat any other medical condition, even if not related to COVID-19, adhering to social distancing measures and limiting unnecessary movement of patients.

The OCR Notice suggests that healthcare providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. At the same time, OCR states that Facebook Live, Twitch, TikTok, and similar video communication applications are public-facing, and should not be used in the provision of telehealth.

However, the use of such applications is not risk-free. For instance, it was only recently that the University of Toronto’s Citizen Lab examined Zoom’s encryption and concluded that the teleconferencing app is “not suitable for secrets.” It is important to understand the security of any video teleconferencing system used. Understanding and accepting the risk is important for any outsourced service.

Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks. In addition, healthcare providers, as well as their patients, are strongly encouraged to enable all available encryption and privacy best practices when using such applications, such as:

  • Keeping the app updated
  • Using passwords and two-factor authentication to protect meetings
  • Not sharing meeting details in public (e.g. in pictures posted online)
  • Using waiting rooms
  • Managing participants

If healthcare providers wish to seek additional privacy protections for telehealth, they could use services from technology vendors that will sign a business associate agreement (BAA) for the provision of their video communication products, making the service HIPAA compliant. Such products include, but are not limited to, Skype for Business, Microsoft Teams, Zoom for Healthcare, and Cisco Webex.

Together with the notice for the use of videoconference tools, OCR has published a bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies.

The European Union has taken a similar approach to the US OCR. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), has stated that “Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.” However, even in these exceptional times, “the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”

To contain the pandemic, there is a need to share information quickly or adapt the way we work. Data protection isn’t about stopping healthcare providers or civil protection workers from protecting us. “It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is,” says the UK’s Information Commissioner’s Office (ICO).

Therefore, the ICO as well as all EU Data Protection Authorities (DPAs) have issued guidance stating that the Authorities “won’t penalize organizations that need to prioritize other areas or adapt their usual approach during this extraordinary period.” There is a common understanding that resources, whether finances or people, might be diverted away from usual compliance or information governance work.

Indeed, the GDPR provides the legal grounds to enable employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies, for instance, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR), or to comply with another legal obligation.

However, the EU has indicated that special precautions apply to the processing of electronic communication data, such as mobile location data. Governments are leveraging contact tracing technology in an effort to map the spread of the virus. Generalized location data trend analysis is helping to tackle the coronavirus crisis. “Where this data is properly anonymized and aggregated, it does not fall under data protection law because no individual is identified,” both the ICO and the EDPB have stated.

In extraordinary times, extraordinary measures are required. However, these measures need to be proportionate and rest on a lawful basis. What is more, governments and public and private organizations have to plan in advance for transitioning back to normal conditions as far as personal and sensitive data processing is concerned. Otherwise, we run the risk of abolishing all human rights and establishing an unprecedented surveillance state. Governments and agencies need to be transparent about the use of personal data gathered and processed during the COVID-19 public health crisis to avoid any misunderstandings and conspiracy theories.

ITEGRITI can help healthcare providers navigate this emergency environment and provide high-quality services. Visit our website to learn how our services can help you.