{"id":1763,"date":"2020-06-30T08:00:18","date_gmt":"2020-06-30T08:00:18","guid":{"rendered":"http:\/\/72.52.228.46\/~itegriti\/?p=1763"},"modified":"2021-04-12T03:41:45","modified_gmt":"2021-04-12T03:41:45","slug":"hipaa-enforcement-relaxed-due-to-covid-19-pandemic","status":"publish","type":"post","link":"https:\/\/itegriti.com\/staging\/2020\/compliance\/hipaa-enforcement-relaxed-due-to-covid-19-pandemic\/","title":{"rendered":"HIPAA Enforcement Relaxed due to Covid-19 Pandemic"},"content":{"rendered":"<p>During the COVID-19 public health emergency, governments, as well as public and private organizations throughout the world, are taking measures to contain and mitigate COVID-19. 
This can involve the processing of different types of sensitive personal data, including protected health information.<\/p>\n<p>Healthcare providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA-covered healthcare providers, may not fully comply with the requirements of the HIPAA Rules.<\/p>\n<h2 class=\"navy\">\u201cEmpower Medical Providers to Serve Patients\u201d<\/h2>\n<p>In an effort to \u201cempower medical providers to serve patients wherever they are during this national public health emergency\u201d the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) <a href=\"https:\/\/www.hhs.gov\/hipaa\/for-professionals\/special-topics\/emergency-preparedness\/notification-enforcement-discretion-telehealth\/index.html\" target=\"_blank\" rel=\"noopener noreferrer\">announced<\/a> that it \u201cwill exercise its enforcement discretion and will not impose penalties for non-compliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.\u201d<\/p>\n<p>The goal is to ensure that public health officials, working to combat the pandemic, have quick access to as much data as possible by granting hospitals the ability to pass pertinent information along without worrying about violating any HIPAA rules. 
By relaxing HIPAA penalties, and thus ensuring public health organizations have access to the latest metrics and developments, health organizations could better design plans to manage the pandemic and more effectively halt its spread.<\/p>\n<p>Although data security worries likely still abound among consumers, and while the suspension of data-sharing penalties could make their worries more severe, the value that new data will provide in the short term will likely override their concerns.<\/p>\n<h2 class=\"navy\">The Use of Telepresence Tools<\/h2>\n<p>According to the OCR notice, a healthcare provider that wants to use audio or video communication technology to provide telehealth services to patients during the COVID-19 public health emergency can use any available \u201cnon-public facing remote communication product\u201d to communicate with patients.<\/p>\n<p>For example, a healthcare provider may request to examine a patient exhibiting COVID-19 symptoms, using a video application. The provider can take advantage of the app features to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed during an in-person consultation. Likewise, a healthcare provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, adhering to social distancing measures and limiting unnecessary movement of patients.<\/p>\n<p>The OCR Notice suggests that healthcare providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. 
At the same time, OCR states that Facebook Live, Twitch, TikTok, and similar video communication applications are public-facing, and should not be used in the provision of telehealth.<\/p>\n<p>However, the use of such applications is not risk-free. For instance, it was only recently that the University of Toronto\u2019s <a href=\"https:\/\/citizenlab.ca\/2020\/04\/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings\/\" target=\"_blank\" rel=\"noopener noreferrer\">Citizen Lab<\/a> examined Zoom\u2019s encryption and concluded that the teleconferencing app is \u201cnot suitable for secrets.\u201d It is important to understand the security of any video teleconferencing system used. Understanding and accepting the risk is important for any outsourced service.<\/p>\n<p>Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks. In addition, healthcare providers, as well as their patients, are strongly encouraged to enable all available encryption and privacy <a href=\"https:\/\/www.forbes.com\/sites\/kateoflahertyuk\/2020\/04\/03\/use-zoom-here-are-7-essential-steps-you-can-take-to-secure-it\/\" target=\"_blank\" rel=\"noopener noreferrer\">best practices<\/a> when using such applications, such as:<\/p>\n<ul>\n<li>Keeping the app updated<\/li>\n<li>Using passwords and two-factor authentication to protect meetings<\/li>\n<li>Not sharing meeting details in public (e.g., pictures)<\/li>\n<li>Using waiting rooms<\/li>\n<li>Managing participants<\/li>\n<\/ul>\n<p>If healthcare providers wish to seek additional privacy protections for telehealth, they could use services from technology vendors that are HIPAA compliant by signing a business associate agreement (BAA) for the provision of their video communication products. 
Such products include, but are not limited to, Skype for Business, Microsoft Teams, Zoom for Healthcare, and Cisco Webex.<\/p>\n<p>Together with the notice for the use of videoconference tools, OCR has published a <a href=\"https:\/\/www.hhs.gov\/sites\/default\/files\/february-2020-hipaa-and-novel-coronavirus.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">bulletin<\/a> advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies.<\/p>\n<h2 class=\"navy\">What Happens in Europe?<\/h2>\n<p>The European Union has taken a similar approach to the US OCR. Andrea Jelinek, Chair of the European Data Protection Board (EDPB), <a href=\"https:\/\/edpb.europa.eu\/news\/news\/2020\/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en\" target=\"_blank\" rel=\"noopener noreferrer\">has stated that<\/a> \u201cData protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic.\u201d However, even in these exceptional times, \u201cthe data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.\u201d<\/p>\n<p>To contain the pandemic, there is a need to share information quickly or adapt the way we work. Data protection isn\u2019t about stopping healthcare providers or civil protection workers from protecting us. 
\u201cIt\u2019s about being proportionate &#8211; if something feels excessive from the public\u2019s point of view, then it probably is,\u201d <a href=\"https:\/\/ico.org.uk\/for-organisations\/data-protection-and-coronavirus\/\" target=\"_blank\" rel=\"noopener noreferrer\">says the UK\u2019s Information Commissioner\u2019s Office<\/a> (ICO).<\/p>\n<p>Therefore, the ICO as well as all EU Data Protection Authorities (DPAs) have issued guidance stating that the Authorities \u201cwon\u2019t penalize organizations that need to prioritize other areas or adapt their usual approach during this extraordinary period.\u201d There is a common understanding that resources, whether they are finances or people, might be diverted away from usual compliance or information governance work.<\/p>\n<p>Indeed, the GDPR provides the legal grounds to enable employers and the competent public health authorities to process personal data in the context of epidemics, without the need to obtain the consent of the data subject. This applies, for instance, when the processing of personal data is necessary for employers for reasons of public interest in the area of public health or to protect vital interests (Art. 6 and 9 of the GDPR), or to comply with another legal obligation.<\/p>\n<p>However, the EU has stated implicitly that there are special precautions when it comes to the processing of electronic communication data, such as mobile location data. Governments are leveraging <a href=\"https:\/\/www.apple.com\/covid19\/contacttracing\/\" target=\"_blank\" rel=\"noopener noreferrer\">contact tracing technology<\/a> in an effort to map the spread of the virus. Generalized location data trend analysis is helping to tackle the coronavirus crisis. 
\u201cWhere this data is properly anonymized and aggregated, it does not fall under data protection law because no individual is identified,\u201d both the <a href=\"https:\/\/ico.org.uk\/about-the-ico\/news-and-events\/news-and-blogs\/2020\/03\/statement-in-response-to-the-use-of-mobile-phone-tracking-data-to-help-during-the-coronavirus-crisis\/\" target=\"_blank\" rel=\"noopener noreferrer\">ICO<\/a> and the <a href=\"https:\/\/edpb.europa.eu\/news\/news\/2020\/statement-edpb-chair-processing-personal-data-context-covid-19-outbreak_en\" target=\"_blank\" rel=\"noopener noreferrer\">EDPB<\/a> have stated.<\/p>\n<h2 class=\"navy\">Final thoughts<\/h2>\n<p>In extraordinary times, extraordinary measures are required. However, these measures need to be proportionate and have a lawful basis. What is more, governments and public and private organizations have to plan in advance for transitioning back into normal conditions, as far as personal and sensitive data processing is concerned. Otherwise we run the risk of abolishing all human rights and establishing an unprecedented surveillance state. Governments and agencies need to be transparent about the use of personal data gathered and processed during the COVID-19 public health crisis to avoid any misunderstandings and conspiracy theories.<\/p>\n<p>ITEGRITI can help healthcare providers navigate this emergency environment and provide high-quality services. Visit our <a href=\"http:\/\/72.52.228.46\/~itegriti\/\">website<\/a> to learn how our services can help you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the COVID-19 public health emergency, governments, as well as public and private organizations throughout the world, are taking measures to contain and mitigate COVID-19. 
This can involve the processing of different types of sensitive personal data, including protected health information.<\/p>\n","protected":false},"author":10,"featured_media":1777,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2179],"tags":[],"_links":{"self":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1763"}],"collection":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/comments?post=1763"}],"version-history":[{"count":14,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1763\/revisions"}],"predecessor-version":[{"id":1987,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/posts\/1763\/revisions\/1987"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media\/1777"}],"wp:attachment":[{"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/media?parent=1763"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/categories?post=1763"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itegriti.com\/staging\/wp-json\/wp\/v2\/tags?post=1763"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}