When the Covid pandemic began, many health care providers wanted to make use of telehealth to continue providing care while limiting exposure. However, providers worried that remote communications technologies could violate the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. In March 2020, the Office for Civil Rights (OCR) notified health care providers that it would use enforcement discretion in applying HIPAA so that care could be furnished remotely as long as reasonable precautions were taken to protect confidentiality. However, this notification will expire when the Covid public health emergency (PHE) is no longer in effect.
On June 13, 2022, OCR published guidance on how providers may continue to use audio-only telehealth once the PHE expires. OCR notes that health care providers must use reasonable safeguards to limit incidental disclosures of protected health information (PHI), by using a private office if available, or if not, by avoiding use of a speakerphone. OCR also states that if the patient is not known to the provider, the provider must verify the identity of the patient, either orally or in writing (which could include using electronic methods).
OCR notes that the HIPAA Security Rule does not apply to audio-only telehealth services if the provider is using a landline, because the information transmitted is not electronic. However, electronic communication technologies do require compliance with HIPAA Security. This would include smartphone apps, Voice over Internet Protocol (VoIP) technologies, and messaging services that electronically store audio messages. Providers using these technologies should address the vulnerabilities in their security risk analysis, including whether risks can be mitigated with use of encryption. OCR points out that the HIPAA rules apply only to the health care provider end of the communication: the patient may use any telephone system they choose.
Finally, OCR addressed when a provider must have a business associate agreement (BAA) with a telecommunication service provider (TSP). If the TSP has only transient access to PHI being transmitted, no BAA is required because the TSP is merely a conduit. However, if the service provided by the TSP includes storing recordings or transcripts, then a BAA is needed.
- Published: 21 June 2022
- Last Updated: 21 June 2022
The US Food and Drug Administration (FDA), along with Health Canada and the United Kingdom's Medicines and Healthcare Products Regulatory Agency, has identified ten guiding principles for the development of safe and effective medical devices that use artificial intelligence and machine learning (AI/ML). AI/ML technologies have the potential to improve device performance by deriving insights from data generated through the delivery of health care in real-world use. The ten principles, called Good Machine Learning Practice (GMLP), are intended to be used to identify GMLP best practice and consensus standards.
The principles are:
- Multi-disciplinary expertise is leveraged throughout the total product life cycle.
- Good software engineering and security practices are implemented. The agencies explain this should include the fundamentals of good software engineering practices, data quality assurance, data management and cybersecurity.
- Clinical study participants and data sets are representative of the intended patient population. Data collection should ensure that relevant characteristics of the intended population (such as demographics) are represented in a sample of adequate size so that results can be generalized to the population.
- Training data sets are independent of test sets.
- Selected reference datasets are based upon best available methods.
- Model design is tailored to the available data and reflects the intended use of the device. Design should support the active mitigation of known risks, like overfitting, performance degradation, and security risks.
- Focus is placed on the performance of the human/AI team. Developers need to address human interpretability of the model outputs.
- Testing demonstrates device performance during clinically relevant conditions. Test plans are developed to generate clinically relevant device performance information independent of the training data set, considering the intended patient population, clinical environment and other factors.
- Users are provided clear, essential information. Users have access to information appropriate for the intended audience, such as health care providers or patients, and a means to communicate product concerns to the developer.
- Deployed models are monitored for performance and re-training risks are managed. Models must be monitored in real world use for potential improvement of safety and performance.
- Published: 11 November 2021
- Last Updated: 11 November 2021
OIG reports most Medicare beneficiaries using telehealth had an established relationship with a provider
The Office of Inspector General (OIG) of the Department of Health and Human Services published a data snapshot dated October 2021, examining telehealth utilization by Medicare beneficiaries from March to December 2020. During this period, 26 million Medicare beneficiaries (39% of all Medicare beneficiaries) received at least one telehealth service. The OIG found that 84% of Medicare beneficiaries received all their telehealth services from providers with whom they had an established relationship. For office visits, 83% of beneficiaries had an established relationship. Office visits were the most common type of telehealth service, accounting for nearly half of all telehealth services (45.5 million office visits). Beneficiaries receiving home visits via telehealth were the least likely to have an established relationship with their provider (34%). However, home visits were only 1% of all services provided via telehealth.
There were some differences in telehealth utilization between beneficiaries in traditional Medicare and Medicare Advantage plan enrollees. This is not unexpected, since Medicare Advantage plans had greater flexibility to cover telehealth services prior to the pandemic. During the study period, one third of beneficiaries in traditional Medicare received telehealth services compared to 45% of Medicare Advantage enrollees. A slightly larger percentage of traditional Medicare beneficiaries (86% compared to 81%) had an established relationship with the telehealth provider compared to Medicare Advantage enrollees, except for physical, occupational and speech therapy. Both traditional Medicare and Medicare Advantage beneficiaries with established provider relationships had an in-person visit with the provider an average of four months prior to the first telehealth service.
Comment: this study should be reassuring to policymakers who worry that expanding telehealth eligibility permanently would open the floodgates to Medicare fraud. It suggests that Medicare beneficiaries are generally using telehealth as an adjunct to regular provider relationships.
- Published: 24 October 2021
- Last Updated: 24 October 2021
The Office for Civil Rights (OCR) of the Department of Health & Human Services has published guidance on what inquiries and disclosures about COVID-19 vaccination status are permitted. The OCR notes that the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule applies only to covered entities and their business associates. (Covered entities are health plans, health care clearinghouses and health care providers that conduct electronic transactions, and business associates are entities that provide various management and related services for covered entities.)
The HIPAA Privacy Rule does not prohibit businesses or individuals from asking whether customers or clients have received a COVID-19 vaccine. This is the case even for businesses that are covered entities or business associates, because the HIPAA Privacy Rule applies to uses and disclosures of protected health information (PHI) by covered entities and business associates, not requests for information. HIPAA also does not prohibit an individual from disclosing whether the individual has been vaccinated.
The OCR points out that the HIPAA Privacy Rule does not apply to employment records (including records held by covered entities or business associates in their capacity as employers). HIPAA does not regulate what information can be requested from employees as a condition of employment. Therefore, employers (including covered entities and business associates) can require their employees to provide documentation of COVID-19 vaccination, to sign an authorization for the employee's health care provider to provide such documentation, to wear a mask while on the employer's premises or in the course of performing their duties, or to disclose whether the employee is vaccinated if a patient asks for that information. The OCR notes, however, that the Americans with Disabilities Act requires that documentation of vaccination, like other employee health information, must be kept confidential and stored separately from personnel files. The OCR also addressed questions relating to employee health services. Health care providers are permitted to disclose PHI relating to an individual's vaccination status to an employer in connection with medical surveillance of the workplace or to evaluate whether the individual has a work-related illness, but only if the health care provider is providing services to the individual at the request of the employer, the individual is notified that PHI related to medical surveillance and work-related illnesses will be disclosed to the employer, and certain other conditions apply.
It is necessary to distinguish between employment records and health records maintained by a health care provider in the course of treatment. The HIPAA Privacy Rule generally requires covered entities, including health care providers, to obtain the patient's authorization in order to disclose information (with certain exceptions, such as disclosures to public health authorities).
- Published: 04 October 2021
- Last Updated: 04 October 2021