CA Extends Telehealth HIPAA Penalty Exemption Until End of PHE

October 01, 2021 - California Governor Gavin Newsom renewed most of Executive Order N-43-20, which provides certain HIPAA penalty exemptions surrounding the release of patient information for providers who deliver telehealth services through the end of the COVID-19 public health emergency (PHE), according to the California Medical Association. The order was originally set to expire on September 30.

The pandemic kickstarted a nationwide telehealth boom as the US went into lockdown. The Office for Civil Rights (OCR) issued a telehealth “good faith provision” in March 2020, enabling providers to care for patients via telehealth without facing HIPAA violations.

Normally, providers are required to deliver telehealth services via a HIPAA-compliant platform. But during the PHE, providers are permitted to use FaceTime, Skype, and other communication services to deliver care.

“For example, a covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID- 19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation,” the OCR’s March 2020 statement explained. 

“Likewise, a covered health care provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.”

Some states have since expanded these provisions through the end of the PHE, modified them, or let them expire altogether.

Governor Newsom’s executive order renewal, N-16-21, renewed all provisions of the original executive order with the exception of one element. As of September 30, physicians will no longer be able to deliver telehealth services without first obtaining verbal or written consent.

“As this component expires, physicians will now be subject to the pre-pandemic requirement to obtain patient consent,” the California Medical Association’s announcement stated. “This consent can either be written or obtained verbally and documented in the patient record.”

The expansion of telehealth has allowed patients to receive quality care while avoiding the risk of contracting COVID-19. The care delivery method has become crucial to healthcare throughout the pandemic, but telehealth poses security risks that may put patient data in jeopardy if used incorrectly.

Providers were forced to adopt telehealth technologies extremely quickly due to the urgency of the pandemic. But with rapid implementation comes significant security gaps.

The Cloud Security Alliance (CSA) released guidance surrounding compliance and cybersecurity in the context of telehealth risk management. CSA recommended that healthcare organizations establish a governance program for telehealth management in order to ensure compliance, improve care quality and manage stakeholder expectations.

“During the COVID-19 pandemic, the rules governing telehealth changed dramatically, prompting health delivery organizations to quickly update and revise their governance and risk programs,” Jim Angle, lead author and co-chair of the Health Information Management Working Group, explained in the paper.

“Now, with the rapidly changing demands and regulatory requirements for telehealth, it’s essential that HDOs have effective governance and risk programs to ensure a smooth and seamless transition while improving their current risk postures.”

The paper recommended that providers implement strict privacy guidelines to guarantee compliance and prepare for the end of the PHE when the good faith provision expires.