During the COVID-19 public health emergency, the U.S. Department of Health and Human Services (“HHS”) has authorized HIPAA covered entity providers to communicate with patients and perform telehealth services using remote communications. These technologies may not, however, be “HIPAA compliant.”
The HHS Office for Civil Rights (“OCR”) will not impose penalties against covered providers who, in good faith, provide telehealth services to consumers during the emergency. Thus, these providers may use any non-public facing remote communication product suitable for communications with patients. It is not necessary for the telehealth services to be COVID-19 related.
This non-imposition of penalties does not, however, allow covered providers to ignore the HIPAA rules. They should still conduct a risk analysis of the telecommunications and implement reasonable and appropriate security measures to protect patient privacy, for example: ensuring that the prior patient’s data is not left up on the screen for the next patient to view, having a telemedicine policy, conducting training on how to engage in telemedicine without violating privacy, and obtaining informed consent to the service. Read the full HHS notice here: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
I have previously posted my sample telemedicine policy that is normally free only to premium members, and I am now adding a sample telemedicine informed consent to this blog post. As always, you must tailor the sample to your specific situation. Stay safe out there.
Telemedicine Informed Consent and User Agreement
Introduction. [Name of Practice] offers this treatment option as a courtesy to our patients who, because of a lockdown or social distancing due to an epidemic or pandemic, cannot travel to [Name of Practice]’s offices or for whom it is otherwise difficult to travel to [Name of Practice]’s location. [Name of Practice] has performed a risk analysis of this communication tool and has implemented reasonable and appropriate security measures to protect patient privacy.
Privacy and Security. As stated above, [Name of Practice] has implemented, in its opinion, reasonable and appropriate security measures as required by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Telemedicine and telehealth services rely on the transfer of data from one location to another, whether through interactive video consultations, store and forward technology, or remote patient monitoring. Unfortunately, this data can be stolen or even manipulated during transmission by cyber criminals looking to harm patient outcomes. Harm resulting from such cyberattacks can include identity theft, disclosure of highly sensitive health information that may cause loss of job, reputation, and the like, and other harms, such as embarrassment and emotional distress. A power outage or a denial of service attack (such as ransomware) could also prevent or stop the telemedicine conference.
The security measures that [Name of Practice] has implemented include [state security measures, such as VPN, encryption, and so forth]. The best technical security can be defeated, however, particularly if you do not protect your [user ID and password] [other information to verify your identity] to access the telemedicine session. If you believe that these security measures have been compromised, immediately change your password and report the matter to [Name of Practice]’s [Security Officer][Office Manager][other] at (___) ___-____. Even with our security measures and your assistance in protecting your [user ID and password][other information to verify your identity], we cannot guarantee that your health information, including financial, demographic, and lifestyle information, as well as clinical information, as used or disclosed in the telemedicine session, will not be compromised. Knowing this, if you still want to participate in telemedicine and you are willing to adhere to the conditions below, please sign at the bottom of this form.
[Name of Practice] provides this telemedicine as a courtesy for our consumers and does not charge a service fee over and above the regular cost for the clinical services. If, however, consumers misuse the service, we reserve the right to terminate those patients’ access or otherwise modify the telemedicine services offered.
Instructions. When you sign this Telemedicine Informed Consent and User Agreement, you must also provide us your email address. Upon receipt of your email address, we will provide instructions as to how to access the service.
Patients with Disabilities. If you have a disability that will make it difficult for you to use telemedicine services, please notify us and we will see whether we can make a reasonable accommodation.
Telemedicine Informed Consent and Agreement. The undersigned has read and understands this Telemedicine Informed Consent and Agreement Form. Understanding that some risks exist with use of this method of treatment, I agree to the conditions specified and consent to the use of my or my child’s or ward’s individually identifiable health information in this manner. I also consent to any instructions that my physician or other clinician may impose for telemedicine communications.
Signature of Patient __________________________________________________________
Printed Name of Patient _______________________________________________________
If Minor Patient(s):
Relationship to Patient(s)[1] ______________________________________________________
Names and Ages of Patient(s)___________________________________________________
____________________________________________________________________________
Date Signed _________________________________________________________________
Email Address _______________________________________________________________
[1] If divorced, indicate whether Parent has joint, shared and sole, or full custody under [name of state] law or type of custody under another state’s law.