HIPAA, telehealth, and managing billing staff working remotely

April 8, 2020

Expert advice to secure your practice.

Video-chat tools such as Apple FaceTime, Skype, and Zoom are now available to physician practices that want to treat patients on a remote basis, according to March 17 guidance from the U.S. Department of Health and Human Service’s Office of Civil Rights (OCR), which enforces HIPAA.

Michele Madison, JD, an Atlanta-based healthcare attorney at Morris, Manning, & Martin law firm, points out that OCR won’t enforce penalties for physician practices that use “non-public-facing video and audio technology that’s not secure and they won’t require business associate agreements.” Still, she advises practices to take the following steps: 

  • Validate that the physician or other clinician is licensed to provide care by telemedicine in the state where they’re providing the service.

  • Secure verbal or written confirmation that patients understand the platform used to receive telehealth-based care isn’t secure. 

  • Communicate to physicians and clinicians that they must fully and completely document the interaction with patients, including their clinical findings, medical decision-making, and other necessary variables to support the CPT code used by the billing department. 

According to the OCR guidance, platforms such as Facebook Live, TikTok, and Twitch are examples of public-facing video communications platforms and shouldn’t be used when providing care to patients. 

Trending: Coding during the Coronavirus pandemic

Investigate ability to bill for telehealth visits

Elizabeth Litten, JD, a Princeton, NJ-based healthcare attorney and chief privacy and HIPAA compliance officer at Fox Rothschild law firm, points out that practices need to ensure that they’ll be reimbursed for the care provided using telehealth. Kelli Fleming, JD, a Birmingham, AL-based attorney at Burr Forman law firm, advises practices to check with health insurers to ensure they’ll be paid for the patient visit. 

CMS has said that Medicare will reimburse healthcare providers for treating patients using telehealth for Covid-19 and other medically reasonable purposes from offices, hospitals, and residences such as homes, nursing homes, and assisted living facilities. The federal agency noted that Medicare Advantage plans may offer additional telehealth services beyond what was included in their approved 2020 benefits.

States “have broad flexibility to cover telehealth through Medicaid, including the methods of communication (such as telephone, video technology commonly available on smartphones and other devices) to use,” according to April 2 guidance from CMS. In addition, states aren’t required to seek federal approval “to reimburse providers for telehealth services in the same manner or at the same rate that states pay for face-to-face services.”

Fleming highlights that OCR’s March 20 

 says that telehealth-based visit doesn’t have to be for a Covid-19-related condition. That means, for example, that a physician can use telehealth to consult with a patient about an earache, she says.

 

Disclosing PHI

OCR’s March 24 guidance provided insight on ways that healthcare providers can disclose PHI about a person who has been infected by or exposed to Covid-19. Healthcare organizations can disclose PHI, including the name and other identifying information about the person under the following four circumstances:

  • When needed to provide treatment

  • When required by law

  • When first responders may be at risk for an infection

  • When disclosure is necessary to prevent or lessen a serious and imminent threat 

Fleming points out that this allows a call center employee or an EMT to communicate with a physician or other clinician that the patient has been around someone with Covid-19 or has tested positive for the infectious disease. It allows healthcare providers to adequately respond and protect themselves, she explains. But she points out that this type of communication has always been permissible between first responders and healthcare providers. 

Read More: Family First Coronavirus Response Act: What physicians need to know

Managing billing staff working remotely

To date, 41 state governors have issued stay-at-home orders or advisories, which generally means that only essential personnel need to show up physically at their places of work. 

In addition, OCR issued 

 on April 2 that it won’t impose penalties for violations of some provisions of the HIPAA Privacy Rule against healthcare providers and their business associates “for good faith uses and disclosures of protected health information (PHI) by business associates for public and health and health oversight activities during the Covid-19 nationwide public health emergency.”

In a statement, Roger Severino, director of OCR, said, “The CDC, CMS, and state and local health departments need quick access to Covid-19-related health data to fight this pandemic. Granting HIPAA business associates greater freedom to cooperate and exchange information with public health and oversight agencies can help flatten the curve and potentially save lives.”

Some clinicians may be able to provide telehealth consults from their home offices, whereas administrative employees who aren’t patient-facing can work remotely, with the right guidance. Alissa Smith, JD, a Des Moines, Iowa-based attorney at Dorsey & Whitney law firm, points out that employees providing administrative and billing support can work from home. Her advice for physician practices with billing employees working from home includes:

  • Keep billing files and other patient records away from others in the household.

  • Use safeguards, such as firewalls, encryption, and a private network to prevent patient information from being hacked. 

Fleming recommends that practices require billing staff who are working remotely to log in to the practice’s systems using two-factor authentication. That requires a code to be sent to the billing employee’s cell phone for an additional level of security, she explains. 

An additional safeguard is to discourage employees from saving any files on the hard drives on their computers at home, says Fleming. In addition, the employee’s computer should also be set up to require an additional log in if the computer isn’t in use for three minutes or even less. Employees should also be told to limit printing of any patient information, she adds. 

 

Most payers allow providers up to a year to drop a claim, says Fleming. But waiting to send claims to health insurers will hurt the practice’s cash flow. Physicians tell her that billing employees “are essential, they help me keep my doors open,” she adds.