The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) issued four distinct Notifications of Enforcement Discretion between April, 2020 and February 2021, and all Notifications collectively were associated with the COVID-19 public health emergency. These discretions were issued to essentially allow healthcare providers the ability to adapt their care models to unprecedented circumstances during the pandemic. In this quick blog I will discuss one of the expiring discretions associated with telehealth and the use of “non-public facing remote communication technologies”, which includes Microsoft Teams.
When healthcare providers use virtual healthcare or telemedicine to deliver services, they must ensure that they comply with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. OCR is tasked with enforcing this application of HIPAA and HITECH to these services that use remote communication technologies, thus, why they issued the initial notification detailing their provision to not impose penalties. When they issued the notice on March 17, 2020 – the accompanying FAQ did not specify when the notification would expire. That TBD expiration date is now May 11, 2023 - yet, there will be a 90-day transition period to mitigate identified gaps ending August 9, 2023.
IMPORTANT FACTOID: The Consolidated Appropriations Act of 2023 extends Medicare telehealth flexibilities to December 31, 2024. See SEC. 4113. ADVANCING TELEHEALTH BEYOND COVID–19.
RANDOM FACTOID: In the "FAQ on Telehealth and HIPAA during the COVID-19 nationwide public health emergency" linked above, they suggest "reasonable precautions could include using lowered voices" if a covered healthcare provider cannot utilize a private setting when offering telehealth services. These were unique times. Needless to say, a lowered voice won't be reasonable after May 11.
Foundationally HIPAA’s standards for the privacy and security of Protected Health Information (PHI) includes any individually identifiable health information transmitted or maintained by a covered entity or business associate. Modern remote communication solutions like Microsoft Teams often, both, transmit and maintain PHI when used for telehealth. When healthcare providers use virtual healthcare to deliver services, they must ensure that PHI is secured and protected from unauthorized disclosure.
Under HIPAA, covered entities are also required to enter into Business Associate Agreements (BAA) with their video communication technology vendors to ensure that the vendor also complies with the HIPAA Privacy Rule and Security Rule. Thankfully, Microsoft can enter into a BAA with customers who are covered entities to support compliance with the applicable requirements in the HIPAA Rules. In fact, Microsoft Teams is listed as one of the potential solutions for healthcare providers to use in the initial OCR notification of discretion.
HITECH provides additional requirements for the privacy and security of electronic PHI (ePHI). It requires covered entities and business associates to implement reasonable and appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. These safeguards include measures such as access controls, encryption, and backups.
National Institute of Standards and Technology (NIST) Special Publication 800-66 (NIST 800-66) is the federal guidance for protecting ePHI in accordance with HIPAA and is currently undergoing a revision, but the draft for NIST 800-66r2 is a great place to start in assessing your telehealth platform of choice.
Let’s start with the good news. There is a 90-day transition period where organizations can adapt existing policies – written and technical – as well as assess technical controls to identify gaps. When healthcare providers provide virtual healthcare, they must ensure that they have appropriate security measures in place to protect ePHI from improper exposure or exfiltration. This includes using secure communication channels, encrypting messages and data, and implementing access controls to limit who can view and transmit ePHI. In addition, healthcare providers using virtual healthcare must comply with HIPAA's breach notification requirements. If there is a breach of ePHI, providers must notify affected individuals and the Department of Health and Human Services (HHS) within a specified timeframe.
An organization can enable these capabilities with Microsoft Purview solutions, Azure Active Directory (AAD), and admin settings within Microsoft Teams. Some of the solutions to enable include:
Microsoft Purview Audit: Audit logs are enabled by default and can track user activity in Teams and other workloads. For Audit (Standard) activities can be audited and analyzed up to 90 days back, but with Audit (Premium) organizations can go beyond 90 days by establishing audit log retention policies. Microsoft Purview Audit logs can help you identify potential HIPAA violations via many Teams activities of users and admins. You can also run audits on Teams activities via Microsoft Purview Audit Premium.
Microsoft Purview Data Loss Prevention (DLP): DLP policies can help prevent users from sharing sensitive data, such as ePHI, in Teams. DLP policies can be configured to delete sensitive messages as they're shared, prevent non-authorized parties from opening a file containing ePHI that was shared in Teams, etc. You can create custom DLP policies to meet your organization's specific needs and now deploy Adaptive Protection to adjust policy application based upon risky user behavior.
Microsoft Purview eDiscovery: Once a potential ePHI exfiltration event or HIPAA violation occurs, eDiscovery allows you to search for and export Teams messages, files, and other data related to the user and case. All relevant sources can also be placed on hold for review. This solution can be essential for responding to legal requests and ensuring compliance with HIPAA requirements for data loss notifications.
Microsoft Purview Compliance Manager: Upcoming changes to NIST 800-66, the official implementation guidance for HIPAA compliance, puts an “increased emphasis on assessment and management of risk to ePHI.” Microsoft Purview Compliance Manager templates provide step-by-step control implementation guidance to help organizations know which specific actions they can take in their Microsoft 365 environment (inclusive of Teams) to meet these compliance requirements.
There are several requirements for access control that can apply to Microsoft Teams, especially in the case of virtual healthcare. Establishing multifactor authentication (MFA) with a FIPS compliant authenticator technology is a great place to start. Microsoft's Authenticator app meets this standard, and Microsoft AAD Conditional Access policies can extend protections to limit authentication attempts to certain locations, from specific devices, and based upon other relevant conditions to prevent compromised users and identities from accessing ePHI on Teams.
BONUS: New Microsoft Teams Premium features provide the ability to label meetings where ePHI will likely be shared. Labeling the meeting can automatically enforce protections, apply watermarking to video or presentation materials, and limit participant controls.
After May 11th, Microsoft Teams can continue to be suitable for HIPAA and HITECH compliance. Though Teams may be a suitable telehealth platform, organizations should validate their BAA and conduct an assessment on their "remote communications technologies" to identify risks or gaps.
Additionally, Microsoft has committed to continuing to invest in Teams' security and privacy features to meet the evolving needs of healthcare organizations. As the healthcare industry continues to adopt new technologies and regulations, Microsoft is committed to ensuring that Teams enables compliance and can defend against modern threats. Microsoft's healthcare commitments have never been more evident, with announced AI partnerships with Epic and collaboration with the Health Information Sharing and Analysis Center (H-ISAC) to thwart ransomware attacks costing "hospital systems millions of dollars in recovery and repair costs".
Original LinkedIn Article:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.