This post was authored by Mason Barnard, a summer 2020 CDT intern and a PhD student at Princeton.
As government leaders, policymakers, and technology companies continue to navigate the global coronavirus pandemic, CDT is actively monitoring the latest responses and working to ensure they are grounded in civil rights and liberties. Our policy teams aim to help leaders craft solutions that balance the unique needs of the moment, while still respecting and upholding individual human rights. Find more of our work at cdt.org/coronavirus.
As COVID-19 shifted our work and social lives online, it also shifted ordinary medical practice away from hospitals and doctors’ offices and onto computers and smartphones. The Department of Health and Human Services (HHS) helped facilitate this shift. On March 13th, HHS rolled back the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security requirements, diversifying the technologies available for communicating with patients but also removing safeguards for the protection of patient data. This policy, alongside changed reimbursement practices that better compensate telehealth visits, contributed to a rapid expansion of telehealth use. As the outbreak continues, policymakers are now calling for these policy adjustments to be made permanent.
Doing so without important considerations for privacy and security would be a mistake. The HHS policy as it now stands carries long-term privacy and security implications, exposing patients to avoidable data disclosure risks. Specifically, these federal actions unnecessarily relax commonly available security protections, such as the use of end-to-end encryption and unique user identification, thus encouraging users to share health information on less secure platforms. Conversely, other policy changes, such as those increasing reimbursement for telehealth services, don’t go far enough and fail to build a strong foundation for long-term equity in telehealth access and security. Simple modifications can resolve these issues, and in the process expand telehealth use without sacrificing the privacy of its users.
Prior to the pandemic, telehealth saw limited use in the United States. Only 2.4% of enrollees in large employer plans used a telehealth service in 2018, and only 15% of physicians reported using telehealth in any capacity with their patients (Kaiser Family Foundation). Although many large insurers, such as Kaiser Permanente and the Cleveland Clinic, do maintain access to a robust telehealth network, many smaller insurers and hospital networks do not.
Such limited use arises from telehealth’s numerous pre-pandemic economic, legal, and financial challenges. Most physicians and patients do not desire telehealth when surveyed (Definitive Healthcare), and both federal and state laws impose restrictions on how, when, and where telehealth can be used to see patients. For example, HIPAA permits a limited number of licensed communication softwares for telehealth visits, and these software providers must be willing to enter into strict Business Associate Agreements that hold them liable for information breaches and for regular security audits. These requirements significantly raise the costs and complexities of telehealth software investments, often restricting telehealth systems to large, wealthy provider networks.
But even when telehealth investments are made, they regularly face obstacles to profitability. Many states restrict the market for telehealth by forbidding patients from remotely seeing out of state physicians unless they maintain an in-state license, and Medicaid, Medicare, and most private insurers pay physicians less for visits conducted by telehealth (Kaiser Family Foundation). Together, these legal and financial obstacles have limited telehealth use prior to the coronavirus outbreak.
The pandemic flipped many of these limitations on their head. Nationwide calls for social distancing and temporary business closures mandated that most patients see their physicians through telehealth, drastically increasing demand for telehealth services. The HHS Office of Civil Rights (OCR) and the Centers for Medicare and Medicaid also altered their policies regarding telehealth use (HHS Telehealth Memo). OCR relaxed HIPAA restrictions on telehealth software and Business Associate Agreements, permitting providers to use any non-public facing communication technology to see patients (i.e. Facebook is not permitted, but telephone calls and services such as Zoom are allowed). CMS likewise shifted reimbursement practices to pay providers seeing patients remotely at the same rate as ordinary practice (CMS Memo).
Preliminary research suggests that these policies, alongside the massive behavioral changes associated with the pandemic, produced a major shift towards telehealth. Medicare beneficiaries’ telehealth use increased 11,718% during the month and a half following most state shutdowns, with private insurers reporting similar, but less drastic, increases in remote care (Healthcare Dive, Commonwealth Fund).
Lawmakers and policy groups also took notice. In a June 15th letter, a bipartisan group of 30 senators formally requested that the coronavirus telehealth provisions enacted by CMS and HHS be made permanent. They noted:
“Americans have benefited significantly from this expansion of telehealth and have come to rely on its availability. Congress should expand access to telehealth services on a permanent basis…Doing so would assure patients that their care will not be interrupted when the pandemic ends” (Connect for Health Senate Letter).
The call to extend changes has also been made by providers, with the American College of Physicians similarly writing: “It is clear that the policy changes provided by CMS…have played a pivotal role in mitigating the effects of the COVID-19 pandemic while providing a source of much needed revenue for physician practices across the country” (American College of Physicians).
Planning for Permanence
Calls to permanently extend telehealth policies emphasize the importance of maintaining access to healthcare throughout the pandemic–a critical component of a successful response. But access does not have to come at the cost of privacy and security. Federal leaders can modify OCR and HHS’ existing pandemic policies to better balance the need to protect patient data while allowing patients access to their physicians. These modifications would target two major areas:
- Mandating Encryption and Password Protection
- Ensuring Equal Access to Secure Communication Technologies
Mandating Encryption and Password Protection
HIPAA requires that technology platforms maintain robust security standards for telehealth. These technologies must restrict access to protected health information through unique user identification, automatic logoff, and end-to end encryption, and they must also provide audit controls and information validation for HHS to monitor potential breaches (HIPAA 45 CFR Parts 160 and 164). OCR’s pandemic policy modifications remove the need for each of these requirements, mandating only that communication technologies not be “public-facing” social media platforms, such as Twitter and Instagram (OCR Press Release).
OCR’s temporarily low bar for patient privacy should not be permanent. Many technologies available for widespread, cheap consumer use maintain many of the same security standards ordinarily required by HIPAA, enabling HHS to impose higher expectations for telehealth communications. OCR even recognizes the overlap in its own guidance: “Typically, these platforms [commonly used communication softwares] employ end-to-end encryption…individual user accounts, logins, and passcodes to help limit access and verify participants” (OCR Press Release). It likewise recommends that providers use technologies offering these features and that they “should enable all encryption and privacy modes when using such applications” (OCR FAQs on Telehealth Rollback). These recommendations should become an enforceable requirement.
Ensuring Equal Access to Secure Communication Technologies
The initial policy changes made by Congress and HHS contributed to a successful and rapid shift to telehealth care. But that shift requires ongoing investment to protect patient data over the long-term. This investment takes two forms: continuing and expanding reimbursement for providers using telehealth; and offering sources of funding for providers and hospitals to transition away from consumer based communication technologies and towards more secure, HIPAA compliant systems.
The first form of investment has already been adopted by CMS and other insurers. Providers are now reimbursed for telehealth appointments at the same rate as ordinary visits by Medicare and Medicaid, with many states voluntarily adopting a similar policy for all insurers. Yet many other insurers and states have not yet made this policy change. They should be encouraged to do so.
The second form of investment–offering a source of funding for major telehealth purchases–likewise currently exists in a weak form. Prior to the pandemic, the federal Telehealth Network Grant Program (TNGP) awarded $8.7 million a year to providers and hospitals in rural or medically underserved areas to invest in telehealth technology. The Coronavirus Aid, Relief, and Economic Security Act (CARES) bolstered this funding to $29 million for five years starting in 2021, but it does not extend funding to all hospitals. Although rural hospitals are those most in need of support, surveys show that the high cost of telehealth investment remains a deterrence for many hospital systems. Increasing the funding available for telehealth in the CARES Act and expanding access to it will thus help ensure that all providers can access secure, effective telehealth technologies going forward (Health Affairs).
Telehealth policy to date has emphasized expanding access, often at the perceived tradeoff of privacy and security. Such a tradeoff is not inevitable. Good policymaking can balance the need for remote health with the need for privacy and security–building the foundation for a robust telehealth system both during and after the current health emergency.