Patient data protection and telehealth compliance are key pieces for hospices to bear in mind when navigating technology partnerships in a post-pandemic regulatory landscape.
Hospices are facing regulatory concerns since the COVID-19 public health emergency ended (PHE) on May 11 that have centered around telehealth. Some telehealth flexibilities temporarily instituted during the PHE will linger until the end of 2024, while others have already ended.
Hospices are also facing the growing risk of cybersecurity threats that have included incidents of exposed private health information belonging to patients.
Looking within a hospice organization’s system capabilities before seeking a technology partner is a crucial step, according to Dr. Balu Natarajan, chief medical officer of AccentCare Hospice.
“Good hospices know their own systems’ capabilities and requirements, and seek partners who understand and can comply with those requirements while enhancing the delivery of patient care,” Natarajan told Hospice News in an email. “With the flexibilities of the PHE expiring, hospices need to ensure that all telehealth communication meets those requirements and that, to the extent they made use of the flexibilities of the PHE, related policies and processes are updated to reflect current standards.”
How data privacy fits into tech relationships
The U.S. Centers for Medicare & Medicaid Services (CMS) issued waivers that allowed hospices to perform routine home care visits virtually during the pandemic, as well as conduct face-to-face recertification visits. Congress has since extended the recertification waiver through Dec. 31, 2024. This may or may not mean a return to in-person recertification visitsthe following year.
The routine home care telehealth waiver ended with the PHE. This includes care and services provided via remote patient monitoring systems, telephone calls and audiovisual technologies, according to CMS guidance.
Providers can still use telehealth as a follow-up tool.
A key consideration for telehealth regulations is compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and Federal Trade Commision rules.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established HIPAA rules aimed at protecting sensitive health information. The OCR in April announced an enforcement policy that would impose penalties on covered health care providers for noncompliance with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
“Both pre-and post-pandemic, compliance with HIPAA, HITECH and applicable state data security laws and regulations is essential to safeguarding information that our patients share with us in confidence,” Natarajan said. “It is important that hospices have robust clinical, compliance, IT and information security departments who work together to support high quality care. Without this proactive, collaborative approach, care can be impacted.”
Some hospices have seen an increase in cyberattacks, with private information of thousands of patients at risk of public exposure. In some instances, these cyberattacks have exposed health care providers to potential legal liability, with hospices involved facing class action lawsuits.
Due diligence is needed to ensure that potential technology partners have adequate privacy and security policies and procedures in place, according to Valerie Witmer, vice president of compliance at AccentCare.
“[Tech partners] need to be able to demonstrate that they are compliant with HIPAA, HITECH and other applicable privacy and security requirements,” Witmer said. “They also must be willing and able to agree to reasonable and appropriate contract terms related to safeguarding patient information, including business associate agreements.”
Address data security in contract negotiations
Hospices are walking a tightrope when negotiating contracts with tech companies, due to data security risks and fluctuating telehealth rules.
A business associate agreement establishes a legally binding relationship between HIPAA-covered entities and vendors like technology companies.
Hospices must maintain and enforce appropriate safeguards for any technology used in connection with patient care, as well as administrative activities such as billing, according to Witmer. This includes developing information security policies and procedures with any and all technology business partners, she said.
Hospices should carefully vet technology partners’ telehealth platforms before making any commitments, Jennifer Rangel, health care attorney at the law firm Holland & Knight, indicated
“Confirm that any telehealth software or platforms are secure and meet state and federal requirements. If any visits were being conducted on an audio only platform, be aware of current limitations on audio-only calls,” Rangel told Hospice News. “It is also key to think through who your business associates are, and be sure that business associate agreements are in place.”
A viable technology partner should be transparent and detailed about their security measures and compliance policies, according Rangel. Those that are less than forthcoming about these policies might carry regulatory risks for hospices, she added.
“Red flags include refusal to enter into a business associate agreement or providing a very cursory agreement and a refusal to negotiate and agree to standard, protective clauses,” she said. “In addition, a technology partner should be willing to share their security certifications, explain their security processes in depth and provide information on their risk assessments and any risks that have been identified. A strong technology partner should be willing to provide indemnification for their errors and errors in their technology not due to the user.”