Attorney Aaron Brooks offers some legal advice for healthcare providers during this pandemic, particularly how they should handle communicating with the public and how to use telehealth services appropriately. Brooks Law and Consulting, LLC is a Naperville law firm focusing on technology, privacy and security. We implement and manage privacy and security compliance programs, handle data breach management and prevention, and consult on the design, licensing and implementation of software applications that create, receive, store or transmit highly sensitive data. Aaron W. Brooks, founder, has over 23 years of experience representing technology developers, health care providers, medical technology partners, and other clients who focus on technology and data. Mr. Brooks is a member of the American Bar Association and the Illinois State Bar Association, and he is a current appointee to the ISBA Intellectual Property Section Council and ISBA Committee on Legal Technology.
Managing COVID-19 Communications
Health care providers need to manage four main types of communications during the COVID-19 public health emergency.
Public Health Authorities: Providers should report COVID-19 diagnosis information to federal, state and local public health authorities in accordance with applicable law. For example, hospitals may provide reports about COVID-19 patients to the CDC and Illinois Department of Public Health.
Friends and Family. Healthcare providers are permitted to share health information with a patient’s family members, friends, or other people who the patient identifies as involved in the patient’s care. If the patient is unconscious, a provider may share relevant health information with family, friends or others if the provider reasonably determines that doing so is in the patient’s best interests.
First Responders: Providers can and should disclose medical information to first responders when they are at risk of contracting or spreading COVID-19. For example, a 911 call center may inform police officers if they are being dispatched to a scene where they may encounter specific individuals who have tested positive for COVID-19.
Communicating with the Media: As a general rule, health care providers should not discuss specific patient information with the media without a patient’s written authorization. However, if a member of the media asks about a particular patient by name, a provider may release limited facility directory information to acknowledge that the individual is a patient at that facility, and the provider may give basic information about the patient’s condition in general terms (i.e. critical or stable, deceased, or treated and released). Additionally, limited media disclosures are permitted when necessary to prevent a serious and imminent threat to the health and safety of the public. For example, when a provider encounters the first positive COVID-19 test result in a community, that provider may determine that a public statement is necessary in order to quickly alert the community that the virus has been discovered in that area. Otherwise, providers should refer members of the media to the appropriate public health authorities.
Rolling Out Telehealth Services
The federal government and State of Illinois have created temporary rules to help health care providers quickly implement telehealth services during the COVID-19 public health emergency. Providers should understand three important things about these temporary rules.
Location of Services: Normally, a patient must be in an approved location to receive telehealth services. For example, rural patients might consult with a distant specialist using telehealth technology at their local physican’s office. During the COVID-19 emergency, patients can receive telehealth services from anywhere, including their own homes.
Privacy and Security: Healthcare Providers may use any telehealth technology that isn’t public-facing. So, for example, a provider may use Apple FaceTime or Zoom (which are not public-facing), but should not use Facebook Live or Slack (which are public-facing). Providers who engage in good faith provision of telehealth are exempt from penalties for violating the HIPAA Privacy, Security and Breach Notification Rules during the COVID-19 emergency. Thus, for example, it is not necessary to sign a HIPAA business associate agreement with a telehealth vendor prior to rolling out a telehealth system during the emergency.
Preparing for the Return to Normal
The temporary rule waivers are exactly that: Temporary. Health care providers who rapidly roll out telehealth technology during the emergency should already be planning to revise their practices and update their policies and contracts as needed to comply with the normal telehealth rules.