The COVID-19 Pandemic has created seemingly endless challenges and conflicts for businesses and employees in most, if not all, industries. For licensed health care facilities, those challenges include satisfying the statutory obligation to investigate and, where necessary, discipline practitioners through a peer review process while also supporting social distancing and shelter-in-place orders.
An obvious option is to conduct medical review committee meetings, including peer review committee meetings, remotely. However, any medical staffs considering conducting their committee meetings remotely must ensure that they instill and maintain appropriate safeguards to comply with federal and state regulations protecting the confidentiality of patients’ Protected Health Information.
Consider the following guidance and recommendations for remote medical review committee work during this pandemic:
- Review Medical Staff Bylaws and Rules & Regulations
Medical staffs should first consider whether their governing documents, particularly medical staff bylaws and rules & regulations, permit meetings to be conducted by telephone or video conference. If a health care facility’s governing documents do not provide for committee meetings to be conducted remotely, the Medical Executive Committee should consider a resolution to allow for such meetings for the duration of the emergency.
- Review Laws on Immunity from Discovery of Committee Records
Various states’ laws protect the investigations, proceedings, and records of health care facilities conducting medical staff credentialing and peer review activities from discovery or introduction in any civil or administrative action arising out of matters which are the subject of review and evaluation by the facilities. These laws may similarly protect the investigations, proceedings, and records of any medical review committee – even those that do not actually discipline the practitioner. Many of these statutes, however, do not speak to in-person vs. remote participation.
Florida’s applicable statutes, for example, expressly provide that “no person who was in attendance” at these meetings may testify in a civil action regarding those proceedings. The statutes’ references to persons “in attendance” at these meetings, however, do not define or limit such attendance to being in-person. Accordingly, conducting a peer review committee or other medical review committee meeting via video or telephone conference would not appear to jeopardize these statutory protections.
- The Remote Meeting Platform Must Comply with Patient Privacy Laws
Various health care privacy laws, including HIPAA, impose obligations upon health care entities to protect the confidentiality of Protected Health Information (“PHI”). Principally, medical staffs should be conscientious about ensuring that they continue to comply with the HIPAA rules when sharing patient PHI during a remotely conducted peer review meeting, although other state privacy laws must be considered as well, particularly where they are more restrictive.
HIPAA’s Security Rule applies to health information a covered entity creates, receives, maintains, or transmits in electronic form. Electronic protected health information (“ePHI”) is defined as individually identifiable health information that is electronically transmitted or maintained. HIPAA specifies that transmissions via paper, facsimile, or telephone are not considered transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission. However, transmission media is specifically defined to include the Internet, extranet or intranet, leased lines, dial-up lines, and/or private networks. Accordingly, a meeting conducted through the internet would need to comply with HIPAA’s Security Rule protecting ePHI. Furthermore, information on removable or transportable electronic storage media, like a CD or jump drive, transmitted to the remote participants in the committee meeting could also be considered ePHI.
Moreover, HIPAA’s Privacy Rule prohibits the unauthorized disclosure of PHI in any format, so covered entities should take all necessary steps to ensure their compliance regardless of the form of the remote meeting.
Entities other than health care providers that perform functions involving the use or disclosure of PHI on behalf of or for a covered entity are generally considered “business associates.” A covered entity must enter into a business associate agreement (“BAA”) with any business associates prior to sharing any form of PHI with them.
An exception to this general rule is when an entity acts as a conduit such that the entity transmits PHI but does not have access to or store the transmitted information. This exception is narrowly construed to cover organizations such as the U.S. Postal Service and certain other private couriers (e.g., UPS) as well as their electronic equivalents. Entities that manage the transmission and storage of PHI, such as a cloud hosting company, or an email or SMS provider, require access to PHI on a routine basis. Therefore, they are considered business associates for which BAAs are required.
Whether a covered entity will be required to enter into a BAA with a service provider hosting a remote meeting depends on the platform selected and the nature of the services provided, including the extent to which the provider has access to or stores PHI.
- OCR Notification of HIPAA Enforcement Discretion Regarding Telehealth
The Office for Civil Rights (“OCR”) at the U.S. Department of Health and Human Services (“DHHS”) has announced that it will not impose penalties for HIPAA violations against health care providers that in good faith provide telehealth using non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.
The OCR did not clearly state whether this exercise of enforcement discretion would apply to a HIPAA violation occurring during a remote peer review committee or medical review committee meeting. However, the Health Resources and Services Administration of the DHHS defines “telehealth” as the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Elsewhere, “telehealth” is defined to include remote nonclinical services, such as provider training, administrative meetings, and continuing medical education, in addition to clinical services. See https://www.healthit.gov/faq/what-telehealth-how-telehealth-different-telemedicine.
While health care providers should strive to comply with HIPAA and state privacy laws, it is important to note that, to the extent it is considered “telehealth,” a HIPAA violation occurring during a peer review committee or medical review committee meeting may not be subject to penalty during the COVID-19 nationwide public health emergency.
- Remote Committee Meeting Best Practices
Health care facilities should work with their Information Technology group to ensure that the platform utilized for remote medical review committee meetings complies with HIPAA and Florida privacy laws.
- Determine whether the platform to be utilized to host the meeting is already HIPAA-compliant. If the service provider is considered a business associate, confirm that a BAA is in place. The facility should do the same with respect to the platform to be used to share documents or information in advance of or during the meeting.
- Ensure that any internet-based conferencing service is configured to protect against retention or further disclosure of PHI (e.g., recording and transcribing options are disabled) and that additional security measures are enabled (e.g., a password or log-in is required for every participant).
- Do not use personal email to share documents that contain protected health information. After execution of a BAA, documents should be uploaded to a HIPAA-compliant cloud-based site. Also consider whether additional encryption or other security measures should be put into place.
- Identify all participants at the start of any meeting, limit the amount of PHI shared during the meeting, and require participation from a secure location where conversations cannot be overheard. Participants should be discouraged from using speaker phone unless they can ensure their location is private.
Alternatively, meetings could be conducted without reference to or discussion of PHI. However, since it is not yet known when in-person meetings can resume, the best course of action is to determine a procedure to conduct remote credentialing, peer review, and medical review meetings.
Tache, Bronis, Christianson and Descalzo, P. A.
150 S.E. 2nd Avenue, Suite 600, Miami, FL 33131