Disclaimer and Disclosures: This is an informational resources page/guide and should NOT be used in lieu of training. We hope in this difficult time it will act as a general guide, but specifics of implementation depend on several complex factors that cannot be fully considered in this format. Click here to see Dr. Malandraki's disclosures.
To cite this page:
Malandraki, G.A. (2020, April 24). Telehealth Recommendations for Dysphagia Management during COVID-19. Purdue I-EaT Lab. https://www.purdue.edu/i-eatlab/telehealth-resources-for-dysphagia-management-during-covid-19/
Part B Introduction
You may think that the first thing you have to consider is the technology you will use. This idea has been reinforced by the new initiatives of many healthcare facilities providing clinicians with iPads and other technologies and asking them to continue offering their services using these technologies. However, this is typically done without further guidance on how to best deliver these services using this delivery modality, which is new to most. Particularly in the US (but also globally), before considering technology, the first things you should consider include a) federal and state laws regarding privacy and security, b) licensure requirements, c) reimbursement and billing, and d) whether you/your employer/company/facility have legal safeguards in place.
1. Privacy, Confidentiality, and Security
Privacy and Security Recommendations
One of the first guidelines often listed in telehealth policy documents is that organizations and clinicians shall be familiar with and comply with federal laws on confidentiality and privacy (HIPAA, FERPA, HITECH) for their respective professions (Krupinski et al., 2014; Gough et al., 2015; Richmond et al., 2017; Turvey et al., 2013). However, standardized practical guidance on how this can be achieved is not universal, which can create uncertainty about best practices. The American Telemedicine Association (ATA) has provided several high-level policy documents that offer specific recommendations on these issues and for a variety of disciplines, including telerehabilitation (ATA, n.d.). For our professions, ASHA also provides guidance on the ASHA Telepractice Portal.
Based on these published documents, Table 1 summarizes some of the main technical security points to consider in order to ensure the best possible protection of our patients' privacy and confidentiality (Krupinski et al., 2014; Gough et al., 2015; Richmond et al., 2017; Turvey et al., 2013). These points are important to ask about and verify when one considers specific telehealth programs and platforms.
|Table 1: Recommendations for Privacy & Security in Synchronous Sessions (ATA, NIST, ASHA)|
|Private point-to-point circuit|
|Advanced Encryption Standard (AES) encryption or virtual private network (VPN)|
|Compliance with state, federal and international laws and regulations|
|Two-factor or other authentication processes|
|Additional measures to safeguard data|
Let’s now briefly explain what some of these main recommendations mean. Point-to-point (or end-to-end) encryption means that there is no in-between server where the data are stored or transferred and only the clinician (on one end) and the patient (on the other end) have access to the videoconferencing session. Using advanced encryption means that even in the very unlikely event the data are hacked, they have been processed through a cryptographic algorithm and therefore cannot be read. In the last few days alone there have been several instances in which users were hacked during therapy sessions (e.g., Zoombombing), so this is a very real risk, especially now that Internet use is extraordinarily high. The current encryption standard used by the US Government is called AES (Advanced Encryption Standard) and is established by the National Institute of Standards and Technology (NIST). Finally, Virtual Private Networks (VPNs) allow us to securely connect to a private local network/computer at a remote location.
In order to meet ATA practice guidelines, as well as HIPAA, NIST and Health Level-7 (HL7; international standards for transfer of clinical and administrative data) guidance, in addition to the aforementioned recommendations, other safeguards should also be considered. These include the use of two-factor or other authentication, secure data backup and storage, the use of antivirus protection, and the ability to recover data for auditing purposes (Watzlaf, Zhou, Dealmeida, & Hartman, 2017). If a third-party entity (i.e., a technology company) is involved in processes including PHI collection, storage, or transmission, a business associate agreement (BAA) between the technology company and the facility is important, as this agreement should list all the provisions listed above (Gough et al., 2015; Watzlaf et al., 2017). Additional practical tips to protect privacy and confidentiality during tele-sessions are available in Part C of this guide.
In the current situation, some clinicians have been directed by their employers to use mobile devices, such as tablets, to provide clinical services. From a security perspective, it is important to highlight that such devices, if used for telehealth provision, must require authentication for access and have timeout thresholds, in case they are lost, misplaced, or stolen (Turvey et al., 2013). For the same reasons, clinicians should also make sure that these devices can be disabled or wiped remotely (Gough et al., 2015; Turvey et al., 2013).
Comprehensive HIPAA resources and guidance can be found on the HHS (Health and Human Services) website and on the HealthIT.gov website. FERPA guidance during COVID-19 can be found in this document: FERPA Guidance.
To learn more about cybersecurity and how to protect oneself, the Department of Homeland Security has also provided some important tips.
Recent news regarding HIPAA compliance and telehealth platforms
In late March 2020, the US Department of Health and Human Services published a notification of enforcement discretion stating: "OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency." The full notification statement can be found here: HIPAA Emergency Preparedness Telehealth Notification.
According to this notification, a covered health care provider will not receive penalties for noncompliance with/violations of these regulations, in connection with the good faith provision of telehealth during this time. Since this regulation was published, one of the most frequent questions clinicians have is whether it is ok to now use non-HIPAA aligned platforms to deliver services or if they should still choose platforms that are HIPAA aligned. It is our professional opinion that despite this temporary allowance, there are important reasons even now, during this critical time, to comply with HIPAA laws and try to protect patients’ privacy and confidentiality to the best of our ability, whenever possible. This is actually reinforced in this governmental notification, if one reads it in its entirety.
Here are the main reasons why using a secure or HIPAA aligned telehealth solution or platform is, in our opinion, still preferred even during COVID-19:
- Secure telehealth solutions and platforms offer an important security feature, end-to-end (point-to-point) data encryption. Through this mechanism, secure platforms also protect the clinician’s privacy and confidentiality! We don’t often think about that, but that is an important consideration.
- Secure systems also do not require network administrator permissions, and thus there are fewer opportunities for administrators to listen in to the sessions.
- Secure systems do not require the creation of a public profile by the user, further protecting both users.
- Critically, the aforementioned loosened HIPAA regulation does not apply to all insurance agencies and coverage. Clinicians should check with the payor/agency of their patients before reinforcing this new regulation. State regulations about security and privacy may also be different and need to be checked.
- Finally, this enforcement discretion is temporary. If clinicians decide to continue to use telehealth beyond the COVID-19 period, and we suspect some will, starting with a secure and ethical baseline will enable much easier transitions at that later time.
Telehealth videoconferencing platforms
Likely the next most frequent question in social media these days is “What platform should I use?” and “Which platforms are HIPAA aligned?” The choices are many. Here we provide only a few examples and we caution that this list is NOT exhaustive (see Box below). The website EverythingSLP.com which specializes in telepractice trainings and consultations has started compiling a very helpful comparative list of several telehealth platforms and their characteristics. These are also known as either business class or software based solutions.
Examples of videoconferencing platforms with HIPAA aligned versions
The exact platform one utilizes may also depend on the patient’s insurance coverage or the facility where the clinician works. Some insurance agencies and facilities have specific mandates on what platform to use. Although this may sound restrictive, it may be best in terms of security, privacy, and confidentiality. This is another detail that needs to be clarified before services are offered to ensure proper coverage and training.
Quick Note about terminology: In this resource guide you will see that we use the term “HIPAA aligned” instead of “HIPAA compliant” when we talk about secure software and hardware telehealth solutions. This is because “compliance” is a term that relates to persons and institutions. Software programs cannot be “compliant”, but can be HIPAA aligned.
Quick Note regarding Zoom security: Security issues with Zoom (non HIPAA aligned version) and other platforms were reported by the FBI, as well as steps to alleviate these issues (FBI Warning of Teleconferencing Hijacking). Since this story was published, several ways to increase Zoom security have been suggested. For those interested in these measures, visit the Zoom website or see the following links for more information: Zoom Information
Currently, speech-language pathologists and audiologists are required to be licensed in both the state where they are physically located and the state where the patient is located (ASHA Telepractice Portal, n.d.) (Cohn, Brannon, & Cason, 2011). At this time, there is no interstate licensure reciprocity except for governmental employees, such as clinicians working in the VA systems. However, ASHA has initiated significant efforts to promote the Audiology and Speech-Language Pathology Interstate Compact (ASLP-IC) (Audiology and Speech-Language Pathology Interstate Compact (ASLP-IC), 2019). The Interstate Compact is an occupational licensure agreement that can authorize both telehealth and in-person service delivery across state lines for the states that participate in the compact (ASLP-IC, 2019). The ASLP-IC can become operational when 10 states approve relevant legislation. As of late March 2020, three states have passed the Interstate Compact (West Virginia, Utah, and Wyoming) and many more have introduced similar bills for this legislative season. This will be an important step towards provision of services across state lines and it should be happening soon for some states. Given the COVID-19 situation, other states are now becoming actively involved in introducing this initiative in their upcoming legislative agendas. Click here to see ASHA's take action page for telehealth and the Interstate Compact.
Also, due to an expected shortage of medical professionals, several states are passing temporary laws/executive orders to allow health care workers from other states to practice in their state during this crisis. Again, clinicians need to stay informed by following updates on the new ASHA website (ASHA Coronavirus Updates), the Center for Connected Health policy website (CCHPCA) and their state associations. This is another issue that will likely keep being updated for the next few weeks/months.
At this time, no special certification or licensure is required to use telehealth for dysphagia and speech pathology services. This relates back to the point that telehealth is not a service per se, but a service delivery model. Training and consultation with experts is highly encouraged. We hope this webpage will offer some initial education for our field at this very challenging time, but it does not replace training, experience, and expert consultations. The American Telemedicine Association has accredited a few programs that offer telehealth training and several other webinars and trainings are now available (see Additional Resources page) (American Telemedicine Association).
3. Reimbursement and Billing
Reimbursement and billing have been and continue to be the most convoluted issues in providing telehealth services in general and for SLPs specifically (Ranganathan & Balaji, 2020). This has somewhat improved now, during this public health emergency. Before this crisis, Medicaid and some private insurance companies in select states covered some SLP telehealth services, but rules and laws for what exactly was covered varied greatly. Reimbursement policies are now changing almost weekly. Recently, major health plans (United Health Care and Cigna) expanded their policies to include telehealth coverage for speech-language pathology services nationwide, and Tricare announced coverage for specific eastern regions (Major Health Plans Expand Telepractice Coverage and Reimbursement: UHC, Cigna, Tricare, n.d.).
Also, several states have now issued executive orders that allow coverage of SLP telehealth services under Medicaid coverage. Checking with your state Association and the Medicaid office of your state will be important to determine whether this applies to your state.
GOOD NEWS ON MEDICARE!
Regarding Medicare, ASHA announced on April 30th 2020 that the Centers for Medicare & Medicaid Services (CMS) will now temporarily (during this Public Health Emergency) cover telehealth services provided by SLPs via the waiver authority it was granted by the Coronavirus Aid, Relief, and Economic Security (CARES) Act (P.L. 116-136). See the detailed announcement by ASHA here. Also, see the CMS document here. Unfortunately the swallowing evaluation and treatment codes were not included in this allowance, but ASHA is very actively continuing to advocate in this direction. Stay tuned!
In addition, on April 9th 2020, ASHA posted another update in relation to a CMS clarification regarding the use of audiovisual devices (such as iPads): ASHA Use of Audiovisual Technology. According to this clarification, SLPs in skilled nursing facilities are now allowed to provide services using audiovisual devices (when clinically appropriate) and bill these services as in-person services, as long as they are in the same building as the patient. According to CMS, these types of services are not considered an expansion of telehealth coverage. This development will help reduce the virus exposure risk for clinicians and patients, but also requires several practical issues to be considered (see our Practical Guidelines).
At this time ASHA maintains lists (in pdf documents) of state-by-state laws and regulations and insurance policy trackers that will be updated regularly on this website: ASHA Coronavirus Updates. These are great resources that were never before available in such a cohesive and collective manner. In addition, as noted earlier, the Center for Connected Health policy website also includes state-by-state interactive maps regarding these state policies and laws (CCHPCA).
Notably, some insurance agencies (e.g., United Health Care) may dictate the online platform to be used for services to be reimbursable. This is another detail that needs to be clarified before services are offered to ensure proper coverage. Before initiating regular service provision using telehealth, it is therefore highly advisable that clinicians check with the payor system for their specific patients and that they do so in close collaboration with their authorization and billing departments, so that all details have been clarified.
4. Legal Safeguards – Consent Forms
Another critical issue to address relates to legal safeguards. Ideally, risk management or legal counsel should be involved especially because telehealth laws and regulations change so often. Before now, it was difficult to find legal experts that could advise us on telehealth. This will likely change within the next few weeks or months, as legal firms and risk management or legal teams of institutions are obligated to become familiar with this changing face of health care. This is another potential positive outcome of the current situation.
For what parameters may risk management or legal consultation be needed?
1. Currently telehealth coverage is included in some but not all liability insurance plans for SLPs. Being knowledgeable of the risks associated with this service delivery model, including risks of confidentiality and data breach, and ensuring that liability insurance covers telehealth related services will be critical (Malandraki & Kantarcigil, 2017). Clinicians should check with their liability insurance plan holders and their employers about this issue.
2. According to the ATA Principles for Delivering Telerehabilitation Services (Richmond et al., 2017), and to ASHA recommendations (ASHA Telepractice Portal, n.d.), it is advisable that all patients participating in telehealth services should sign a relevant informed consent. In addition to these organizations, several states require informed consent for their Medicaid programs or as a requirement in the statute.
A telehealth consent form should inform patients about the potential benefits and risks relating to tele-provision of services and should be written in easy to understand language (Gough et al., 2015). Patients and families should acknowledge and accept the risks in order to participate in tele-sessions. Although several templates of consent forms are available online, clinicians should make sure that their forms are developed and reviewed by their own risk management team or legal counsel to ensure that the form is adjusted to each institution/facility and state laws. Samples of consent forms can also be requested by contacting the Telehealth Resource Center in your area (Telehealth Resource Center). Examples of items to include in a consent form are presented in Table 2 (Click here to download Table 2 as a PDF). Again, these items should be used only as examples and need to be adjusted to your facility/situation/state’s needs and laws.
3. Finally, just like for in-person therapy, a Plan B and an Emergency Plan need to be in place before initiation of tele-services (Turvey et al., 2013; Gough et al., 2015). Devise a Plan B (e.g., having extra computers, use of phones, technical support; use of a different videoconferencing platform; an extra iPad, etc.) to anticipate technical issues and difficulties. Technology will fail at times; having a backup plan will be very important, especially when we are providing services to patients with swallowing disorders. Also, we need to ensure we have devised a detailed Emergency Plan that we have clearly communicated to the patient/family before any tele-encounters have been initiated (e.g., who will call 911 in the case of an emergency; ensuring you know the address of the patient, their emergency contact information, and their local emergency services). These plans should be developed with your risk management or your legal counsel and be specific to your facility and state.
5. Test your knowledge with this self quiz!
1. Fill in the blanks: Telehealth technology solutions cannot be HIPAA ___________, but can be HIPAA ____________.
2. Multiple choice: Why is it important to use a HIPAA aligned/secure telehealth technology solution?
|a. Protect patients’ privacy and confidentiality|
|b. The currently loosened HIPAA regulations do not apply to all insurance agencies and coverage|
|c. Protect the clinician’s privacy and confidentiality|
|d. a and c|
|e. All of the above|
3. What is the Audiology and Speech-Language Pathology Interstate Compact?
4. True or False: All major health plans and insurance agencies include coverage for SLP telehealth services.
5. A telehealth consent form should inform patients, at least, about:
|a. Potential benefits relating to telepractice|
|b. Potential benefits and risks associated with telepractice|
|c. Steps taken to mitigate the risks|
|d. Emergency plans in place|
|e. All of the above|