Telemedicine for Diabetes After the COVID-19 Pandemic: We Can’t Put the Toothpaste Back in the Tube or Turn Back the Clock

Since the COVID-19 pandemic occurred many of us have changed our practice from seeing diabetes patients in person to communicating with patients and sharing remote access to sensor platform dashboards by way of video telemedicine. ¹ The transition has been facilitated by new policies from the US government. I have learned that when the US Department of Health and Human Services (HHS) eased up on regulation of telemedicine, then this practice could thrive. On March 17, 2020, the HHS Office for Civil Rights (OCR) announced a Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications because of the current public health emergency. ² This policy means that OCR will waive potential penalties for Health Insurance Portability and Accountability Act (HIPAA) violations against healthcare providers that serve patients through everyday communication technologies during the COVID-19 nationwide public health emergency. OCR is the government agency that enforces HIPAA, which regulates privacy of protected health information (PHI) at covered entities. ³ Traditionally OCR has regulated strictly to guard privacy; however, because of the COVID-19 pandemic, the agency is allowing some systems to be used without clearly documented privacy controls. Thus, patients and healthcare professionals, who are both quarantined, can now legally communicate using many video or texting systems.

OCR recognizes that during this emergency period (1) healthcare professionals may seek to communicate with patients and provide telehealth services, through remote communication technologies; and (2) some of these technologies may not fully comply with HIPAA. For example, HIPAA compliance requires a communication platform vendor to establish a business associate agreement with the healthcare provider, specifying how the vendor will protect PHI, prevent PHI disclosure, and report PHI breaches. ⁴ The COVID-19 emergency period does not currently have an expiration date. OCR will issue a notice when it is no longer exercising its enforcement discretion.

There are two types of remote communication platforms: public facing and nonpublic facing. ⁵ OCR specified that only nonpublic-facing tools are acceptable. A nonpublic-facing remote communication product allows only the intended parties to communicate. Nonpublic-facing remote communication products include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Skype, WhatsApp video chat, and Zoom. Nonpublic-facing products also include popular texting applications such as Facebook Messenger, Google Hangouts, iMessage, Jabber, Signal, and WhatsApp. ⁶ Typically, these video and texting platforms employ end-to-end encryption, which allows only the two individuals communicating to see what is transmitted. These platforms also support individual user accounts, logins, and passwords to limit access and verify participants. Finally, participants can assert control over particular capabilities, such as whether to record the communication or disable the video or audio signals.

OCR is satisfied that many currently available remote electronic video and texting communication products contain adequate security features to protect electronic PHI transmission between patients and healthcare professionals. ⁷ Therefore, during the emergency period the agency is not requiring proof of security from new applicants. However, OCR has stated that public-facing products, such as Facebook Live, TikTok, Twitch, or public chat rooms, are not acceptable platforms for telemedicine because they are designed to be open to the public or allow wide or indiscriminate access to the communication. ⁶

In the future after the pandemic is over, I predict that telemedicine for diabetes and other diseases will be so widely established that OCR will continue to facilitate its use. New secure communication products that can transmit huge image files with low latency or even permit a remote robotic physical examination will be enabled by the soon-to-launch 5G network. ⁸ Future sensors will integrate with the electronic health record. ⁹ All these products will further stimulate demand for telemedicine. Although there will always be a tension between access and privacy, I expect that HIPAA will be rewritten or reinterpreted to better promote telemedicine care. Federal and state government policies for telemedicine will need to become aligned. ¹⁰ The CONNECT for Health Act introduced to the US Congress in 2019 will lift restrictions on telemedicine. ¹¹

With greater use of wireless communication more health information will be transferred by more users over more video systems. This data tsunami will increase the risks of data breaches and require sound cybersecurity protection. ¹² Better security will require three types of protections known as the security domains triad: cyber (installing computer and network software), physical (safeguarding smartphones, tablets, and computers), and people (establishing procedures for healthcare professionals and staff). ¹³

In conclusion, the COVID-19 pandemic has led to a sea change in the now-widespread adoption of telemedicine. US government regulators have supported this trend. After the pandemic, I expect that to see huge patient demand for this type of service, huge professional willingness to provide this service, wise legislation, and intelligent regulation to support all the stakeholders in telemedicine.