Many medical staffs are wondering whether they may conduct remote peer review committee meetings in the interest of supporting social distancing efforts during the COVID-19 pandemic. While it is certainly reasonable to do so, the medical staff must ensure that they have appropriate safeguards in place prior to conducting such meetings. Below we have provided answers to some questions that may arise when deciding whether to conduct peer review meetings remotely.
Do the governing documents already allow for meetings to be conducted by telephone or video?
Medical staffs should first consider whether their governing documents, particularly their bylaws, permit meetings to be conducted by telephone or video conference. Medical staff bylaws that have been updated more recently likely include such a provision, which should be followed accordingly. For those medical staffs that do not have such a provision in their bylaws, the medical executive committee should consider passing a motion to allow for such meetings for the duration of the emergency situation.
Will a telephone or video conference meeting vitiate the protections of Evidence Code Section 1157?
California Evidence Code Section 1157 provides that, with some exceptions, neither the proceedings nor the records of medical staff committees having the responsibility of evaluation and improvement of the quality of care rendered in the hospital shall be subject to discovery. While there is reference to persons “in attendance” at a meeting within the exceptions to the statute, there is no basis for concluding that the statute limits 1157 protections to in-person meetings. Accordingly, conducting a peer review committee meeting via video or telephone conference likely does not jeopardize 1157 protections so long as the committee takes the usual measures to protect the confidentiality of the committee’s discussions as well as any documentation reviewed at or materializing from the meeting.
May the committee discuss health information during a peer review meeting conducted by telephone or video conference?
Various health care privacy laws impose obligations upon health care entities to protect the confidentiality of protected health information (PHI). Principally, medical staffs should be conscientious about ensuring they continue to comply with the HIPAA rules when sharing patient PHI during a remotely conducted peer review meeting, although other state privacy laws must be considered as well, particularly in states like California where some privacy laws may be more restrictive in some respects.
The Security Rule applies to health information a covered entity creates, receives, maintains or transmits in electronic form (i.e., ePHI). While the Security Rule does not address videoconferencing per se, it provides that certain comparable transmissions, “including of paper, via facsimile, and of voice, via telephone” are not considered to be transmissions via electronic media “if the information being exchanged did not exist in electronic form immediately before the transmission.” (45 CFR § 106.103). Thus, sharing verbal information by voice or video conference would not be considered ePHI since it is not PHI that existed in electronic format immediately before the transmission.
While the Security Rule likely does not apply to video or phone conferences, medical staffs must still abide by the HIPAA Privacy Rule when conducting remote meetings where PHI is going to be shared. The Privacy Rule requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect PHI, including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the Privacy Rule.
Generally, entities that perform certain functions or activities that involve the use or disclosure of PHI on behalf of, or provide services to, a covered entity are considered “business associates” and there must be a business associate agreement (BAA) in place before the business associate may perform those functions. There are, however, certain exceptions that allow covered entities to use certain transmission services without having to enter into a business associate agreement. One exception is when the organization merely acts as a conduit, such that the organization transmits PHI but does not have routine access to the transmitted information and does not store copies of data.
This conduit exception is narrowly construed to cover organizations such as the U.S. Postal Service and certain other private couriers (e.g., UPS) as well as their electronic equivalents. Entities that manage the transmission and storage of PHI, such as a cloud hosting company, or an email or SMS provider, require access to PHI on a routine basis. Therefore, they are considered business associates and a BAA must be executed.
Video and telephone conference services likely fall within this “conduit” category, since they do not store any information but rather act as a communication transfer point between the parties. However, whether a web conference service will be considered a conduit, rather than a business associate, is fact-specific and will depend on the nature of the services provided and the extent to which the entity accesses the PHI.
What are some recommended best practices for proceeding with remote peer review meetings?
Given the various video and telephone conference services available, medical staffs should work with their IT departments and legal counsel to determine whether the services they use for conducting peer review meetings are compliant with HIPAA and state privacy laws.
- Check with the hospital IT department to determine whether the service the medical staff wishes to use to host the meeting has already been deemed HIPAA compliant. If the service is considered a business associate, confirm that a BAA is in place. (Note: The same process should be followed for medical staffs that plan to share documents for the meeting (i.e., use of internal email or other platforms which host the documents).)
- Ensure the web-conferencing service is appropriately configured to protect against retention or further disclosure of the information (e.g., recording and transcribing options are disabled) and that added security measures are enabled (e.g., password or log-in required for every participant). In general, free services are less compliant than paid services and do not provide as many options for configuration.
- Do not use personal email addresses to share written documents that contain peer review information and/or PHI. Email or hosting of documents on a cloud-based site may be appropriate if a BAA has been executed and additional encryption or other security measures are in place.
- At the start of a remote meeting, identify all of the participants, limit the amount of PHI needed for the conversation, and remind all participants to keep the volume of their voices at an appropriate level so that your conversation cannot be overheard. Participants should be discouraged from using speaker phone unless they can ensure their location is private.
- Remind all participants that the same confidentiality rules apply to remote meetings as apply to in-person meetings.
- If the medical staff bylaws do not expressly allow for medical staff meetings to be conducted by video or telephone, the medical executive committee should pass a motion allowing for meetings to be conducted in this manner for the duration of the state of emergency.
- As an alternative, medical staffs may conduct meetings without referencing any PHI and/or table discussions of PHI until the next in-person meeting. However, given the uncertainty of when recommendations for social distancing will end, medical staffs are advised to come up with a protocol to proceed with their peer review function during this time.