OCR Eases HIPAA Enforcement for Telehealth Use During Coronavirus Crisis
HIPAA’s privacy and security protections are the bedrock of the modern health care system. But now, as COVID-19 spreads across the country, lawmakers and regulators are relaxing certain restrictions on health care providers to meet the challenges posed by this pandemic.
On March 23, 2020, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) announced the exercise of enforcement discretion for HIPAA restrictions that might otherwise limit the good faith provision of telehealth services, one of the nation’s most promising weapons in the war on COVID-19. OCR’s action complements action by Congress, to allow the use of a telephone with real-time audio and video interactive capabilities to deliver telehealth services.
OCR’s policy will sunset once the pandemic is behind us. For the time being, here are some of the things you need to know.
1. Can health care providers offer telehealth services during the pandemic without violating HIPAA?
Yes, if the provider follows OCR’s guidance in good faith. Specifically, in its “Notification of Discretion for Telehealth,” OCR stated that health care providers subject to the HIPAA rules may seek to communicate with patients and provide telehealth services through remote communications technologies. This may be done despite the fact that some of these technologies, and the manner in which they are used by HIPAA-covered health care providers, may not comply with the requirements of the HIPAA rules. Recognizing that the threat to public health outweighs the security risks, OCR commits to the exercise of discretion, including foregoing penalties for noncompliance with the regulatory requirements under the HIPAA Privacy, Security and Breach Notification Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
OCR’s FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency offer examples of activities that may involve the bad faith provision of telehealth services to which the exercise of discretion would not apply. These include criminal activity, prohibited re-disclosures, violations of state licensing laws or professional ethics standards, among other activities. HHS, the Office of the Inspector General and the Department of Justice continue to monitor the system for health care fraud and abuse, including potential Medicare coronavirus scams.
2. What health services can be provided using a telehealth platform?
OCR’s policy to relax enforcement standards applies to telehealth services that are provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19. Moreover, the policy applies to all HIPAA-covered health care providers, with no limitation on the patients they serve with telehealth, including patients who receive Medicare or Medicaid benefits, and those who do not.
3. What applications may a health care provider use?
OCR’s guidance limits the good faith exception to the use of non-public facing audio or video communication products and sets forth a nonexclusive list of popular applications that may be used for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. OCR identified the following list of vendors representing that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA: (1) Skype for Business / Microsoft Teams; (2) Updox; (3) VSee; (4) Zoom for Healthcare; (5) Doxy.me; (6) Google G Suite Hangouts Meet; (7) Cisco Webex Meetings / Webex Teams; (8) Amazon Chime; and (9) GoToMeeting. In contrast, OCR cautions covered health care providers not to use public facing applications, like Facebook Live, Twitch, TikTok, and similar video communication applications, to provide services using telehealth.
4. Are there other precautions that a health care provider should take when using audio or video communication services?
OCR encourages providers using third-party applications to notify patients that these applications potentially introduce privacy risks and to enable all available encryption and privacy modes when using them.
5. When does the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications expire?
OCR’s Notification of Enforcement Discretion does not have an expiration date. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.
6. Does the new policy apply to violations of 42 CFR Part 2, the HHS regulation protecting the confidentiality of substance use disorder patient records?
The new policy applies to enforcement of the HIPAA rules but does not relax enforcement of 42 C.F.R. Part 2, which relates to the confidentially of substance use disorder patient records. The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued guidance on COVID-19 and 42 C.F.R. Part 2 acknowledging the increased need for providers to offer telehealth services and permitting the use and disclosure of patient identifying information, even in the absence of written consent, if the provider determines there is a medical emergency.
7. How does state law impact the new policy and a health care provider’s privacy obligations?
The new policy does not and cannot promise immunity from state law enforcement of patient privacy regulations. Thus, providers must know their state’s approach to telehealth in the pre-pandemic world and must look for guidance (like the OCR guidance) on whether enforcement will be relaxed during the pandemic.
CONTACT US
For more information and guidance on the application of HIPAA and related state laws to your health care practice, please contact Michelle Merola (518.736.2917) or Jane Bello Burke (518.433.2404).
Featured
- Partner
- Partner
- Partner
- Partner
- Partner
- Partner
- Partner
- Partner
- Partner
- Partner
- Partner
- Senior Associate
- Partner
- Partner
- Partner