Skip to main content

OCR Exercises HIPAA Enforcement Discretion for Telehealth Services During the Coronavirus Emergency

The Department of Health and Human Services (HHS) has taken many actions to loosen or waive requirements on the provision of health care during the current coronavirus pandemic, as we discussed yesterday and Tuesday. In addition to HHS’s waiver of certain HIPAA requirements, HHS’s Office for Civil Rights (OCR) recently announced that it will not be imposing penalties for providers who use communication devices or other technologies that do not meet HIPAA’s requirements in order to treat patients via telehealth.

As we discussed on the blog on Tuesday, telehealth is playing a critical role right now not just for patients who need medical care related to COVID-19, but also for those who are trying to seek treatment and other health care services related to other diseases and conditions. In order for more providers to be able to provide telehealth services where appropriate, OCR is now permitting covered health care providers to use any remote communication devices or platforms to provide good-faith telehealth services.  These telehealth services can be for any type of health care service, whether related to COVID-19 or not. 

The only limitation on the type of communication technology is that it must be “non-public facing,” meaning that it cannot share the patient’s information publicly. For example, a covered health care provider could not publicly respond to a patient on Twitter or TikTok. However, providers can use the private messaging functions of social media channels, like Facebook Messenger’s video chat, or other commonly used applications for private video communication, like FaceTime or Skype. These communication methods may not typically meet HIPAA’s stringent privacy and security standards and therefore would normally be prohibited for use in transmitting protected health information. If covered health care providers choose to use these platforms, OCR recommends that they alert patients of the privacy and security risks and take precautions where possible, such as enabling privacy mode.  

If covered health care providers want to use more secure platforms for patient communications during this time (though OCR says that they don’t have to), OCR provided the following list of vendors that claim to sign BAAs with providers and be HIPAA-compliant. However, OCR hasn’t independently verified this information, so providers will have to make their own judgments regarding whether these vendors actually meet HIPAA’s requirements.

  1. Skype for Business
  2. Updox
  3. VSee
  4. Zoom for Healthcare
  5. Doxy.me
  6. Google G Suite Hangouts Meet

Notwithstanding OCR’s enforcement discretion here, covered entities should still consider privacy and security risks on both on the provider’s and the patient’s ends when making the switch to telehealth.  For example, covered health care providers should consider where records of care provided via telehealth will end up – such as on employees’ personal devices – and how to retain and secure those records in accordance with regulatory requirements.  In addition, as we mentioned on Tuesday, these actions by the federal government do not change state laws; rather, states must take specific action to loosen or waive their own requirements. Health care providers using telehealth must remain cognizant of state practice requirements, which may include using secure technology and properly maintaining medical records.

Update: On Friday, March 20, 2020, OCR released FAQs about its announcement, which are available here.

Subscribe To Viewpoints