In an effort to make health care more accessible during these unprecedented times, while we deal with the coronavirus (COVID-19) pandemic, the government is relaxing some rules and regulations when it comes to telehealth. As we discussed in our earlier blog post, on March 17th, The Office of Inspector General issued a policy statement waiving sanctions for providers’ waiver of telehealth cost-sharing amounts during the current Public Health Emergency. On the same day, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”), issued a notification of enforcement discretion for telehealth communication, stating that during the national emergency, OCR will exercise its discretion and will not impose penalties for use of audio and video communication technology for telehealth services that may not meet all of HIPAA requirements.
OCR is responsible for overseeing compliance and enforcement of regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules).
HIPAA Rules require that technology used to provide telehealth services meet certain standards, among them being that the technology is secure to ensure the protection of patients’ privacy and personal health information (“PHI”.) Additionally, HIPAA Rules require that the health care practitioner, a covered entity, have a HIPAA business associate agreement (BAA) with any technology vendor used for telehealth.
In order to empower medical practitioners and assist with the access to care for patients, OCR is exercising its enforcement discretion and will not impose penalties against covered entities for using technology to provide telehealth services that may not fully comply with the HIPAA Rules. Meaning, the OCR is temporarily relaxing its enforcement to allow practitioners to use audio and video communication technology, which would normally not be considered to be in compliance with HIPAA.
Specifically, health care providers can use non-public facing audio and video to communicate with patients during the coronavirus nationwide public health emergency. This applies to all telehealth services and does not need to be related to coronavirus. Health care practitioners may choose to examine the patient using a video application of patients who may be exhibiting signs of the coronavirus, but similarly, a health care practitioner may choose to provide treatment for any other medical condition, such as dental, ophthalmological, or psychological and others conditions.
The OCR Notice allows health care practitioners to use video applications without the risk of an enforcement action by the OCR, such as:
However, health care practitioners CANNOT use Facebook Live, Twitch, TikTok, or similar public-facing applications. Additionally, the OCR encourages the practitioners to disclose potential privacy risks to patients, and ask them to enable all available encryption and privacy modes when using the video application.
For those practitioners that may want to utilize a vendor that is HIPAA compliant and is willing to enter into a BAA, the OCR identified the following HIPAA-compliant video communication products (please note that the OCR is not endorsing, certifying or recommending these vendors):
The OCR’s representation that they will not impose penalties for use of a HIPAA noncompliant video communication vendor is applicable only during the coronavirus nationwide emergency.
If you have any questions concerning this post, please contact Sandra Jarva Weiss, Chair of our Health Care & Life Sciences Practice Group, at firstname.lastname@example.org. For more information, visit our Coronavirus (COVID-19) Preparedness Resource Center.