The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced its Notification of Enforcement Discretion (Notification) on March 17, 2020. According to OCR’s Notification, effective immediately, it would exercise its enforcement discretion and waive potential penalties for HIPAA violations against health care providers serving patients through common communications technologies during the COVID-19 nationwide health emergency. As described further below, health care providers can use these technologies in good faith for any telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.
Following OCR’s Notification, it issued guidance and FAQs on telehealth and remote communications. (See link below.) For example, OCR defined “telehealth” as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” OCR also explained that the entities covered by its Notification of Enforcement Discretion included all health care providers that are covered by HIPAA and provide telehealth services during the emergency (but not insurance companies). OCR also further clarified that its Notification applies to waiving penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules “that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” There is currently no expiration date for OCR’s Notification until it provides further notice.
Typically, the mode of communication a telehealth provider uses must comply with various HIPAA rules, such as the Security Rule, which is meant to protect patients’ electronically stored protected health information (ESPHI) by requiring appropriate administrative, physical, and technical safeguards to ensure the confidentiality and integrity of the information. Accordingly, the HIPAA Security Rule has, until now, prohibited the use of unsecured everyday communications channels. OCR’s Notification removes concerns over financial penalties that could be assessed if, for example, there were a breach of ESPHI due to a lack of HIPAA-compliant security measures. By the same token, providers can, for the time being, use everyday available applications without risk that OCR may seek penalties.
According to OCR, covered health care providers “can use any non-public facing remote communication product that is available to communicate with patients.” A “non-public facing” remote communication product is one that, by default, allows only the intended parties to participate in the communication (typical criteria include end-to-end encryption, individual user accounts, logins, passcodes, and options to record or mute). In contrast, public-facing products are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication. The following chart provides examples of what OCR has indicated are acceptable (“non-public facing”) vs. non-acceptable (“public facing”) telehealth communication applications.
Acceptable/Non-Public Facing Telehealth Communication Applications:
Skype for Business*
Zoom for Healthcare*
Google G Suite Hangouts Meet*
Cisco Webex Meetings/Webex Teams*
*Service providers representing that they provide HIPAA-compliant video communication products and will enter into Business Associate Agreements with providers in the future.
Non-acceptable/Public Facing Telehealth Communication Applications:
Chat room applications such as Slack
Many public agencies are considered covered health care providers who may benefit from OCR’s relaxing of HIPAA compliance rules when providing telehealth under the circumstances. It is important to keep in mind, however, that OCR clarified that its announcement on enforcement discretion only applies to direct providers of health care. Health insurance companies, and by a similar token, self-insured entities, are not covered. Therefore, plan administrators should ensure they continue to follow all applicable HIPAA privacy and security rules for all covered health care transactions. Further, it is worth noting that OCR only encouraged, but did not require, health care providers to notify patients that third-party applications potentially pose privacy risks. Regardless, health care providers should, to the extent possible, notify patients of the potential privacy risks and enable all available encryption and privacy mode settings when using more common applications. Additionally, to date, the State of California has not issued any guidance indicating that it is waiving any enforcement provisions under the CMIA or other state medical privacy laws. As these laws address the release of private information—and not just the handling of records—care should be taken to protect the health information that may be revealed in the course of delivering telehealth services to patients.
For the most part, public education entities will not be affected by OCR’s enforcement discretion announcement. This is because HIPAA does not generally apply to schools: either they are not HIPAA covered entities performing covered transactions, such as billing a health plan electronically for services, or, if they are, they mostly maintain health information on students that is considered “education records” under FERPA and excepted from the HIPAA Privacy Rule. (See 45 C.F.R. § 160.103.) The public education entity would, however, need to comply with FERPA’s privacy requirements regarding its education records, including obtaining the requisite consent before disclosing such information. However, if a public education entity employs a health care provider, and that provider engages in certain administrative or financial actions such as electronically transmitting health care claims to a health plan for payment, the public education entity is considered a HIPAA covered entity for such purposes and is subject to HIPAA’s Security Rule with regard to the electronic transmission of ESPHI. Presumably, in that situation, the public education entity would be able to benefit from OCR’s enforcement discretion announcement.
Related website links are found below:
OCR’s Notification of Enforcement Discretion on telehealth remote communications: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html
OCR’s Guidance and FAQs on Telehealth and HIPAA: https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf
OCR’s February 2020 bulletin on HIPAA and COVID-19: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf
Centers for Medicare & Medicaid Services FAQs on Availability and Usage of Telehealth Services through Private Health Insurance Coverage: https://www.cms.gov/files/document/faqs-telehealth-covid-19.pdf
California Board of Behavioral Services Announcement of OCR’s Enforcement Discretion: https://www.bbs.ca.gov/pdf/bbs_stmt_hhs_telehealth.pdf