Following CMS' announcement of expanded Medicare and Medicaid coverage for telehealth, HHS' Office for Civil Rights ("OCR") announced on March 17 that it will exercise its enforcement discretion and will not impose penalties for noncompliance with HIPAA rules against health care providers providing good faith telehealth during the COVID-19 national public health emergency. See more at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

1. Telehealth Technologies

In its notice, OCR sanctions the use by covered health care providers of any non-public facing audio or video remote communication product that is available to communicate with patients to provide telehealth during the public health emergency. And OCR states that it will exercise its enforcement discretion for any good faith provision of telehealth services during the public health emergency, whether for diagnosing and treating COVID-19 and related conditions, or to assess and treat any other medical condition such as a sprained ankle, psychological or dental evaluation, in the exercise of professional judgment.

OCR specifically permits the use of certain popular, public facing video chat applications, including Apple FaceTime, Facebook Messenger video chat, Skype, and Google Hangouts video, which are all available with private, non-public video components. However, OCR also specifically disallows the use of certain other public facing video apps such as TikTok, Facebook live, and Twitch, which should not be used for providing telehealth.

2. Business Associate Agreements

Providers can of course continue to comply with HIPAA and engage technology vendors that are HIPAA-compliant through BAAs, but OCR will not impose penalties against a covered entity for lacking a BAA with a video communication vendor relating to the good faith provision of telehealth during the COVID-19 public health emergency. OCR also published a list of some vendors that are willing to enter a BAA to comply with HIPAA, which is available through accessing the above link.

3. Telehealth - Best Practices

If a provider chooses to utilize a video communication product that may not comply with HIPAA (e.g. Apple FaceTime, Facebook Messenger video chat, Skype, and Google Hangouts video) or for which the vendor will not execute a BAA, we reiterate OCR's suggestion that the provider notify its telehealth patients of the potential heightened risks to privacy. For example, we believe that a verbal notice of potential privacy risks at the start of a telehealth session would suffice. We also remind providers to continue to follow their administrative and physical safeguards to the extent possible, like making sure the provider is not providing telehealth services in a public place or in a location where other non-clinical provider staff would be part of the conversation. Providers can also encourage their telehealth patients to not receive telehealth in a public place, and to be mindful of who else can see and hear their conversation with their health care provider.

3/20/20 - UPDATE:  OCR Issues Guidance (FAQs) on HIPAA Enforcement Discretion for Telehealth

On Friday March 20, 2020, OCR issued guidance following its recent notification of HIPAA enforcement discretion for the provision of telehealth during the COVID-19 public health emergency. The guidance is in the form of Frequently Asked Questions ("FAQs") and addresses which parts of the HIPAA Rules are: (i) included in the enforcement discretion; (ii) which covered entities are excluded from the OCR's enforcement discretion; (iii) whether the enforcement discretion of OCR extends beyond HIPAA to other patient privacy rules; and (iv) clarifies how providers should interpret the guidance. The FAQs can be read in their entirety at: https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.

From our perspective, the big new takeaways are as follows:

  • Telehealth services may be provided synchronously or asynchronously using videoconferencing, landline and wireless audio only communication, store-and-forward images, text messaging, and other remote communication technologies. However, be sure that your local regulations, such as for state Medicaid plans, similarly permit the use of such technologies;
     
  • OCR's enforcement discretion only applies to health care providers that are providing telehealth services in good faith during the public health emergency, and not health insurance companies that pay for telehealth services only;
     
  • All HIPAA Rules are included in the enforcement discretion, including the Privacy Rule, the Security Rule, and the Breach Notification Rule;
     
  • OCR's enforcement discretion does not apply to violations of 42 CFR Part 2, and instead providers should consult SAMHSA's guidance regarding the medical emergency exception under Part 2: https://www.samhsa.gov/sites/default/files/covid-19-42-cfr-part-2-guidance-03192020.pdf. This guidance reminds providers that Part 2's medical emergency exception permits the disclosure of patient information to medical personnel, without patient consent, to the extent necessary to a meet medical emergency in which the patient's prior informed consent cannot be obtained; and
     
  • Examples of "bad faith" provision of telehealth services include conduct in furtherance of a criminal act (fraud, identity theft, invasion of privacy), further using or disclosing patient data in violation of the HIPAA Rules (sale of data, use for marketing without authorization), violating state licensing laws or professional conduct standards in the provision of telehealth services, or using public facing remote communication products like TikTok, Facebook live, or Twitch to provide telehealth.

The FAQs also confirmed a number of aspects of the earlier guidance, including:

  • The enforcement discretion applies to the provision of any telehealth services the health care provider believes can be provided during the public health emergency, whether that is for diagnosis and treatment of COVID-19 or not;
     
  • "Non-public facing" remote communications platforms like Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Skype, and commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage are acceptable, because these apps typically employ end-to-end encryption; and
     
  • To the extent possible, providers should always use private locations and patients should not receive telehealth services in public or semi-public settings without patient consent. When this is not possible, providers should remember to keep their voices down, avoid using speakerphone, and recommend to their patients to move a reasonable distance away from others before discussing PHI.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.