The Situation: The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") limits the types of telehealth technologies that covered health care providers may use to provide telehealth services to patients. Those technologies are subject to HIPAA's strict privacy and security requirements, and often business associate agreements are required with the vendors providing the audio, video, or other technology for the telehealth service. Violations can lead to significant penalties.
The Result: In response to the novel coronavirus (COVID-19) nationwide public health emergency, the U.S. Department of Health and Human Services ("HHS"), Office for Civil Rights ("OCR") will temporarily not enforce penalties for using non-HIPAA compliant telehealth technologies when providing telehealth services related to potential COVID-19 exposure or for any other medical condition.
Looking Ahead: Providers that want to use video chat or other remote communication technologies during the current emergency period now have more flexibility to use non-HIPAA compliant technologies, even without a business associate agreement in place with the technology vendor.
On March 17, 2020, OCR announced a "Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency" (Notice). Effective immediately, OCR will not impose penalties under HIPAA in connection with the good faith provision of telehealth services during the COVID-19 national public health emergency. This Notice follows HHS's recent Bulletin waiving sanctions and penalties under HIPAA for covered hospitals under certain limited circumstances.
Under the Notice and during the emergency period, OCR will permit HIPAA-covered health care providers to communicate with patients and provide telehealth services through remote communication technologies, even if the technologies and the manner in which they are used may not be fully HIPAA-compliant. As long as the telehealth service was provided in good faith and meets the requirements of the Notice, OCR will not impose penalties for noncompliance with HIPAA. This Notice applies broadly to telehealth provided for any reason, regardless of whether the use of the telehealth service is for the diagnosis and treatment of health conditions related to COVID-19. OCR expressly intends to allow providers to exercise their professional judgment to request to examine a patient exhibiting COVID-19 symptoms via telehealth technologies to limit the risk that other patients may be exposed to infection during an in-person consultation. At the same time, OCR is permitting the use of similar telehealth services to assess or treat any other medical condition, even if not related to COVID-19, such as "a sprained ankle, dental consultation or psychological evaluation, or other conditions."
While not endorsing or recommending any specific technology or products, the Notice specifically permits covered health care providers to use any non-public facing remote communication product, such as popular applications that allow for video chats, including Apple Face Time, Facebook Messenger video chat, Google Hangouts video, or Skype, without risk that OCR may impose a penalty for noncompliance with HIPAA related to the good faith provision of telehealth during the emergency period. Providers are encouraged to notify patients of the potential privacy risks and to enable all available encryption and privacy modes when using such applications. Under the Notice, OCR states that providers should not use public facing video communication applications, such as Facebook Live, Twitch, and TikTok.
Under the Notice, OCR will not impose penalties against covered health care providers for the lack of a business associate agreement ("BAA") with video communication vendors, or for any other noncompliance with HIPAA that relates to the good faith provision of telehealth services. OCR still encourages covered health care providers that seek additional privacy protections for telehealth while using video communication products to provide services through technology vendors that are HIPAA-compliant, and that will enter into a BAA in connection with the use of their video communication products.
While telehealth services provided in compliance with this Notice will not be at risk for HIPAA penalties, providers' communications with patients could still be subject to other federal and state privacy laws. Additionally, even during the current emergency period, providers' provision of telehealth services and related communications with patients may be subject to such other federal and state laws.
Three Key Takeaways
- OCR's temporary policy of not imposing penalties during this COVID-19 nationwide public health emergency for the use of non-HIPAA compliant telehealth technologies will likely encourage health care providers to increase their use of video chat, text messaging, and other remote communication technologies.
- OCR encourages providers to notify patients that using the non-HIPAA compliant video communication applications potentially introduce privacy risks and enable all available encryption and privacy modes when using such applications.
- Additionally, providers looking to use such non-HIPAA compliant technologies may still be subject to other federal and state laws governing patient privacy and the provision of telehealth services.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.