On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance.
“OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.”
Here are several “Dos” and “Don’ts” for covered health care providers from the Guidance and FAQs:
DOs:
1. Exercising professional judgment, use a video chat application that connects to the provider’s or patient’s phone or desktop computer to assess or treat a patient in connection with potential COVID-19 infection.
2. Exercising professional judgment, use the video chat application to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle or other ailment and for dental consultations, psychological evaluations and other assessments.
3. Use popular applications that allow for video chats, including Apple’s FaceTime, Facebook Messenger video chat, Google Hangouts video or Skype, to provide telehealth. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
4. If seeking additional privacy protection for telehealth while using video communication products, engage vendors that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of the product, including the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:
- Skype for Business / Microsoft Teams
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
DON’Ts:
1. Use public-facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar video communication applications.
2. Rely on the OCR’s discretion regarding HIPAA enforcement if you are a substance use disorder program subject to Part 2 (see here for Guidance related to Part 2).
3. Expect HIPAA enforcement discretion if you are a covered entity health plan (see FAQ #2).
4. Expect Medicare or Medicaid reimbursement for all telehealth services (see FAQ #1 and CMS Guidance).
5. Expect HIPAA enforcement discretion for activities unrelated to telehealth. The Security Rule, Privacy Rule, and Breach Notification Rule continue to apply in all other contexts.