On March 20, 2020, the Department of Health and Human Services Office for Civil Rights (OCR), issued guidance, in the form of FAQs, following its Notification of Enforcement Discretion on the provision of telehealth during the COVID-19 nationwide pandemic (the “Notification of Enforcement Discretion”).
The Notification of Enforcement Discretion, issued March 17, 2020, advised covered health care providers that OCR will exercise its enforcement discretion under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and waive potential HIPAA penalties for violations against providers that serve patients through remote communication technologies during the COVID-19 pandemic.
The guidance, which is in the form of FAQs, addresses the following points on how covered health care providers can use remote video communication products and offer telehealth to patients:
- Applicability: The Notification of Enforcement Discretion applies to all HIPAA-covered health care providers. Under HIPAA, a “health care provider” is defined as “a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” In the FAQ, OCR makes clear that a health insurance company that pays for telehealth services is not covered by the Notification of Enforcement Discretion.
- Covered Telehealth Services: OCR stated in the Notification of Enforcement Discretion that its enforcement discretion will apply regardless of whether the telehealth service is directly related to COVID-19. The FAQ further affirms that the Notification of Enforcement Discretion covers all services that a health care provider, in their professional judgment, believes can be provided through telehealth in the current emergency. This may include diagnosis or treatment of both COVID-19-related conditions and non-COVID-19 conditions, such as review of physical therapy practices, mental health counseling, and adjustment of prescriptions.
- Scope of Enforcement Discretion: Covered health care providers will not be subject to enforcement for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in connection with the good faith provision of telehealth during the COVID-19 pandemic.
- Security of ePHI: In the FAQ, OCR addresses a scenario in which electronic protected health information (ePHI) is intercepted during transmission and clarifies that it will not impose a penalty for the good faith provision of telehealth services. OCR states that it believes many commonly available remote communication technologies include security features to protect ePHI, and that video communication vendors familiar with the HIPAA Security Rule often include security capabilities to prevent data interception and provide assurances that they will protect ePHI by signing a HIPAA business associate agreement. While OCR encourages the use of such vendors, the FAQ confirms that OCR will not penalize health care providers that use less secure products in their effort to provide the most timely and accessible care to patients. Consistent with the Notification of Enforcement Discretion, the FAQ encourages providers to notify patients that third-party applications potentially introduce privacy risks, and states that providers should enable all available encryption and privacy options when using such technologies.
- Non-Public Communication Technologies: The Notification of Enforcement Discretion emphasizes the use of non-public-facing remote communication technologies. The FAQ clarifies that such technologies are those that, by default, allow only the intended parties to participate in the communication, and it lists specific examples of such technologies. The FAQ notes that these platforms typically employ end-to-end encryption and also support individual user accounts, logins, and passcodes to help limit access and verify participants.
- Public Communication Technologies: OCR previously identified specific services in the Notification of Enforcement Discretion as unacceptable forms of remote communications technology. The FAQ restates this position and identifies other technologies as unacceptable forms of remote communication, noting that they are designed to be open to the public or allow wide or indiscriminate access to the communication.
- Clarification of Bad Faith: The Notification of Enforcement Discretion applies to the good faith provision of telehealth during the COVID-19 pandemic. The FAQ states that OCR will consider all facts and circumstances when determining whether a health care provider’s use of telehealth services is provided in good faith and, thereby, covered by the Notification of Enforcement Discretion, and it lists the following examples of what would constitute the bad faith provision of telehealth:
  - Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
  - Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
  - Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth; or
  - Use of public-facing remote communication products.
- Duration of Notification of Enforcement Discretion: The Notification of Enforcement Discretion will expire when OCR issues a notice that it is no longer exercising its enforcement discretion.
The FAQs on telehealth remote communications are available.