In response to the COVID-19 global pandemic, on March 17, 2020, the Office of Civil Rights (OCR) at the US Department of Health and Human Services (HHS), the agency charged with enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), issued the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (“Guidance“). On March 20, OCR issued supplemental guidance on provision of telehealth services in the form of a new set of Frequently Asked Questions, in order to further assist covered healthcare providers during the COVID-19 pandemic.
At a high level and to help prevent the further spread of COVID-19 by allowing health care providers to minimize in-person visits where possible, the Guidance allows covered health care providers (covered entities) subject to the HIPAA Privacy and Security Rules to communicate with patients and provide telehealth services through remote communications technologies, even if some of these technologies (and the manner in which they are used) may not be fully compliant with HIPAA requirements, which generally mandates that covered entities must execute business associate agreements (BAAs) with service providers/business associates that have access to Protected Health Information or PHI. Business associates in turn are required to implement comprehensive HIPAA compliance programs to address the security and breach notification obligations under HIPAA. Entities that fail to meet HIPAA’s obligations can face significant penalties (fines that can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for each violation), which therefore has the potential to leave covered entities and service providers that are rushing to provide critical telehealth services in the difficult position of trying to decide how to balance the relative legal and other risks in the course of a global pandemic.
This Guidance directly addresses this issue, such that covered health care providers may now use popular applications that allow for video chats, including FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth services (even without the implementation of BAAs), without having to worry in the immediate term that OCR might seek to impose penalties for noncompliance with HIPAA Rules. However, covered health care providers are not allowed to use public-facing applications (i.e., applications that engage in live-streaming), such as Facebook Live, Twitch, TikTok, and similar video communication applications to provide telehealth services.
The FAQs offer further guidance on what is and is not acceptable when providing telehealth services via popular applications. Specifically, the FAQs clarify that the Guidance only applies to the good faith provision of telehealth services, but does not affect the application of the HIPAA Rules to other areas of healthcare outside of the telehealth context. Further, the FAQs offer guidance on how health care providers can offer telehealth services and stress that such services must be provided in private settings, such as a private office or a clinic. Health care providers must also take reasonable precautions to avoid the unauthorized disclosure of PHI, such as using lowered voices and keeping a reasonable distance from others when discussing PHI. Finally, the FAQs note that some application providers may be open to signing BAAs, and that covered health care providers are encouraged, but not mandated, to use these particular application providers.
The Guidance, FAQs, and the OCR’s Centers for Medicare and Medicaid Services toolkits for providers available here (for general practitioners) and here (for End Stage Renal Disease providers) demonstrate the willingness of the OCR to not only make concessions for the extraordinary circumstances of a global pandemic, but also the OCR’s support of telehealth services during these trying times. Nonetheless, covered health care providers should still be mindful of their patient confidentiality obligations and continue to follow all other HIPAA Rules not included in the scope of the Guidance. They should always be mindful of taking steps to prevent data breaches and other issues that could create significant additional risks for organizations even with this shift in enforcement priorities. Similarly, service providers that may be able to provide services that previously could only be performed by HIPAA business associates with established HIPAA compliance programs should be mindful that these changes are temporary and should begin planning to address their obligations under HIPAA as soon as reasonably possible.