Recognizing the need to make health services available during the current state of emergency, California Governor Gavin Newsom issued Executive Order N-43-20 (the “Order”) on April 3, 2020.
The Order temporarily expands the permitted uses of telehealth services. Specifically, the Order suspends a series of statutory provisions governing state privacy and security laws—including associated penalties for noncompliance.
Among the telehealth requirements the Order suspends or relaxes are state privacy and security laws that relate to:
- Imposition of fines, penalties, civil penalties, criminal penalties, and potential liability for inadvertent, unauthorized access or disclosure of health information;
- Notification to patients and/or the Department of Public Health of a breach of the security system or unauthorized access or disclosure of health information;
- Type of technology employed for telehealth services; and
- Professional disciplinary action by the Medical Board of California.
California's Order Is Mostly Consistent With the Federal Waiver of Certain Privacy and Security Laws.
This Order follows and is similar to the decision of the Department of Health and Human Services (HHS) to waive certain federal privacy and security laws. HHS announced in March that it would not “impose penalties for noncompliance with the regulatory requirements under the [Health Insurance Portability and Accountability Act of 1996 (HIPAA)] Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
The HHS waiver permits the use of a broad range of nontraditional technologies to provide telehealth services during the COVID-19 nationwide emergency without any penalty. For example, HHS identified, but did not otherwise endorse, recommend, or certify the following video chat applications:
- Apple FaceTime;
- Facebook Messenger video chat;
- Google Hangouts video;
- Zoom; or
HHS further warned that public-facing applications such as Facebook Live or TikTok should not be used. The agency encouraged covered entities to look for more secure technologies and engage with vendors that offered: (1) to sign a HIPAA business associates agreement, and (2) HIPAA-compliant video communication products. However, penalties will not be imposed upon any covered entity that does not have one or both in place.
Health care providers and contractors providing telehealth services should proceed cautiously to avoid liability.
Important Differences Between Federal and California Waivers.
In effect, the HHS waiver requires that a covered entity endeavor in good faith to provide “telehealth services during the COVID-19 nationwide public health emergency.” This “good faith” standard seems to provide a broader exception to potential liability.
In contrast, the California Order suspends fines, penalties, and liability for the “inadvertent, unauthorized access or disclosure of health information during the good faith provision of telehealth services.” The Order imposes a stricter standard that requires covered entities “to implement reasonable safeguards to protect patient information against intentional or unintentional impermissible uses and disclosures.” Accordingly, in California, persons and entities who handle personal health information should consider implementing a process that, at a minimum, vets the security measures offered by any technology, software, application, or product they consider using to provide telehealth services. This vetting may include, but should not be limited to, reviewing news sources to identify both the positive and negative aspects of certain technology platforms.