Dos And Don’ts From OCR’s Guidance And FAQs On Telehealth And HIPAA

Fox Rothschild LLP

On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) published Guidance and a list of FAQs related to the provision of telehealth and HIPAA compliance.

“OCR will exercise enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.”

Here are several “Dos” and “Don’ts” for covered health care providers from the Guidance and FAQs:

Do:

1.  Exercising professional judgment, use a video chat application that connects the provider’s or patient’s phone or desktop computer to assess or treat a patient in connection with potential COVID-19 infection.

2.  Exercising professional judgment, use the video chat application to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.

3.  Use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

4.  If seeking additional privacy protection for telehealth while using video communication products, engage vendors that will enter into HIPAA business associate agreements (BAAs) in connection with the provision of the product, including the following vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

  • Skype for Business / Microsoft Teams
  • Updox
  • VSee
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet

Don’t:

1.  Use public facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar video communication applications.

2.  Rely on the OCR’s discretion regarding HIPAA enforcement if you are a substance use disorder program subject to Part 2 (see here for Guidance related to Part 2).

3.  Expect HIPAA enforcement discretion if you are a covered entity health plan (see FAQ #2).

4.  Expect Medicare or Medicaid reimbursement for all telehealth services (see FAQ #1 and CMS Guidance).

5.  Expect HIPAA enforcement discretion for activities unrelated to telehealth. The Security Rule, Privacy Rule, and Breach Notification Rule continue to apply in all other contexts.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising
