Telehealth is an essential tool in addressing the COVID-19 pandemic as well as in treating other ailments during this time. The Department of Health and Human Services' Office for Civil Rights (OCR) recently issued a Notification of Enforcement Discretion during the COVID-19 Nationwide Public Health Emergency followed by guidance in the form of FAQs (Guidance) to reduce some of the HIPAA red tape concerning telehealth communications.

In the Guidance, OCR announced that it will exercise its enforcement discretion – and will not seek to impose penalties – with respect to noncompliance with HIPAA by covered healthcare providers in connection with their good-faith provision of telehealth and remote communications during the pandemic. OCR recognizes that during this emergency, covered healthcare providers may need to communicate with patients – and provide telehealth services – through remote electronic communications technologies. Some of these technologies and the way covered entities use them may not fully comply with all of

HIPAA's Requirements

According to the Guidance, the healthcare provider may use any non-public facing remote communication product that is available to communicate with patients (even if no business associate agreement is in place). Permitted telehealth communications need not relate to COVID-19 but may cover any healthcare issue, such as review of physical therapy practices, mental health counseling, and adjustment of prescriptions, among many others.

Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks. Additionally, providers should enable all available encryption and privacy modes when using remote communication applications.

Applicability of the Guidance

The Guidance applies to all healthcare providers that are covered by HIPAA and provide good-faith provision of telehealth services during the COVID-19 pandemic. Further, the Guidance does not limit the type of patients who may be served with telehealth services. Therefore, providers may serve all patients with telehealth services, including those who receive Medicaid and Medicare services.

However, a health insurance company that provides individuals with coverage for telehealth services does not fall under the scope of the Guidance. The Guidance also does not seem to apply to health insurance companies to the extent that they are offering telehealth services themselves, such as nurse hotlines. Therefore, these health insurance companies must continue to comply with HIPAA's Privacy, Security, and Breach notification rules (HIPAA Rules).

Examples of Telehealth Services

Some services that can be provided to patients include long-distance clinical healthcare, patient and professional health-related education, and public health and health administration. Providers may even take a patient's temperature or other vitals remotely.

Examples of Bad Faith Provision of Telehealth Services

The Guidance states that OCR will use its enforcement discretion in connection with the good-faith provision of telehealth during the COVID-19 pandemic. OCR did not provide a specific definition of what it considers to be "good faith." Instead, the Guidance provides several examples for what it considers to be bad-faith provision of telehealth, including:

1. Using protected health information (PHI) to conduct or further a criminal act;
2. Using and disclosing PHI in a manner otherwise prohibited by HIPAA, such as selling PHI, or using or disclosing PHI for marketing;
3. Violations of state licensing laws or other professional ethical standards that result in disciplinary actions related to the treatment offered or provided through telehealth; and
4. Using public-facing video products, as described more below.

Settings Where Telehealth Can Be Conducted

The Guidance recommends that telehealth be conducted in private settings. For example, doctors in a clinic or office can connect to a patient who is calling from home or even from another doctor's office. Absent patient consent or exigent circumstances, healthcare providers should not provide telehealth services in public or even semi-public settings.

Where telehealth providers cannot provide service in a private setting, providers should continue to use reasonable HIPAA safeguards, when possible, to reduce the incidental uses and disclosures of PHI, such as speaking in lowered voices, not using speakerphone, and suggesting that the patient move a reasonable distance from others when discussing PHI.

Types of Technology That Can Be Used

Providers may use popular applications that allow for non-public facing communications such as applications that permit for a private video chat, store-and-forward imaging, streaming media, and landline and wireless communications. OCR provided a list of some acceptable and unacceptable vendors in the Guidance.

OCR noted that non-public facing applications typically have certain safeguards in place that will help further protect PHI, such as end-to-end encryption and separate individual accounts, logins, and passcodes to help limit access and verify participants. OCR encouraged healthcare providers to seek additional privacy protections while using non-public facing communications. For example, providers could use vendors that have HIPAA compliance programs and will sign a HIPAA Business Associate Agreement.

Providers may not use applications that are public facing. Public-facing applications are those that permit the public to access or view the transmission, such as those applications that permit live-streaming or posting of videos onto a public space. Healthcare providers who choose to use public-facing applications will not receive the protections under the Guidance.

Portions of the HIPAA Rule Affected by the Guidance

OCR will use its enforcement discretion and not enforce penalties for violations of the HIPAA Rules during the COVID-19 pandemic as a result of the good-faith provision of telehealth services. For example, although OCR encouraged covered healthcare providers to use vendors who are HIPAA compliant and will sign a business associate agreement, OCR states that healthcare providers will not be penalized for using less secure products in their efforts to provide timely and accessible care to patients during the COVID-19 pandemic.

In another example, if a healthcare provider experiences a breach as a result of good-faith provision of telehealth services, then OCR, using its enforcement discretion, may choose not to pursue any penalties against the provider with respect to the breach event after examining the facts and circumstances of the breach. The healthcare provider, however, still would need to comply with its breach-reporting obligations under HIPAA.

OCR clarified that the Guidance does not affect the application of the HIPAA Rules to other areas of healthcare outside of the telehealth emergency. As stated in previous guidance related to COVID-19, most of HIPAA continues to apply during the pandemic, just as it applies to non-telehealth situations.
Effective and End Date for the Notification

OCR's enforcement discretion within the Guidance became effective on March 17, 2020, and currently does not have an expiration date. OCR will issue a notice upon the expiration of OCR's enforcement discretion, at which time covered healthcare providers will be expected to bring all of their telemedicine and remote communications services back within HIPAA requirements.

Some Takeaways

• OCR provides considerable assistance and flexibility to healthcare providers in delivering telehealth services
• The Guidance and Notification applies to all covered health providers and their patients – not just to Medicare and Medicaid patients – but does not apply to health insurance providers who pay for telehealth services
• State attorneys general who also have the authority to enforce HIPAA are not subject to the Guidance (although we hope they would use discretion in enforcement as well)
• After establishing remote communications services, healthcare providers need to circle back after the emergency abates to bring all of their telemedicine and remote communications services back within HIPAA requirements.

[View source.]