In response to the COVID-19 pandemic, on March 17, 2020, the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) issued a notification of enforcement discretion, announcing that it would not impose civil penalties for HIPAA violations “against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency” (the “Notification”). The Notification is important because, ordinarily, providing telehealth services does not modify a covered entity’s obligations under HIPAA. That is, normally, if a covered entity’s provision of telehealth services involves protected health information (“PHI”), that entity must meet the same HIPAA Privacy, Security, and Breach Notification requirements that apply to in-person health services. OCR’s Notification is clear that “this exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.” The Notification supplements an earlier OCR bulletin detailing the application of the HIPAA Privacy Rule during an outbreak of infectious disease.
On March 20, 2020, OCR issued further guidance on the Notification in the form of FAQs clarifying how OCR will apply its discretion (the “Guidance”). The Guidance details, among other things, which entities are covered under the Notification; which HIPAA rules are implicated by the Notification; where providers can conduct telehealth services; what may constitute the “bad faith” provision of telehealth; and how OCR will exercise its discretion in cases involving PHI hacked during the provision of telehealth services. Notably, the Guidance does not provide an expiration date. OCR will publicly announce when the Notification is no longer in effect “based upon the latest facts and circumstances.”
Covered Providers and Telehealth Services
OCR’s Guidance applies the definition of telehealth used by HHS’ Health Resources and Services Administration: the “use of electronic information and telecommunication technologies to support long-distance clinical health care, patient and professional health-related education, public health, and health administration.”
The Notification applies to all “health care providers” that are (i) covered by HIPAA and (ii) provide telehealth services during the public health emergency. Under HIPAA, a “health care provider” is “a provider of medical or health services” or “any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” A health care provider is a “covered entity” under HIPAA if it “transmits any health information in electronic form in connection with a” covered transaction. The Guidance provides that the Notification does not cover a health insurance company that “merely pays” for telehealth services.
According to OCR’s Guidance, the Notification covers all “services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency.” This includes the diagnosis and treatment of conditions unrelated to COVID-19.
The Notification Applies to Three Specific HIPAA Rules
According to OCR’s Guidance, covered health care providers “will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” Generally, these three rules establish national, minimum standards for the protection of PHI and require covered entities and their business associates to provide notification following a breach of PHI. The Notification does not affect the application of these HIPAA rules outside the context of telehealth services provided during the COVID-19 pandemic.
Appropriate Settings for Conducting Telehealth Services
The Guidance sets forth OCR’s expectation that telehealth services will be provided in private settings (e.g., a doctor in an office connecting to an at-home patient), rather than public or semi-public settings, absent patient consent or exigent circumstances. In the event telehealth cannot be provided in a private setting, the Guidance states that providers should implement reasonable precautions such as using lowered voices, not using speakerphone, or recommending that the patient move a reasonable distance away from others when discussing protected health information.
Bad Faith Provision of Telehealth Services
According to the Guidance, OCR will “consider all facts and circumstances when determining whether a health care provider’s use of telehealth services is provided in good faith and thereby covered by” the Notification. The Guidance identifies the following as examples of “bad faith” provision of services that will not be covered by the Notification:
- criminal conduct or intentional invasion of privacy;
- prohibited uses of patient data transmitted during a telehealth communication (e.g., sale of data or use of data for marketing without authorization);
- violations of state licensing laws or professional ethical standards;
- use of public-facing communication platforms such as TikTok, Facebook Live, Twitch, or Slack.
Non-Public Facing Communication Platforms
In contrast to OCR’s identification of inappropriate “public-facing” platforms, the Guidance specifies that “non-public facing” communication platforms—products that, as a default, allow “only the intended parties to participate in the communication”—may be used for telehealth services covered by the Notification. The Guidance provides that such non-public facing platforms typically employ end-to-end encryption, individual logins, and user access limitations. OCR identifies the following platforms as potentially appropriate for the provision of telehealth services covered by the Notification:
- Apple FaceTime;
- Facebook Messenger;
- Google Hangouts;
- WhatsApp;
- Zoom;
- Skype;
- Signal;
- Jabber; and
- iMessage.
Unauthorized Interception of PHI During Provision of Telehealth Services
Notably, the Guidance is explicit that if “a covered health care provider uses telehealth services during the COVID-19 outbreak, and electronic protected health information is intercepted during transmission,” OCR will not impose a penalty on the provider for violating the HIPAA Security Rule, so long as the provision of telehealth services is deemed to be in good faith. By way of example, the Guidance states that, “if a provider follows the terms of the Notification and any applicable OCR guidance,” that provider “will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.”
In addition, OCR suggests the following to providers using remote electronic communication products:
- use video communication vendors that are familiar with the Security Rule requirements and that will sign appropriate HIPAA business associate agreements;
- notify patients that certain third-party applications potentially introduce privacy risks; and
- enable all available encryption and privacy modes when using third-party applications.
* * * * *
We will continue to monitor these developments and relevant guidance regarding cybersecurity and privacy enforcement during the COVID-19 pandemic.
