The Office for Civil Rights (OCR) announced last week, through a notification (the “Notification”), that it was exercising its enforcement discretion to temporarily waive certain HIPAA penalties against healthcare providers. This change will allow for the more flexible good faith provision of telehealth services during this national public health emergency.
OCR released a follow-up set of frequently asked questions to serve as guidance for the Notification. Below is a list of key points from this guidance to help you better navigate telehealth services during the national public health emergency. As always, we recommend consulting with a Woods Rogers Health Law Attorney when navigating the evolving landscape of telehealth.
1. OCR clarified that under the Notification, telehealth services may be provided through a variety of technologies, including audio, text messaging, or video communication technology.
- For reimbursement, certain payors (including Medicare and Medicaid) can still impose restrictions on the type of technologies that can be used, but those restrictions on reimbursement will not limit the scope of the OCR’s enforcement discretion under the Notification.
2. The Notification applies to all health care providers that (a) are covered entities under HIPAA, and (b) provide telehealth services during the emergency. Health insurance companies that pay for telehealth services are not covered by the Notification because they are not engaged in the provision of health care.
3. The Notification applies to all HIPAA-covered entities, without limitation on the patients they serve with telehealth (including Medicare or Medicaid beneficiaries).
4. Under the Notification, HIPAA-covered entities will not be subject to penalties associated with violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the emergency.
- OCR further clarified this Notification does not affect the application of HIPAA rules to other areas outside of telehealth.
5. The Notification does not address telehealth in the context of patient identifying information associated with a substance use disorder under 42 CFR Part 2; it only addresses the enforcement of HIPAA rules.
- SAMHSA (Substance Abuse and Mental Health Services Administration) posted its own guidance regarding the applicability of 42 CFR Part 2 during the emergency (pdf).
6. The Notification does not have an expiration date. OCR will update a public notice when it expires.
7. Providers should take steps to ensure that all telehealth services are provided, and received, in a private setting.
- If telehealth services cannot be provided in a private setting due to emergency circumstances, OCR indicates that providers should use reasonable precautions such as lowering voices, not using speakerphone, and advising the patient to move away from others when discussing PHI.
8. All services from a provider that, in their professional judgment, the provider believes can be administered through telehealth during the emergency are covered by the Notification.
- This includes services associated with COVID-19, and services unrelated to COVID-19.
9. All telehealth services provided under the Notification must be provided in good faith.
- OCR will look to all facts and circumstances to determine whether services are being provided in bad faith, including but not limited to:
- furtherance of criminal activity,
- further disclosures of patient data that are prohibited by the HIPAA privacy rule,
- violations of state licensing laws or professional ethical standards,
- use of public-facing communications such as TikTok, Facebook Live, Twitch, or Slack.
10. All telehealth services under the Notification must be provided through a non-public facing communication product, which OCR defines as a product that, “as default, allows only the intended parties to participate in the communication.” OCR indicates that such products would include: Apple FaceTime, Facebook Messenger video chat, Google Hangouts, WhatsApp video chat, Skype, or common private texting applications (e.g. iMessage).
11. If electronic PHI is intercepted during telehealth services provided pursuant to the Notification, OCR indicates it will “exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.” OCR will consider all the facts and circumstances to determine if the telehealth services were provided in good faith. Telehealth services should be provided in accordance with the Notification and other applicable OCR guidance.
- OCR encourages practitioners to use video communication vendors who will sign a Business Associate Agreement, but will not penalize practitioners who use less secure products in accordance with the Notification and subsequent guidance.