Following on from the announcement from the HHS’ Office for Civil Rights that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has been relaxed, OCR has issued guidance on telehealth and remote communications.
Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be provided through the use of text, audio, or video via secure text messaging platforms, over the internet, using video conferencing solutions, or via landlines and wireless communications networks.
The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the remote diagnosis and treatment of patients. The Notification of Enforcement Discretion only applies to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
OCR has confirmed that its Notification of Enforcement Discretion only applies to HIPAA-covered healthcare providers, not other HIPAA-covered entities that are not engaged in the provision of health care.
OCR explains that during the public health emergency, telehealth services can be provided to all patients, not only those who receive benefits under Medicare and Medicaid. Telehealth services can be provided to patients regardless of their health complaint, not only those with symptoms of COVID-19.
There is currently no expiration date for the Notification of Enforcement Discretion. This is a fluid situation and likely to be a long-term public health emergency. OCR will issue a public notice when the enforcement discretion no longer applies, and that decision will be based on circumstances and facts.
In the guidance OCR explains that telehealth services can be provided from healthcare facilities, including other clinics, offices, and from the home. To protect patient privacy, the services should be provided in a private setting where conversations cannot be overheard. Public locations and semi-public settings should be avoided, unless consent is given by patients or in exigent circumstances. In all cases, safeguards must be implemented to protect against incidental uses and disclosures of patients’ protected health information.
OCR has also provided clarification on the good faith and bad faith provision of telehealth services. The Notification of Enforcement Discretion only applies to good faith provision of telehealth services.
Bad faith provision of telehealth services includes:
- Use of PHI for criminal purposes or furtherance of a criminal act
- Uses of PHI transmitted during a telehealth communication for purposes not permitted by the HIPAA Privacy Rule e.g. sale of PHI; use of PHI for marketing purposes without first obtaining authorization
- Violations of state licensing laws
- Violations of professional ethical standards that would result in disciplinary action
- The use of public-facing communications products
Public and Non-public Facing Communications Platforms
The Notification of Enforcement Discretion only applies to the use of non-public facing communications tools. These include HIPAA-compliant communications solutions, Facebook Messenger video, WhatsApp, Apple FaceTime, Skype, Google Hangouts video, and texting facilities within those applications. These non-public facing applications typically use end-to-end encryption, which helps to ensure PHI is not intercepted in transit. These solutions have access controls and give users control over certain aspects of communications, such as recording and muting conversations.
Public-facing communications platforms are not covered by the Notification of Enforcement Discretion and MUST NOT be used. These communications platforms have been developed to allow wide or indiscriminate access and are open to the public. Public-facing platforms include Facebook Live, Twitch, and TikTok, as well as chatroom platforms such as Slack.
You can view the OCR guidance on telehealth and HIPAA during the COVID-19 nationwide public health emergency on this link (PDF).