Coronavirus Pandemic: OCR Publishes Guidance on Telehealth and HIPAA

HHS’ Office for Civil Rights (OCR) has released guidance on telehealth and remote communications. This comes in the aftermath of the OCR announcement that enforcement of HIPAA compliance in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency has been relaxed.

Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be administered using text, audio, or video via secure text messaging platforms, across the internet, using video conferencing solutions, or using landlines and wireless communications networks.

The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the remote diagnosis and treatment of patients. The Notification of Enforcement Discretion applies only to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

OCR has said that its Notification of Enforcement Discretion applies only to HIPAA-covered healthcare providers, not to other HIPAA-covered entities that are not involved in the provision of health care.

OCR has confirmed that during the public health emergency, telehealth services can be provided to every patient, not only those covered by Medicare and Medicaid. Telehealth services can be provided to patients regardless of their health complaint, not only to those who may have COVID-19.

There is currently no end date for the Notification of Enforcement Discretion. This is a constantly-developing situation and likely to be a long-term public health emergency. OCR will release a public notice when the enforcement discretion no longer applies, and that decision will be based on hard evidence.

In the guidance, OCR confirms that telehealth services can be provided from healthcare facilities, clinics, and offices, and from providers’ homes. To safeguard patient privacy, the services should be provided in a private setting where conversations cannot be overheard by other people. Public locations and semi-public settings should be avoided, unless permission is given by patients or in exigent circumstances. In all scenarios, safeguards must be in place to protect against incidental uses and disclosures of patients’ protected health information.

OCR has also released clarification on the good faith and bad faith provision of telehealth services. The Notification of Enforcement Discretion applies only to good faith provision of telehealth services.

Bad faith provision of telehealth services refers to:

  • PHI being used for criminal purposes or furtherance of a criminal act
  • PHI being transmitted during a telehealth communication for purposes not authorized by the HIPAA Privacy Rule, e.g. the sale of PHI, or use of PHI for marketing purposes without first obtaining authorization
  • Breaking state licensing laws
  • Breaching professional ethical standards that would result in disciplinary action
  • Public-facing communications products being used

Communications Platforms: Public-Facing and Non-Public-Facing

The Notification of Enforcement Discretion applies only to the use of non-public-facing communications tools. These include HIPAA-compliant communications solutions, Facebook Messenger video, WhatsApp, Apple FaceTime, Skype, Google Hangouts video, and the texting facilities inside those applications. These non-public-facing applications typically come with end-to-end encryption, which helps to ensure PHI is not intercepted in transit. These solutions have access controls and give users control over certain elements of the communication, such as recording and muting conversations.

Public-facing communications platforms are not covered by the Notification of Enforcement Discretion and MUST NOT be used. These communications platforms have been designed to allow wide or indiscriminate access and are open to the public. Examples of public-facing platforms include Facebook Live, Twitch, and TikTok, as well as chatroom platforms such as Slack.

You can view the OCR guidance on telehealth at this link (PDF).
