Coronavirus Pandemic HIPAA Guidance on Telehealth Issued by OCR

Following its initial announcement that HIPAA enforcement has been relaxed in relation to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency, the HHS’ Office for Civil Rights (OCR) has released guidance on telehealth and remote communications.

Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and encourage long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be delivered by text, audio, or video through secure text messaging platforms, over the internet, using video conferencing software, or over landlines and wireless communications networks.

The Notification of Enforcement Discretion covers “All services that a covered health care provider, in their professional judgement, believes can be provided with telehealth in the given circumstances of the current emergency,” which includes the remote diagnosis and treatment of patients. The Notification of Enforcement Discretion applies only to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

OCR has stated that its Notification of Enforcement Discretion applies only to HIPAA-covered healthcare providers, not to other HIPAA-covered entities that are not engaged in the provision of health care.

OCR says that during the public health emergency, telehealth services can be provided to all patients, not only those who receive benefits under Medicare and Medicaid. Telehealth services can be given to patients regardless of their health complaint, not only to those displaying symptoms of COVID-19.

There is, at present, no expiration date for the Notification of Enforcement Discretion. This is an ever-evolving situation and likely to be a long-term public health emergency. OCR will issue a public notice when the enforcement discretion is no longer valid, and that decision will be based on circumstances and facts.

In the guidance, OCR explains that telehealth services can be provided from healthcare centers, including other clinics and offices, and from the home. To safeguard patient privacy, the services should be provided in a private setting where conversations cannot be overheard by others. Public locations and semi-public settings should be avoided, unless consent is provided by patients or in exigent circumstances. In all instances, safeguards must be implemented to protect against incidental uses and sharing of patients’ protected health information.

OCR has also clarified what counts as good faith and bad faith provision of telehealth services. The Notification of Enforcement Discretion only applies to good faith provision of telehealth services.

Bad faith provision of telehealth services includes:

  • Use of PHI for criminal reasons or to carry out a criminal act
  • Uses of PHI shared during a telehealth communication for purposes not allowed under the HIPAA Privacy Rule, e.g., sale of PHI or use of PHI for marketing purposes without first obtaining authorization
  • Breaches of state licensing laws
  • Breaches of professional ethical standards that would lead to disciplinary action
  • The use of public-facing communications software

Public and Non-public Facing Communications Channels

The Notification of Enforcement Discretion only applies to the use of non-public facing communications tools. These include HIPAA-compliant communications software, Facebook Messenger video, WhatsApp, Apple FaceTime, Skype, Google Hangouts video, and the texting features within those applications. These non-public facing applications normally use end-to-end encryption, which helps to ensure PHI is not intercepted in transit. These solutions have access controls and give users control over certain aspects of communications, such as recording and muting conversations.

Public-facing communications platforms are not included in the Notification of Enforcement Discretion and MUST NOT be used. These communications platforms have been created to permit wide or indiscriminate access and are open to the public. Public-facing platforms include Facebook Live, Twitch, and TikTok, as well as chatroom platforms such as Slack.

You can read the OCR guidance on telehealth and HIPAA during the COVID-19 nationwide public health emergency at this link (PDF).