Relaxed HIPAA requirements for telehealth encounters during the COVID-19 national emergency

On March 13, 2020, the Trump Administration announced regulatory flexibilities to help health care providers and states to respond to and contain the spread of coronavirus. Included in the announcement was that CMS will activate blanket waivers in an effort to ease certain requirements and to prevent gaps in access.

One of these waivers is to expand telehealth services. Under this new waiver, Medicare can pay for office, hospital and other visits furnished via telehealth across the country, including in patient's places of residence starting March 6, 2020.  A range of providers, such as doctors, nurse practitioners, clinical psychologists, and licensed clinical social workers, will be able to offer telehealth to their patients.

Medicare beneficiaries will be able to receive a specific set of services through telehealth including evaluation and management visits (common office visits), mental health counseling and preventive health screenings. This will help ensure Medicare beneficiaries, who are at a higher risk for COVID-19, are able to visit with their doctor from their home, without having to go to a doctor's office or hospital which puts themselves and others at risk.

These telehealth encounters can occur through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.

On March 19, 2020, the Office of Civil Rights announced that it will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.

For example, a covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID- 19 symptoms, using a video chat application connecting the provider's or patient's phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a covered health care provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.

Under this notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.  Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Under this notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.

Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.

• Skype for Business / Microsoft Teams
• Updox
• VSee
• Zoom for Healthcare
• Doxy.me
• Google G Suite Hangouts Meet

Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Under this notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

OCR has published a bulletin advising covered entities of further flexibilities available to them as well as obligations that remain in effect under HIPAA as they respond to crises or emergencies.

Kelly Grahovac is the general managed for The van Halem Group.