Healthcare Law Alert: DHHS OCR Issues Notification of Enforcement Discretion to Enhance Telehealth Communications During COVID-19 Crisis
On March 17, 2020, the U.S. Department of Health & Human Services, Office for Civil Rights (OCR), the HIPAA enforcement agency, issued a Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 National Public Health Emergency. In the Notification, OCR Director Roger Severino stated, “We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
The OCR noted that, during the COVID-19 national emergency, HIPAA-covered healthcare providers may seek to communicate with patients, and provide telehealth services, through remote communication technologies, some of which may not be fully HIPAA compliant. In light of this national public health emergency, OCR is exercising its enforcement discretion and will not impose penalties for non-compliance with HIPAA in connection with the “good-faith provision” of telehealth during the national public health emergency, including telehealth services unrelated to COVID-19.
A healthcare provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency may use any non-public-facing remote communication product that is available to communicate with patients. The OCR provided the following example:
A covered healthcare provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a covered healthcare provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation, or psychological evaluation, or other conditions.
OCR further stated:
Covered healthcare providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
However, the following public-facing applications are not permitted: Facebook Live, Twitch, TikTok, and similar public-facing communication applications.
For healthcare providers seeking additional protections, the OCR offered (but did not endorse) the following list of vendors that represent they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement: Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me and Google G Suite Hangouts Meet. Although such vendors state they will enter into business associate agreements, OCR will not impose penalties against healthcare providers for the lack of a business associate agreement with such vendors “or any other noncompliance with the HIPAA rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”
Note that once the public health emergency is declared over, the OCR will resume its normal HIPAA enforcement processes, and HIPAA-covered healthcare providers will need to return to full HIPAA compliance at that time.