OCR Issues New Guidelines for Telehealth Services Under HIPAA in Response to COVID-19
On March 17, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services issued new guidance on how it will enforce HIPAA privacy protections against covered health care providers. The guidance explains that OCR will exercise increased discretion and will waive potential penalties for HIPAA violations that arise specifically from treating patients through everyday, common telecommunications and videoconferencing platforms during the COVID-19 public health emergency.
This increased discretion and penalty waiver policy applies to the use of common communications platforms, or to particular uses of such platforms, that may not otherwise be HIPAA compliant. The only requirement a HIPAA-covered health care provider must satisfy to fall under the discretionary enforcement and penalty waiver policy is that the technology be used in good faith for a telehealth treatment or diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.
As a result of this announcement, a covered health care provider may now use any currently available non-public-facing communication technology to communicate with patients for the diagnosis or treatment of any medical condition, including conditions unrelated to COVID-19 such as sprained ankles, diabetes, and dental and psychological conditions. Covered health care providers may now use any non-public-facing technology to conduct a good faith examination of symptoms related to medical conditions through a patient's phone or computer. One of the essential goals of this flexible approach to HIPAA enforcement is to slow the spread of COVID-19 by reducing the risk of infection from potential exposure during in-person medical assessments.
Under this new guidance, covered health care providers may now use the following communication applications in good faith to conduct medical assessments or deliver medical treatment: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Skype, WhatsApp, or any other similar non-public-facing platform. Covered health care providers, however, should be careful to avoid public-facing communications technologies, such as TikTok, Facebook Live, Twitch, or other live streaming services or publicly accessible platforms, when interacting with patients. The use of public-facing communications technologies will not be covered by OCR's new policy of discretionary HIPAA enforcement and penalty waiver.
For extra protection, a covered health care provider may also use a communications service that offers a HIPAA business associate agreement (BAA) to safeguard protected patient information. A BAA is an agreement between a HIPAA-covered entity and a person or entity that performs functions or services on behalf of the covered entity, laying out how that person or entity will comply with HIPAA privacy requirements. OCR has provided a non-comprehensive list of telecommunications vendors that represent that they offer HIPAA-compliant communications services and will enter into a BAA. This list includes Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet. Although OCR has published this list, it has not specifically endorsed any of these services. Additionally, under the new guidance, OCR will not impose penalties against covered entities for the good faith use of these or other non-public-facing services for lack of a BAA.
If you have any questions regarding the COVID-19 outbreak and its effects on the health care industry or data privacy enforcement, please contact your Much attorney.