Loosening of HIPAA Requirements
Permit providers subject to HIPAA to communicate with
patients and provide telehealth services through certain remote communications
technologies
Written by Caleb Knight, Flaherty Sensabaugh Bonasso PLLC
The Office for Civil Rights (“OCR”) at the Department of
Health and Human Services (“HHS”) has taken steps to permit covered health care
providers subject to the HIPAA Rules to seek to communicate with patients and
provide telehealth services through remote communications technologies. Some technologies and the manner in which
they are used may not comply with the requirements of HIPAA; however, OCR
announced that it will exercise its enforcement discretion and will not impose
penalties for noncompliance with the regulatory requirements under HIPAA rules
against covered health care providers in connection with the good faith
provision of telehealth during the COVID-19 nationwide public health emergency.
For example, a covered health care provider, in the exercise
of their professional judgment, may request to examine a patient exhibiting
COVID- 19 symptoms using a video chat application to assess a greater number of
patients while limiting the risk of infection. Likewise, a covered health care
provider may provide similar telehealth services, in the exercise of their
professional judgment, to assess or treat other medical conditions unrelated to
COVID-19, such as a sprained ankle, dental consultation, or psychological
evaluation, or other conditions.
Under OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency issued March 17, 2020, covered health care providers may use
popular applications that allow for video chats, including Apple FaceTime,
Facebook Messenger video chat, Google Hangouts video, or Skype, to provide
telehealth without the risk that OCR might seek to impose a penalty for
noncompliance with the HIPAA Rules related to the good faith provision of
telehealth during the COVID-19 nationwide public health emergency. Providers
are encouraged to notify patients that these third-party applications
potentially introduce privacy risks, and providers should enable all available
encryption and privacy modes when using such applications.
Under this Notice, however, Facebook Live, Twitch, TikTok,
and similar video communication applications are public facing. They should not
be used in the provision of telehealth by covered health care providers.
Covered health care providers that seek additional privacy protections
for telehealth while using video communication products should provide such
services through technology vendors that are HIPAA compliant and will enter
into HIPAA business associate agreements (BAAs) in connection with the
provision of their video communication products. The list below includes some
vendors that represent that they provide HIPAA-compliant video communication
products and that they will enter into a HIPAA BAA.
- Skype for Business
- Updox
- Zoom for Healthcare
- Google G Suite Hangouts Meet
For additional information review this information included in CR’s Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency issued March 17, 2020:
The Notification of Enforcement Discretion on telehealth remote communications may be found at: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
For more information on HIPAA and COVID-19, see OCR's February 2020 Bulletin: https://www.hhs.gov/sites/default/files/february-2020-hipaa-and-novel-coronavirus.pdf - PDF
No comments:
Post a Comment