Monday, March 23, 2020

COVID: Loosening of HIPAA Requirements

Loosening of HIPAA Requirements

Permit providers subject to HIPAA to communicate with patients and provide telehealth services through certain remote communications technologies
Written by Caleb Knight, Flaherty Sensabaugh Bonasso PLLC

The Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“HHS”) has taken steps to permit covered health care providers subject to the HIPAA Rules to seek to communicate with patients and provide telehealth services through remote communications technologies.  Some technologies and the manner in which they are used may not comply with the requirements of HIPAA; however, OCR announced that it will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.

For example, a covered health care provider, in the exercise of their professional judgment, may request to examine a patient exhibiting COVID- 19 symptoms using a video chat application to assess a greater number of patients while limiting the risk of infection. Likewise, a covered health care provider may provide similar telehealth services, in the exercise of their professional judgment, to assess or treat other medical conditions unrelated to COVID-19, such as a sprained ankle, dental consultation, or psychological evaluation, or other conditions.

Under OCR’s Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency issued March 17, 2020, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without the risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing. They should not be used in the provision of telehealth by covered health care providers.

Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.
  • Skype for Business
  • Updox
  • Zoom for Healthcare
  • Google G Suite Hangouts Meet

The Notification of Enforcement Discretion on telehealth remote communications may be found at:
For more information on HIPAA and COVID-19, see OCR's February 2020 Bulletin: - PDF

No comments: