After the HHS’ Office for Civil Rights announced that it is relaxing enforcement of HIPAA compliance for the good faith provision of telehealth services for the duration of the COVID-19 pandemic, OCR has published guidance on telehealth and remote communications.
Telehealth is defined by the HHS’ Health Resources and Services Administration (HRSA) as “the use of electronic information and telecommunications technologies to support and assist long-distance clinical health care, patient and professional health-related education, and public health and health administration.” These services can be supplied using text, audio, or video over secure text messaging platforms, over the internet, using video conferencing solutions, or using landlines and wireless communications networks.
The Notification of Enforcement Discretion includes “All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency,” which includes the remote diagnosis and treatment of patients. The Notification of Enforcement Discretion only applies to “Penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”
OCR has stated that its Notification of Enforcement Discretion only applies to HIPAA-covered healthcare delivery organizations, not other HIPAA-covered entities that are not providing healthcare services.
OCR says that during the public health emergency, telehealth services can be supplied to all patients, not only those that receive benefits under Medicare and Medicaid. Telehealth services can be supplied to patients regardless of their health complaint, not only those displaying symptoms of COVID-19.
There is, at present, no expiration date for the Notification of Enforcement Discretion. This is an ever-evolving situation and likely to be a long-term public health emergency. OCR will release a public notice when the enforcement discretion no longer applies, and that decision will be based on circumstances and facts.
In the guidance OCR says that telehealth services can be supplied from healthcare centers, including clinics, from offices, or from individuals’ homes. To safeguard patient privacy, the services should be administered in a private setting where conversations cannot be overheard. Public places and semi-public settings should be avoided, unless consent is provided by patients or in exigent circumstances. In all instances, safeguards must be implemented to protect against incidental uses and disclosures of patients’ protected health information.
OCR has also given clarification on the good faith and bad faith provision of telehealth services. The Notification of Enforcement Discretion only applies in relation to good faith provision of telehealth services.
Bad faith provision of telehealth services refers to:
- Use of PHI for criminal purposes or committing a criminal act
- Uses of PHI transmitted during a telehealth communication for purposes not allowable by the HIPAA Privacy Rule e.g. sale of PHI; use of PHI for marketing reasons without first obtaining authorization
- Breaches of state licensing laws
- Breaches of professional ethical standards that would lead to disciplinary action
- The use of public-facing communications products
Public and Non-public Facing Communications Platforms
The Notification of Enforcement Discretion is only relevant to the use of non-public facing communications platforms. These include, but are not limited to, HIPAA-compliant communications solutions, Facebook Messenger video, WhatsApp, Apple FaceTime, Skype, Google Hangouts video, and the texting facilities within those specific applications. These non-public facing applications normally use end-to-end encryption, which helps to ensure PHI is not captured by unauthorized individuals during transmission. These solutions have access controls and give users control over various aspects of communications, such as recording and muting conversations.
Public-facing communications platforms are not included in the Notification of Enforcement Discretion and MUST NOT be used. These communications platforms have been created to allow wide or indiscriminate access and are available to the public. Public-facing platforms include Facebook Live, Twitch, and TikTok, as well as chatroom platforms like Slack.
You can read the OCR guidance on telehealth and HIPAA during the COVID-19 nationwide public health emergency on this link (PDF).