OCR Notification of Enforcement Discretion – Violations of HIPAA Privacy, Security and Breach Notification Rules In Connection With Use of Applications for Telehealth Purposes

Consistent with its response to the public health emergency, the U.S. Department of Health and Human Services – Office for Civil Rights (OCR) published a notification on March 17, 2020 and clarifying guidance on March 20, 2020, that it will be exercising its discretion and refraining from imposing penalties on covered health care providers for noncompliance with HIPAA’s Privacy and Security Rules in the good-faith provision of telehealth services, with the intended goal being limiting the risk and spread of infection to those who would be exposed from in-person appointments.  The relaxation of the HIPAA Rules for telehealth services comes closely on the heels of the Centers for Medicare and Medicaid Services’ expansion of Medicare coverage to include telehealth visits. 

According to OCR, many remote communication technologies sought to be used by covered health care providers for the provision of telehealth services, and the manner in which they intend to use such technologies, may not fully comply with the requirements of the HIPAA Rules.  However, the OCR notification and clarifying guidance allow covered health care providers to use any non-public facing audio or video remote communication product for the good faith provision of telehealth services to patients during the public health emergency; OCR will not impose penalties for noncompliance with the HIPAA Privacy, Security or Breach Notification Rules in connection with the provision of telehealth services through such modalities.  Further, this exercise of OCR’s discretion will apply to the provision of telehealth services for any reason, regardless of whether the provider is diagnosing or treating health conditions related to COVID-19.  Thus, a covered health care provider can now request to examine a patient exhibiting symptoms of COVID-19, or any other medical condition, using video chat applications connected to the provider’s or the patient’s phone or desktop computer. OCR indicated that the provider may use its professional judgment to determine whether telehealth is appropriate for the provision of such services, but explicitly cited as examples in the guidance physical therapy services, mental health counseling services and the adjustment of prescriptions.

Under the notice, OCR specifically named several popular video and text messaging platforms as applications covered health care providers may now use for the provision of telehealth services.  Of note, OCR warned that video and messaging applications that are accessible for viewing by the public should not be used in the provision of telehealth.

Should a covered health care provider desire additional privacy protections for telehealth while using video communication products, OCR provided a list of companies in its guidance that have represented that they have the capability of entering into HIPAA business associate agreements (BAA) in connection with the provision of their video products.

The guidance further specified that telehealth should be conducted in private settings when feasible, and that providers should continue to take precautions to safeguard patient PHI including using an appropriate volume when speaking, refraining from using speakerphone when speaking with patients and recommending that patients, themselves, seek out a private place when discussing their own PHI with the provider.

If you have additional questions or need further assistance, please feel free to reach out to Alessandra Swanson or your Winston relationship attorney.

View all of our COVID-19 perspectives here. Contact a member of our COVID-19 Legal Task Force here.