On March 20, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance on telehealth remote communications following its Notification of Enforcement Discretion during the COVID-19 nationwide public health emergency.
The Notification, issued earlier this month, announced, effective immediately, that OCR is exercising its enforcement discretion to not impose penalties for HIPAA violations against healthcare providers in connection with their good faith provision of telehealth using communication technologies during the COVID-19 nationwide public health emergency.
The new guidance is in the form of frequently asked questions (FAQs) and clarifies how OCR is applying the Notification to support the good faith provision of telehealth. Some of the FAQs include:
What covered entities are included and excluded under the Notification?
- What patients can a covered healthcare provider treat under the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications, and does it include Medicare and Medicaid patients?
This Notification applies to all HIPAA-covered healthcare providers, with no limitation on the patients they serve with telehealth, including those patients that receive Medicare or Medicaid benefits, and those that do not.
- Which parts of the HIPAA Rules are included in the Notification?
Covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
- When does the Notification expire?
The Notification of Enforcement Discretion does not have an expiration date. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.
- Where can healthcare providers conduct telehealth?
OCR expects healthcare providers will ordinarily conduct telehealth in private settings, such as a doctor in a clinic or office connecting to a patient who is at home or at another clinic. Providers should always use private locations and patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances. If telehealth cannot be provided in a private setting, covered health care providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information (PHI). Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI.
- What is a “non-public facing” remote communication product?
A “non-public facing” remote communication product is one that, as a default, allows only the intended parties to participate in the communication. Non-public facing remote communication products would include, for example, platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage. Typically, these platforms employ end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted. The platforms also support individual user accounts, logins, and passcodes to help limit access and verify participants. In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point.
In contrast, public-facing products such as TikTok, Facebook Live, Twitch, or a chat room like Slack are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication. For example, a provider that uses Facebook Live to stream a presentation made available to all its patients about the risks of COVID-19 would not be considered reasonably private provision of telehealth services. A provider that chooses to host such a public-facing presentation would not be covered by the Notification and should not identify patients or offer individualized patient advice in such a livestream.
The Notification of Enforcement Discretion issued by the HHS Office for Civil Rights (OCR) applies to all healthcare providers that are covered by HIPAA and provide telehealth services during the emergency.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” said Roger Severino, OCR Director. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
The FAQs on telehealth remote communications may be found at: https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf (PDF)
The press release on telehealth remote communications may be found at: https://www.hhs.gov/about/news/2020/03/17/ocr-announces-notification-of-...
The Notification of Enforcement Discretion on telehealth remote communications may be found at: https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-pre...