OCR Temporarily Eases HIPAA Privacy Restrictions for Telehealth Practice

In furtherance of its social distancing strategy, the federal government is temporarily allowing labs and other health care providers to use communication technologies like Facetime or Skype for any telehealth treatment or diagnostic purpose, even if not directly related to COVID-19. And now the HHS Office of Civil Rights (OCR) has announced that, effective immediately, it will waive potential HIPAA penalties against providers that, acting in good faith, use everyday communications technologies to serve patients during the COVID-19 public health emergency, even though some of these technologies and the manner in which they’re used, may not fully comply with normal HIPAA Privacy Rules.

Telehealth HIPAA Relief

During public health emergencies (PHEs), restrictions that impair care delivery may get aside and providers get license to do things they’re not allowed to do during times of normalcy. Using communications technology to practice telehealth is a striking example. But to make it work, the government must temporarily waive not only care quality and practice restrictions but also HIPAA requirements limiting the collection, use and disclosure of protected health information (PHI). And as the principal enforcer of federal HIPAA privacy requirements, it falls to the OCR to temporarily rewrite the rules.

Permissible & Impermissible Technologies

HIPAA relief isn’t new but, like the COVID-19 pandemic itself, the scope of the new latitude is wider than it’s ever been. Thus, for as long as the PHE remains in effect, a lab or other covered health care provider can provide telehealth services for any reason related to the good faith diagnosis and treatment of patients, not just for the diagnosis and treatment of health conditions related to COVID-19. Just as empowering is that providers may use any available non-public facing remote video communication product to communicate with patients, including, among others:

• Apple FaceTime;
• Facebook Messenger video chat;
• Google Hangouts video; and
• Skype

What remains off-limit for telehealth services use, however, are public facing video communications technologies, such as Facebook Live, Twitch and TikTok.

Recommended Privacy Precautions for Telehealth

OCR recommends that providers recognize and take measures to minimize the privacy risks associated with telehealth practice, including:

• Notifying patients that these third-party communications applications carry potential privacy risks;
• Enabling all available encryption and privacy modes when using such applications;
• Use technology vendors that are HIPAA compliant and willing to enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. (See the box below.)

HIPAA-Compliant Vendors

The following are vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA:

• Skype for Business
• Updox
• VSee
• Zoom for Healthcare
• me
• Google G Suite Hangouts Meet

However, OCR has indicated that it will not impose penalties against providers for not having a BAA with video communication vendors.