OCR Issues Notification of Enforcement Discretion for Telehealth Remote Communications During COVID-19 Nationwide Public Health Emergency

On March 17, 2020, the Office for Civil Rights (“OCR”) issued a notification regarding enforcement discretion for telehealth remote communications that may not fully comply with applicable HIPAA Rules (the “Notification”). The Notification provides that OCR will not impose penalties on covered health care providers for noncompliance with regulatory requirements under the HIPAA Rules in connection with the good faith provision of telehealth services via everyday communications technology during the COVID-19 nationwide public health emergency (the “COVID-19 Emergency”).

REQUIREMENTS

Pursuant to the Notification, covered health care providers may utilize widely available non-public facing remote communication products (e.g., Apple FaceTime, Facebook Messenger video chat; Google Hangouts video; or Skype) to provide telehealth to patients during the COVID-19 Emergency. Note that the Notification explicitly prohibits the use of public facing communication applications (e.g., Facebook Live, Twitch, TikTok and other similar communications products). Prior to utilizing any such audio or video communications, providers should:

  1. Enable all available encryption and privacy modes; and
  2. Notify the patient that the third-party applications pose potential privacy risks.

ADDITIONAL PRIVACY PROTECTION

Should providers wish to seek additional privacy protections for telehealth while using video communication products, they should seek vendors that are both HIPAA-compliant and agree to enter into a HIPAA business associate agreement (“BAA”). The following vendors have indicated that they provide HIPAA-compliant video communication programs and are willing to enter into a BAA:

  • Skype for Business / Microsoft Teams;
  • Updox;
  • VSee;
  • Zoom for Healthcare;
  • me;
  • Google G Suite Hangouts Meet;
  • Cisco Webex Meetings / Webex Teams;
  • Amazon Chime; and
  • GoToMeeting.

Note that OCR will not impose penalties against covered health care providers for the lack of a BAA with a video communications vendor that relates to the good faith provision of telehealth services during the COVID-19 Emergency.

For more information regarding telehealth remote communications and OCR’s Notification, please contact Adrienne Dresevic, Esq., Clinton Mikel, Esq., or Abby Pendleton, Esq. at (248) 996-8510 or by email at adresevic@thehlp.com, cmikel@thehlp.com, and apendleton@thehlp.com.