The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) wants to make it easier for individuals to reach a healthcare provider, including those most at risk (older persons and persons with disabilities). Effective immediately, during the COVID-19 nationwide public health emergency, OCR announced it will not enforce noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth.
In short, covered health care providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies, some of which may not fully comply with the requirements of the HIPAA Rules, without the threat of enforcement.
A couple of key points about this announcement:
- covered health care providers that want to use audio or video communication technology to provide telehealth in good faith to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.
- The announcement applies to telehealth provided for any reason, not just services related to the diagnosis and treatment of health conditions related to COVID-19.
In the exercise of their professional judgement, for example, a covered health care provider may request to examine a patient exhibiting COVID- 19 symptoms using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. The provider may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth.
However, OCR advises providers to take some precautions:
- notify patients that these third-party applications potentially introduce privacy risks,
- enable all available encryption and privacy modes when using such applications,
- public facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar should not be used in the provision of telehealth,
- where applicable, use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. OCR listed some vendors that represent that they provide HIPAA-compliant video communication and that will enter into a HIPAA BAA (Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet), but has not endorsed any of these or their BAAs.
The OCR’s guidance extends to BAAs in this context. It will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors relating to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.
This is welcomed news and should help facilitate the availability of care, particularly to those most at risk.