Pramote Lertnitivanit/istock via

OCR Clarifies HIPAA Liability on Telehealth Use During COVID-19

Two days after OCR announced it would lift penalties around telehealth use during the COVID-19 pandemic, its officials released clarifications around HIPAA compliance to ease concerns.

The Department of Health and Human Services’ Office for Civil Rights released a list of frequently asked questions to common concerns raised about its recent move to lift certain HIPAA penalties around telehealth use during the COVID-19 pandemic.

OCR announced it would not impose penalties for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the regulation, following the Trump Administration’s expansion of telehealth services and HHS’ waiver of some HIPAA sanctions.

The OCR notification of enforcement discretion applies to all HIPAA-covered healthcare providers that use telehealth services during the emergency. However, the notice explained that a health insurance company that pays for telehealth services is not covered by the enforcement discretion.

Under HIPAA, healthcare providers define both those who provide mental and health services, but also those who furnish, bill, or are paid for healthcare in the normal course of business, ranging from nurses and clinics, to home health aides and laboratories.

“By contrast, a health insurance company that merely pays for telehealth services would not be covered by the Notification of Enforcement Discretion because it is not engaged in the provision of healthcare,” officials explained.

According to the notice, telehealth is defined as electronic and telecommunication technology used to support and promote long-distance healthcare, patient and professional health education, and public health and health administration work.

Those technologies can include internet-based platforms, videoconferencing, store-and-forward imaging, streaming media, and other wireless and landline communications, as well as audio, text messaging, or video communication.

Providers are told to use a “non-public facing” remote communication, which is a platform that only allows intended parties to participate as a default. The initial notice provided some examples, including Google Hangouts video, Whatsapp video chat, or Skype.

For texting applications, providers can use those platforms or other products, iMessage. These platforms should use end-to-end encryption, which allows only an individual and the person with whom the individual is communicating to see what is transmitted.

These platforms also have individual user accounts and credentials, which will help providers limit access and verify the participants.

“In addition, participants are able to assert some degree of control over particular capabilities, such as choosing to record or not record the communication or to mute or turn off the video or audio signal at any point,” the notice explained.

“In contrast, public-facing products such as TikTok, Facebook Live, Twitch, or a chat room like Slack are not acceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication,” it added. “A provider that chooses to host such a public-facing presentation would not be covered by the notification and should not identify patients or offer individualized patient advice in such a livestream.”

Under the enforcement discretion, OCR will not impose a penalty on the provider if electronic protected health information is intercepted during the telehealth transmission. OCR will consider all facts and circumstances of the good faith provision, and if the provider follows applicable OCR guidance, it will not face HIPAA penalties.

Many remote electronic communication products have security features able to protect ePHI. The notice explained that video communications vendors with familiarity with HIPAA, may often have stronger security protections to prevent data interception and can offer assurances through a signed HIPAA business associate agreement.

OCR encourages providers to seek those products and vendors, but will not penalize providers for using less secure products to provide timely and accessible care during the national emergency. Providers should notify patients about the risk posed to their data through these third-party applications, while enabling all available encryption and privacy modes when using such applications.

“For purposes of reimbursement, certain payors, including Medicare and Medicaid, may impose restrictions on the types of technologies that can be used,” officials wrote. “Those restrictions do not limit the scope of the HIPAA Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications.”

Further, providers do not have a limit to the patients they can serve using telehealth during the pandemic, including those who receive Medicare or Medicaid benefits.

Under the enforcement discretion, providers are expected to conduct telehealth in private settings, like in an office or clinic. OCR stressed that patients should not receive these services in a public or semi-public setting, “absent patient consent or exigent circumstances.”

“If telehealth cannot be provided in a private setting, covered healthcare providers should continue to implement reasonable HIPAA safeguards to limit incidental uses or disclosures of protected health information,” according to the notice.

“Such reasonable precautions could include using lowered voices, not using speakerphone, or recommending that the patient move to a reasonable distance from others when discussing PHI,” it adds.

Further, the tech can be used for a range of healthcare issues, not just those related to the Coronavirus. When considering whether a provider is using telehealth in good faith, OCR will consider all facts and circumstances.

The notice provided key areas that would be considered bad faith use:

• Conducting or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy.

• Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (i.e., sale of the data, or use of the data for marketing without authorization).

• Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a healthcare licensing or professional ethics board).

• Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR identified as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.

However, the enforcement discretion does not apply to 42 CFR Part 2, the regulation regarding how the data of substance use disorder patients are shared. The Substance Abuse and Mental Health Services Administration (SAMHSA) released its own guidance in light of the pandemic.

SAMHSA noted the Coronavirus has rapidly increased the use of telehealth, which means that providers may not be able to obtain the needed written consent from patients to disclose substance use disorder records.

Under 42 CFR Part 2, “patient identifying information may be disclosed by a part 2 program or other lawful holder to medical personnel, without patient consent, to the extent necessary to meet a bona fide medical emergency in which the patient’s prior informed consent cannot be obtained.”

“Information disclosed to the medical personnel who are treating such a medical emergency may be re-disclosed by such personnel for treatment purposes as needed,” SAMHSA officials wrote. “We note that Part 2 requires programs to document certain information in their records after a disclosure is made pursuant to the medical emergency exception.”

“We emphasize that, under the medical emergency exception, providers make their own determinations whether a bona fide medical emergency exists for purposes of providing needed treatment to patients,” they added.

OCR reminded covered entities that although it will not be enforcing penalties for HIPAA noncompliance around telehealth, HIPAA rules will still be applied and enforced for all other areas outside of telehealth use. The current OCR enforcement discretion does not currently have an end date. Officials will submit a notice once the rules have ended.

Next Steps

Dig Deeper on HIPAA compliance and regulation