Getty Images/Tetra images RF

OCR Lifts HIPAA Penalties for Telehealth Use During COVID-19

Following HHS' lead, OCR announced it won’t impose penalties for noncompliance against covered providers who use telehealth vendors that may not fully comply with HIPAA during COVID-19.

The Department of Health and Human Services’ Office for Civil Rights announced it will not impose penalties for noncompliance with HIPAA regulations against providers leveraging telehealth platforms that may not comply with the privacy rule during the COVID-19 pandemic.

The announcement followed the expansion of telehealth services by the Trump Administration that would reimburse providers for virtual care at the same rate as in-person visits.

Given the nationwide public health emergency, healthcare providers may potentially seek to communicate with patients through telehealth and other remote capabilities. For example, Massachusetts mandated payers cover medically necessary coronavirus telehealth testing and treatment.

However, some of these technologies and their use may not fully comply with HIPAA requirements. But given the severe circumstances, OCR is exercising enforcement discretion under the good faith provision of telehealth, effective immediately.

“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” OCR Director, Roger Severino, said in a statement. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

Under the provision, covered healthcare providers can use any non-public facing remote, audio or video communication product available to provide telehealth and communicate to patients during the public health emergency.

OCR will not impose penalties for HIPAA noncompliance for those covered entities that use those tools during the Coronavirus pandemic. It applies to all uses of telehealth provided for any reason, regardless of whether the service is directly related to the diagnosis or treatment related to COVID-19 health conditions.

“OCR will not impose penalties against covered healthcare providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency,” according to the notice.

“For example, a covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation,” OCR explained.

In the same manner, covered entities can provide other telehealth services to treat and assess other medical conditions, even if unrelated to the virus, including sprained ankles or dental consultation, among other conditions.

Healthcare providers will be able to use any popular applications that allow for video chats, which includes Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth services without risk that OCR will impose a penalty for HIPAA noncompliance.

“Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications,” OCR explained.

Facebook has been involved with a number of privacy-related complaints, including being accused of exposing user health data through its platform. In response, it launched several privacy features for its health groups and topics. And under its July settlement with the Federal Trade Commission for $5 billion, the platform must disclose its health data use.

As a result, Facebook Live, Twitch, TikTok, and other similar public-facing video communication applications should not be used under the telehealth provision by covered providers.

“Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements in connection with the provision of their video communication products,” OCR stressed.

There several vendors able to provide HIPAA-compliant video communication products and will enter into BAAs, including Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts Meet.

The notice follows a similar announcement from HHS that they will waive some HIPAA sanctions around patient data sharing to improve care coordination and care management.

Next Steps

Dig Deeper on HIPAA compliance and regulation