OCR Gives Providers More Leeway to Use mHealth, Telehealth Tools

With isolation and separation at the top of the to-do list, federal regulators are looking to make it easier for care providers to use telehealth and mHealth to treat patients. That includes removing barriers to using smartphones and video platforms.

(For more coronavirus updates, visit our resource page, updated twice daily by Xtelligent Healthcare Media.)

On March 17, the Health and Human Services Department’s Office for Civil Rights moved to allow providers to use services like Skype, FaceTime and Google Hangouts. The OCR published a Notice of Enforcement Discretion related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which closely regulates how health information is relayed from provider to other parties.

"We are empowering medical providers to serve patients wherever they are during this national public health emergency," OCR Director Roger Severino said in the announcement. "We are especially concerned about reaching those most at risk, including older persons and persons with disabilities."

Under HIPAA, providers and other “covered entities” must take precautions to protect information passed on to other parties – a condition that prevented them from using many connected health platforms that don’t have stringent security protections. Under last week’s notice, the OCR said it would “exercise enforcement discretion and not impose penalties for noncompliance with regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

“What this means is that healthcare providers may use Skype, FaceTime, Zoom, Doxy.me, Updox, VSee, Google G Suite Hangouts Meet, and similar technologies for real-time audio/video communications with their patients, without fear that OCR might levy a penalty,” Jeffery P. Drummond, a partner with the Jackson Walker law firm, recently wrote in JD Supra.

“The general rule remains that HIPAA does not go away during a crisis or emergency,” Drummond added. “To seasoned HIPAA professionals, OCR’s action actually highlights the flexibility that is inherent in HIPAA: what is a reasonable safeguard in normal times might be too tight a restriction during an emergency. While providers could have been using Skype in certain circumstances (i.e., telehealth communication was extremely urgent and no other safer technology could be reasonably implemented), OCR’s action allows more providers to at least feel comfortable with using these technologies.”

Drummond advises providers to consider several factors before jumping onto Skype:

• The new rules apply only to provider-patient communications and must be about telehealth, though not necessarily about Coronavirus treatment;
• These conversations are still subject to existing standards and rules;
• Providers need consent from their patients to use the technology, after advising them of the risks of using these platforms, and after laying out all other options;
• The platform must be private, rather than public-facing (thus excluding services like Facebook Live, TikTok and Twitch);
• Encryption and privacy setting must be set as high as they can go;
• Though not necessary, covered entities should obtain a BAA with app providers when possible; and
• The new rules only apply while the national public health emergency is in effect.

For those seeking more information, the OCR issued additional guidance on its order on Friday, detailing frequently asked questions like:

• What covered entities are included and excluded?
• Which parts of the HIPAA rules are included?
• Does the notification apply to violations of 42 CFR Part 2, the HHS regulation that protects the confidentiality of substance use disorder patient records?
• When does the notification expire?
• Where can health care providers conduct telehealth?
• What is a “non-public facing” remote communication product?

The goal of these actions is to give providers more leeway to connect and collaborate with patients without having to be in the same room, thus improving access to care and reducing the risk of spreading the virus.

It also gives telehealth advocates – who have long argued that HIPAA was crafted before the advent of this technology – the opportunity to prove that these channels can be used for care management and coordination, provided they’re used correctly.