OCR Announces HIPAA Telehealth Security Waiver in Response to COVID-19 Pandemic
By: Sean B. Hoar
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), which is the body responsible for enforcing certain regulations pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), is exercising its enforcement discretion to meet the needs of healthcare providers and patients during the COVID-19 (coronavirus) public health emergency.
Suspension of Penalties
In its recent Notification, OCR announced that effective immediately, it will not impose penalties for noncompliance with HIPAA’s telehealth requirements. Specifically, OCR will permit patients and their physicians to communicate through remote technologies that do not fully comply with HIPAA requirements. OCR’s notification provides that a “covered healthcare provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.” Moreover, OCR’s suspension of penalties during this time applies to telehealth provided for any reason, regardless of whether the service relates to the diagnosis and treatment of the coronavirus, or to other health conditions.
Pursuant to OCR’s Notification, healthcare providers are permitted to use applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype. They may not, however, use public-facing video communications systems such as Facebook Live, Twitch, TikTok, or the like. As OCR recommends, it is important that healthcare providers notify patients that the third-party communication platforms they use may introduce privacy risks.
Additionally, OCR advises that certain technology vendors that are HIPAA compliant and that will enter into HIPAA business associate agreements (BAAs) may provide additional privacy protections for the provision of telehealth. These vendors include Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Hangouts Meet by Google.
Telehealth Data Privacy Issues
Although OCR is easing requirements during this public health emergency, healthcare providers must nevertheless take steps to ensure the privacy of their patients’ medical information. First and foremost, as described above, providers should advise patients of the potential security risks that telemedicine poses. In addition, healthcare providers should ensure that all of their existing cybersecurity safeguards are properly in place.
Providers may also consider expanding their cybersecurity efforts to the extent possible during this time when the provision of telehealth services will undoubtedly increase. For example, providers may consider (1) extending encryption technology to portable devices, (2) conducting training specific to telemedicine, and (3) adjusting patient authorization and informed consent documents for telemedicine services.
Each state maintains its own laws and regulations regarding the documentation that is required to practice telemedicine. As such, providers should consult the state-specific requirements that apply to their institutions and practices to ensure that they are in compliance with them. These laws and regulations pertain to matters including licensure, prescribing, and insurance issues in connection with the provision of telehealth services.
The attorneys in Lewis Brisbois’ Data Privacy & Cybersecurity Practice stand ready to advise on telehealth issues arising from the coronavirus public health emergency. If you have any questions, please contact the authors of this post or visit our Data Privacy & Cybersecurity Practice page to find an attorney in your area.