This news came via email from the Office for Civil Rights, the HIPAA enforcement agency, to the OS OCR PrivacyList email group, and is not in the form of posted guidance yet (as far as I can tell). But providers may use "Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance . . . related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency."
Full text of the email follows. And watch this blog for further discussion and analysis of HIPAA in times of Coronavirus.
March 17, 2020
Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency
We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities. – Roger Severino, OCR Director.
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain regulations issued under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to protect the privacy and security of protected health information, namely the HIPAA Privacy, Security and Breach Notification Rules (the HIPAA Rules).
During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules.
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
For example, a covered health care provider in the exercise of their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a covered health care provider may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.
Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. The list below includes some vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA BAA.
- Skype for Business
- Updox
- VSee
- Zoom for Healthcare
- Doxy.me
- Google G Suite Hangouts Meet
Note: OCR has not reviewed the BAAs offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA BAA with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.
Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.