HIPAA Blog

[ Friday, March 20, 2020 ]

OCR issues the FAQs to flesh out its bulletin on enforcement discretion for uses of Skype and related apps. One thing to keep in mind: OCR isn't saying use of these apps doesn't violate HIPAA (they're also not saying it does, and people who categorically say that using Skype and FaceTime in any situation violates HIPAA, no matter what, are incorrect); use of those less-than-perfectly-secure apps, when there are safer, more secure apps that could be used without any adverse effect, may well violate HIPAA in most cases, even now. What they are saying is that OCR won't levy fines if you use those apps during this time of crisis.

Other high points:

Applies to all patients.
Applies to treatment, not payment, operations, or other uses/disclosures.
Only applies to healthcare providers, not health plans or business associates.
Part 2 still applies (don't use these apps for Part 2, no matter what).
There's no expiration date, but OCR will pull the plug when appropriate.
Must be good faith (can't be used to commit fraud, sell PHI, or violate licensing laws).
Signal, WhatsApp, Jabber, and other texting apps are covered, too.
The FAQs say "typically, these platforms employ end-to-end encryption;" encryption isn't required to get the benefit of the enforcement discretion, but it played into OCR's decision to grant it.

Jeff [10:31 PM]

Comments: Post a Comment

http://www.blogger.com/template-edit.g?blogID=3380636 Blogger: HIPAA Blog - Edit your Template