On April 21, 2020, the United States Secretary of Health and Human Services (the “Secretary”) published a “Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency” in the Federal Register. In it, the Secretary exercises his discretion in applying the Privacy, Security, and Breach Notification Rules (the “HIPAA Rules”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) during the COVID-19 nationwide public health emergency.
Specifically, the Secretary indicates that, as part of this enforcement discretion, the HHS Office for Civil Rights (“OCR”) will not impose penalties on covered health care providers for noncompliance with the HIPAA Rules in connection with their good faith provision of telehealth during the COVID-19 pandemic. The HIPAA Rules impose strict requirements on covered health care providers to protect the privacy and security of their patients’ protected health information (“PHI”), and some remote communication technologies may not fully comply with those requirements. OCR’s temporary stay of enforcement applies to the use of telehealth for any reason, whether or not the service relates to the diagnosis or treatment of COVID-19. The enforcement safe harbor lasts until the Secretary declares that the public health emergency no longer exists, or until the expiration date of the declared public health emergency (including any extensions), whichever occurs first.
By taking this action, HHS hopes to encourage more good faith use of telehealth by health care providers to treat their patients until the crisis is over. To operate within the enforcement safe harbor, covered health care providers may use any non-public-facing audio or video remote communication technology or product to communicate with their patients. Products specifically identified in the notice as allowable include popular video chat services such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, and Skype. Facebook Live, Twitch, TikTok, and similar video communication services are considered public-facing and do not qualify for the safe harbor. Even when using an acceptable application, health care providers are encouraged to notify their patients that these third-party applications potentially introduce privacy risks, and should enable all available encryption and privacy modes when using them. Note that the safe harbor only removes the penalty exposure; it does not reduce the underlying risk to PHI, which is why enabling whatever protections the application offers still matters.
Interestingly, the notice includes a list of video communication products that may provide “additional privacy protections” for health care providers seeking them, but also states that OCR has not reviewed the HIPAA business associate agreements (“BAAs”) offered by these vendors and that the list does not constitute an endorsement of their HIPAA compliance. Vendors listed include Skype for Business, Microsoft Teams, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet, Cisco Webex Meetings/Webex Teams, Amazon Chime, GoToMeeting, and Spruce Health Care Messenger. OCR does, however, state that it will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors, or for any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth during the emergency.