HHS Provides More Information on HIPAA During COVID-19 Crisis

John F. Weaver
Director, Corporate Department and Chair, Real Estate Practice Group and Chair, Artificial Intelligence Practice
Published: McLane.com
March 24, 2020


United States Department of Health and Human Services Provides More Information on HIPAA Exceptions for Telehealth During COVID-19 Public Health Emergency

Following up on the Notification of Enforcement Discretion (Notice) issued last week by the United States Department of Health and Human Services (HHS), HHS has issued an FAQ providing more information on how HIPAA applies to telehealth during the current public health crisis. HHS considers telehealth to be the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. Telehealth relies on technologies like videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.

Who is covered by the Notice and FAQ?

The FAQ clarifies that the Notice, in which HHS announced it would not penalize providers for using some popular video chat applications in good faith to provide telehealth services during the COVID-19 emergency, applies to all health care providers that are covered by HIPAA and provide telehealth services during this crisis. However, an entity not engaged in the provision of health care, like a health insurance company that only pays for telehealth services, is not covered by the Notice.

What patients does the Notice apply to?

Although the Notice is in effect during the COVID-19 pandemic, its telehealth provisions are not limited to COVID-19 patients. All patient services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the current emergency are covered by the Notice.

What applications are acceptable to use in telehealth services during the COVID-19 crisis?

Non-public-facing remote communication products are acceptable. They include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, and Skype (as well as commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage). The FAQ states these products are acceptable because they employ end-to-end encryption and allow only an individual and the person with whom the individual is communicating to see what is transmitted.

Public-facing remote communication products are not acceptable for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication. These products include TikTok, Facebook Live, Twitch, Slack, and other chat room applications.

Where can telehealth sessions be conducted?

Health care providers should conduct telehealth in private settings, such as in a clinic or office, with patients located at their homes or another clinic. Public or semi-public locations should not be used for telehealth unless the patient consents or there is an emergency situation. However, even when a public or semi-public location is used, health care providers should continue to use reasonable safeguards, such as lowering voices, avoiding a speakerphone, and recommending that the patient move a reasonable distance away from other people when discussing personal health information.

What happens if a covered health care provider accidentally violates HIPAA during the public health crisis?

Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the current public health emergency. In the event of a breach of electronic protected health information (ePHI) during telehealth services, HHS will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the pandemic. Video communication vendors familiar with the requirements of the HIPAA Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement. Providers seeking to use video communication products are encouraged to use such vendors.

In the event of an investigation of a provider’s use of telehealth services, HHS would consider all facts and circumstances when determining whether the telehealth use was in good faith and covered by the Notice. Examples of actions that HHS would consider bad faith include further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule, use of public-facing remote communication products, and violations of state licensing laws or professional standards that result in disciplinary actions related to the treatment offered or provided via telehealth.

Does the Notice affect other areas of health care beyond telehealth?

The Notice does not affect the application of the HIPAA rules to other areas of health care outside of telehealth during the current public health emergency, nor does it affect the enforcement of other laws governing telehealth, although there may be advisories addressing those laws. For example, the Substance Abuse and Mental Health Services Administration (SAMHSA) has issued similar guidance addressing the HHS rule that protects the confidentiality of substance use disorder patient records (42 C.F.R. Part 2).

When does the Notice expire?

Per the FAQ, the Notice does not have an expiration date, but HHS will issue a follow-up advisory when the Notice is no longer in effect.