HHS Provides More Information on HIPAA During COVID-19 Crisis

Written by: John Weaver

3/24/2020

United States Department of Health and Human Services Provides More Information on HIPAA Exceptions for Telehealth During COVID-19 Public Health Emergency

Following up on the Notification of Enforcement Discretion (Notice) issued last week by the United States Department of Health and Human Services (HHS), HHS has issued an FAQ providing more information on how HIPAA applies to telehealth during the current public health crisis. HHS considers telehealth to be the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration. It relies on technologies like videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications.

Who is covered by the Notice and FAQ?

The FAQ clarifies that the Notice, in which HHS announced it would not penalize providers for using some popular video chat applications in good faith to provide telehealth services during the COVID-19 emergency, applies to all health care providers that are covered by HIPAA and provide telehealth services during this crisis. However, an entity not engaged in the provision of health care, like a health insurance company that only pays for telehealth services, is not covered by the Notice.

What patients does the Notice apply to?

Although the Notice is in effect during the COVID-19 pandemic, its telehealth provisions are not limited to COVID-19 patients. All patient services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the current emergency are covered by the Notice.

What applications are acceptable to use in telehealth services during the COVID-19 crisis?

Non-public-facing remote communication products are acceptable. They include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, and Skype (as well as commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage). The FAQ states these products are acceptable because they employ end-to-end encryption and allow only an individual and the person with whom the individual is communicating to see what is transmitted.

Public-facing remote communications products are not acceptable for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication. These products include TikTok, Facebook Live, Twitch, Slack, and other chat room applications.

Where can telehealth sessions be conducted?

Health care providers should conduct telehealth in private settings, such as in a clinic or office, with patients located at their homes or another clinic. Public or semi-public locations should not be used for telehealth unless the patient consents or there is an emergency situation. However, even when a public or semi-public location is used, health care providers should continue to use reasonable safeguards, such as lowering voices, avoiding a speakerphone, and recommending that the patient move a reasonable distance away from other people when discussing personal health information.

What happens if a covered health care provider accidentally violates HIPAA during the public health crisis?

Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the current public health emergency. In the event of a breach of electronic protected health information (ePHI) during telehealth services, HHS will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the pandemic. Video communication vendors familiar with the requirements of the HIPAA Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement. Providers seeking to use video communication products are encouraged to use such vendors.

In the event of an investigation of a provider’s use of telehealth services, HHS would consider all facts and circumstances when determining whether the telehealth use was in good faith and covered by the Notice. Examples of actions that HHS would consider bad faith include further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule, use of public-facing remote communication products, and violations of state licensing laws or professional standards that result in disciplinary actions related to the treatment offered or provided via telehealth.

Does the Notice affect other areas of health care beyond telehealth?

The Notice does not affect the application of the HIPAA rules to other areas of health care outside of telehealth during the current public health emergency, nor does it affect the enforcement of other laws governing telehealth, although there may be advisories addressing those laws. For example, the Substance Abuse and Mental Health Services Administration (SAMHSA) has issued similar guidance addressing the HHS rule that protects the confidentiality of substance use disorder patient records (42 C.F.R. Part 2).

When does the Notice expire?

Per the FAQ, the Notice does not have an expiration date, but HHS will issue a follow-up advisory when the Notice is no longer in effect.
