The U.S. Department of Health and Human Services Will Exercise Discretion in Enforcing HIPAA Privacy Rule for Telehealth Communications

The Office for Civil Rights (OCR) at the Department of Health and Human Services announced that during the COVID-19 public health emergency, healthcare providers subject to the HIPAA Privacy Rule may communicate with patients and provide telehealth services through remote communication technologies.

Telehealth connects patients to healthcare providers through videoconferencing, electronic consultations and virtual communications and will reduce the strain on the doctors’ time and resources during the pandemic.

The OCR, in turn, will exercise its enforcement discretion and will not impose penalties for non-compliance with regulatory requirements under the HIPAA Rules against the providers in connection with the good faith provision of telehealth services.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.  The Privacy Rule requires that healthcare entities provide satisfactory assurances from its contractors (“business associates”) that they will appropriately safeguard the protected health information they receive or create on behalf of the healthcare entities.  These satisfactory assurances must be in writing, typically in the form a Business Association Agreement between the provider and the contractor.

According to the OCR Notification, healthcare providers that want to use audio or video communication technology to provide telehealth to patients during the COVID-19 crisis can use any non-public facing remote communication product that is available to communicate with patients.  Specifically, the health care providers are permitted to use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger, Google Hangouts video, or Skype, to provide telehealth without the risk of having penalties imposed for noncompliance with the HIPAA Rules. For example, the OCR will not impose penalties against the health care providers for the lack of a Business Associate Agreement with these services.

Notably, the enforcement discretion is not limited to the diagnosis and treatment of COVID-19 but applies to telehealth assessment or treatment of any other medical condition.  This provision will allow to further limit in-person visits to the healthcare facilities during the pandemic.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653