By Jeff Drummond
On March 17, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), the enforcement agency for the Health Insurance Portability and Accountability Act of 1996 (HIPAA), published a Notice of Enforcement Discretion relating to the use of telehealth remote communications by healthcare providers. The regulations issued under HIPAA require all “covered entities” (health plans, healthcare clearinghouses, and most healthcare providers) to impose administrative, physical, and technical safeguards to reasonably protect medical information they use or disclose. This means that covered entities must ensure the confidentiality and security of patient information. While HIPAA does not specifically require encryption or explicitly prohibit use of certain technologies, most HIPAA covered entities recognize that the lack of security protections (including encryption) strongly discourage the use of unsecured audio/video communications apps. In other words, while it’s not technically true that HIPAA prohibits use of Skype, FaceTime, and similar modalities, most providers have determined that their HIPAA safeguards and standards would not allow it.
The March 17 notice from OCR states that OCR will “exercise enforcement discretion and not impose penalties for noncompliance with regulatory requirements under the HIPAA rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.” What this means is that healthcare providers may use Skype, FaceTime, Zoom, Doxy.me, Updox, VSee, Google G Suite Hangouts Meet, and similar technologies for real-time audio/video communications with their patients, without fear that OCR might levy a penalty.
The guidance points out several salient factors to consider:
- The guidance only applies to provider-patient communication, and the communication must be about the provision of telehealth (i.e., treatment). The communication need NOT be about treatment of COVID-19; a provider can use Skype to treat a patient for a sprained ankle. The idea is to use the communication technology to enable social distancing and keep patients out of the waiting room.
- Provider-to-provider communications continue to be subject to existing standards and rules.
- Providers should get the consent of patients before using the technology. The consent should be obtained only after the provider advises the patient of the risks involved in using less-secure technologies.
- The decision to use the technology must be in good faith, which means after considering the availability of safer alternatives.
- The technology must be private, and cannot be public-facing; Facebook Live, Twitch, TikTok, and the like are not covered by this enforcement discretion.
- Providers who use these apps should enable encryption and set privacy settings to the highest practical level.
- While the requirement to obtain a BAA with the app provider is also waived, covered entities should obtain BAAs with those app providers if possible.
- The enforcement discretion is limited to the time the COVID-19 national public health emergency is in effect, and will expire when the pandemic threat has passed.
The general rule remains that HIPAA does not go away during a crisis or emergency. To seasoned HIPAA professionals, OCR’s action actually highlights the flexibility that is inherent in HIPAA: what is a reasonable safeguard in normal times might be too tight a restriction during an emergency. While providers could have been using Skype in certain circumstances (i.e., telehealth communication was extremely urgent and no other safer technology could be reasonably implemented), OCR’s action allows more providers to at least feel comfortable with using these technologies.
This follows an announcement by HHS on March 16 that provided all relief from certain other HIPAA requirements in limited situations. The HHS announcement was specifically limited: it only applies to HIPAA-covered hospitals (1) in the emergency area identified in the public health emergency declaration, (2) that have instituted a disaster protocol, and (3) for up to 72 hours from the time the hospital implements its disaster protocol. Additionally, it only waives five specific HIPAA obligations:
- the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
- the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
- the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
- the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
- the patient’s right to request confidential communications. See 45 CFR 164.522(b).
The governmental response to the COVID-19 crisis continues to evolve, and more changes may come in the future. You can keep up with the latest COVID-19 legal news on the Jackson Walker Coronavirus microsite and can follow breaking HIPAA news anytime on Jeff Drummond’s HIPAA blog.
Meet Jeff
Jeffery P. Drummond represents hospitals, physicians, laboratories, surgery centers, and other healthcare providers in transactional and regulatory matters. He is best known for his experience in HIPAA and medical record privacy, as well as other data privacy and security issues. Since 2002, Jeff has written a weblog on HIPAA matters at hipaablog.blogspot.com, and he regularly tweets about HIPAA @JeffDrummond. In recognition of his practice, Jeff has been recognized among The Best Lawyers in America in the area of Healthcare Law since 2018 and has been ranked in Texas for Healthcare by Chambers USA: America’s Leading Lawyers for Business.
Related Resources:
Please note: This article and any resources presented on the JW Coronavirus Insights & Resources site are for informational purposes only, do not constitute legal or medical advice, and are not a substitute for legal advice from qualified counsel. The laws of other states and nations may be entirely different from what is described. Your use of these materials does not create an attorney-client relationship between you and Jackson Walker. The facts and results of each case will vary, and no particular result can be guaranteed.