News & Press: COVID-19

New Rules and FAQs Regarding HIPAA and Telehealth/Virtual Consults

Monday, March 23, 2020  
Share |
Early last week, the Office for Civil Rights (OCR) notified covered entities, including physicians, that it would exercise enforcement discretion for physicians using telehealth. OCR has issued new FAQs on this notice, which we wanted to bring to your attention. Additionally, SAMHSA has issued an FAQ on 42 CFR Part 2, seeking to ensure that substance use disorder treatment services are uninterrupted during this public health emergency. 

In light of the COVID-19 nationwide public health emergency, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion and, effective immediately, will not impose penalties on physicians using telehealth in the event of noncompliance with the regulatory requirements under the Health Insurance Portability and Accountability Act (HIPAA).
 
Physicians may seek to communicate with patients and provide telehealth services through remote communications technologies. Some of these technologies, and their use, may not fully comply with the requirements of the HIPAA Rules. 
 
However, today’s announcement means that physicians who want to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing service that is available to communicate with patients. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
 
For example, a physician, using their professional judgement, may request to examine a patient exhibiting COVID-19 symptoms using a video chat application connecting the physician’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a physician may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions. 
 
Under this Notice, physicians may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. Physicians should not use Facebook Live, Twitch, TikTok or other public facing communication services. Physicians are encouraged, but not required, to notify patients of the potential security risks of using these services and to seek additional privacy protections by entering into HIPAA business associate agreements (BAA). HHS also noted that while it hasn’t confirmed such statements, Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts have said that their products will help physicians comply with HIPAA and that they will enter into a HIPAA BAA.
 
Additional information can be found at this notice from Department of Health and Human Services (HHS).