March 18, 2020
On March 17, 2020, the Health and Human Services Office of Civil Rights (“OCR”) published an announcement that it would temporarily suspend HIPAA enforcement to support telehealth service expansion efforts. The OCR’s announcement coincided with the Centers for Medicare and Medicaid Services’ (“CMS”) waiver of Medicare telehealth requirements to allow health care providers to remotely treat patients to contain the spread of COVID-19. The OCR’s announcement applies only while the COVID-19 public health emergency remains in effect.
The OCR stated that, effective immediately, it will decline to impose penalties for noncompliance with HIPAA’s existing regulatory requirements for telehealth services, provided that the telehealth services are delivered in good faith during the COVID-19 public health emergency. During that time, providers may use any non-public facing audio and video remote communication application to telecommunicate with patients. Examples of non-public facing applications that may be utilized include Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, and Skype. Although providers will not face penalties for noncompliance with HIPAA while using such applications, OCR has nonetheless encouraged providers to notify patients of the privacy risks associated with using these popular applications.
Additionally, while OCR has encouraged providers that seek additional privacy protections to use communication vendors and products that are HIPAA compliant, and to enter into business associate agreements (“BAAs”) when required, OCR will not impose penalties against providers for the lack of a BAA during the public health emergency. Despite OCR lessening these restrictions, providers must still comply with applicable state laws governing the privacy and security of protected health information. The OCR published a bulletin with additional information relating to this announcement.