March 23, 2020
On March 20, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) published a new FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency (the “FAQ”). The OCR clarifies guidance provided in its Notification of Enforcement Discretion for telehealth remote communications during the COVID-19 nationwide public health emergency published on March 17, 2020.
The FAQ states that health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the public health emergency. The enforcement discretion of OCR, however, does not apply to health insurance companies that pay for telemedicine services. The enforcement discretion of OCR applies to telemedicine services used to diagnose or manage COVID-19 as well as those unrelated to COVID-19, such as the review of physical therapy practices, mental health counseling, or adjustment of prescriptions.
The FAQ further states that health care providers can use any non-public facing remote communication product that is available to communicate with patients. The OCR gave examples of acceptable forms of technology for telemedicine, including: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, or Skype. Such products also would include texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp or iMessage. Even with these applications, the providers should enable all available encryption and privacy modes if using the services for telemedicine.
The OCR will not allow Facebook Live, Twitch, TikTok, Slack, and similar video communication applications. If a provider were to conduct a presentation on one of these public-facing applications, the provider should not identify patients or offer individualized patient advice.
In addition to using acceptable forms of technology, providers should also only provide such services to patients from private locations. Patients should not receive telehealth services in public or semi-public settings, absent patient consent or exigent circumstances. If telehealth cannot be provided in a private setting, health care providers should take reasonable precautions, such as using lowered voices, not using speakerphone, or recommending that the patient move a reasonable distance from others during the telemedicine encounter.
OCR also clarified its statement that health care providers must render telemedicine services in good faith in order to be subject to the enforcement discretion. OCR provided examples of what would qualify as the bad faith rendering of telemedicine services, which included things such as violation of state laws or professional ethical standards that result in disciplinary action and the use of public facing communications, such as TikTok. Please contact Stephanie T. Eckerle or Meghan M. Linvill McNab with any questions