By Joseph J. Lazzarotti, Principal
The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) wants to make it easier for individuals to reach a health care provider, including those most at risk (older persons and persons with disabilities). Effective immediately, during the COVID-19 nationwide public health emergency, OCR announced it will not enforce noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good-faith provision of telehealth.
In short, covered health care providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies, some of which may not fully comply with the requirements of the HIPAA Rules, without the threat of enforcement.
A couple of key points about this announcement:
- Covered health care providers that want to use audio or video communication technology to provide telehealth in good-faith to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.
- The announcement applies to telehealth provided for any reason, not just services related to the diagnosis and treatment of health conditions related to COVID-19.
In the exercise of their professional judgement, for example, a covered health care provider may request to examine a patient exhibiting COVID-19 symptoms using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. The provider may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth.
However, OCR advises providers to take some precautions:
- Notify patients that these third-party applications potentially introduce privacy risks.
- Enable all available encryption and privacy modes when using such applications.
- Public facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar should not be used in the provision of telehealth.
- Where applicable, use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. OCR listed some vendors that represent that they provide HIPAA-compliant video communication and that will enter into a HIPAA BAA (Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet), but has not endorsed any of these or their BAAs.
The OCR’s guidance extends to BAAs in this context. It will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors relating to the good-faith provision of telehealth services during the COVID-19 nationwide public health emergency.
This is welcomed news and should help facilitate the availability of care, particularly to those most at risk.
For additional guidance on this topic, please confer with your legal counsel.
LawTalk is a monthly feature from HCA’s counsel at Jackson Lewis. Please note that LawTalk articles are for general, informational purposes, are not legal “advice,” and do not create an attorney-client relationship. Because each case is unique, the information provided should be considered to be general in nature, and should never be considered a substitution for legal counsel. Readers should not take, or refrain from taking, any action based on information in this article without first seeking legal advice from competent counsel.