OCR Issues HIPAA Telehealth FAQs

On March 20, 2020, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) issued guidance in the form of FAQs in follow up to its Notification of Enforcement Discretion for good faith provision of telehealth during the COVID-19 nationwide public health emergency (for further details on the Notification, see our previous Client Alert here).

The press release and FAQs are available here. Providers should review the FAQs and other recent guidance carefully, especially as they work to implement new telehealth solutions during the COVID-19 pandemic. Providers should also remember that these FAQs are limited to the applicability of HIPAA to telehealth services. Other laws come in to play and should be considered as well, such as Medicare, Medicaid, and state licensure law.

A few key excerpts from the OCR FAQs include:

1. No penalties for HIPAA violations from good-faith telehealth services. Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
2. All patients are eligible for telehealth. This Notification applies to all HIPAA-covered health care providers, with no limitation on the patients they serve with telehealth, including those patients that receive Medicare or Medicaid benefits, and those that do not.
3. All services appropriate for telehealth are eligible. All services that a covered health care provider, in their professional judgement, believes can be provided through telehealth in the given circumstances of the current emergency are covered by this Notification. This includes diagnosis or treatment of COVID-19 related conditions, such as taking a patient’s temperature or other vitals remotely, and diagnosis or treatment of non-COVID-19 related conditions, such as review of physical therapy practices, mental health counseling, or adjustment of prescriptions, among many others.
4. “Bad Faith” includes violation of state law and use of public-facing services. Among the examples given of what would constitute “bad faith” conduct, OCR included:
   • Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth (i.e., based on documented findings of a health care licensing or professional ethics board).
   • Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
5. Providers are “encouraged” to use secure apps and alert patients to unsecure connections. OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
6. No end-date yet announced. The Notification of Enforcement Discretion does not have an expiration date. OCR will issue a notice to the public when it is no longer exercising its enforcement discretion based upon the latest facts and circumstances.

Federal agencies and states are issuing waivers and other guidance rapidly; providers should consult qualified counsel if they are unsure whether or how a particular law or waiver applies during the COVID-19 emergency.

For more information, contact Madison M. Pool.