OCR to Turn a Blind Eye to HIPAA Non-Compliance for Telehealth

Today, the Department of Health and Human Services (DHHS) announced that its Office for Civil Rights (OCR), which enforces HIPAA, will not enforce requirements that are a barrier to making telehealth services available.  According to DHHS, OCR will exercise “enforcement discretion and will not impose penalties for noncompliance” with certain HIPAA requirements “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”  Importantly, the use of telehealth need not be directly related to COVID-19 treatment since access to care unrelated to the virus is a major concern. 

DHHS is permitting the use of “any non-public facing remote communication product that is available to communicate with patients.”  This includes applications such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype.  DHHS was clear that public-facing applications such as Facebook Live, Twitch and TikTok cannot be used for telehealth, because such applications pose too great a risk to privacy.

Prior to DHHS’ announcement, business associate agreement requirements and the HIPAA Security Rule were major hurdles to using readily available, free or low-cost communication services for telehealth.  Providers ordinarily need a signed business associate agreement with any vendor that has access to protected health information, such as a video communication company, but most free or low-cost services like FaceTime and Skype will not enter into such agreements.  DHHS made clear that OCR will not impose penalties against providers for lack of a business associate agreement with such vendors.

In addition, under normal circumstances the HIPAA Security Rule would prohibit the use of many free or low-cost video communication applications because most do not provide adequate security measures.  If providers use one of these applications, DHHS encourages them to inform patients of the increased privacy risks and directs them to enable any encryption or privacy modes the application offers.

DHHS’ pledge to turn a blind eye to telehealth-related HIPAA non-compliance will not last forever: DHHS will direct OCR to return to normal enforcement when it determines that the emergency no longer exists.  Providers that can do so may therefore benefit from setting up a HIPAA-compliant telehealth program at the outset.

Notably, today’s enforcement discretion notice from DHHS comes at the same time as guidance from CMS on relaxed rules around the provision of telehealth services under Medicare.  In addition, states like Connecticut also recently announced that Medicaid reimbursement is available for telehealth services.  Many private insurers are following suit. 

Finally, if you are considering implementing a telehealth program, do not overlook the consent, licensing and other requirements that may exist under state law relating to telehealth.