OCR Issues FAQs on Relaxed HIPAA Enforcement for Telehealth

Late Friday, the Office for Civil Rights (OCR) issued FAQs on telehealth and HIPAA as a follow up to DHHS’ announcement that OCR would use “enforcement discretion” for HIPAA non-compliance related to the good faith roll out of telehealth services during the COVID-19 emergency. The FAQs provide useful information about the types of applications that can be used for telehealth as well as examples of bad faith conduct.

Businesses Seeking Delay of CCPA Enforcement

Earlier this week, more than 30 businesses sent a letter to California’s Attorney General requesting a temporary deferral in enforcement of the California Consumer Privacy Act (CCPA) until January 1, 2021 due to the COVID-19 pandemic and the lack of final regulations. CCPA enforcement is set to begin on July 1, 2020. But regulations directing the implementation of the CCPA remain incomplete and continue to change substantively. The regulations are not likely to be finalized for several weeks, which, under normal conditions, would leave businesses scrambling to comply before the enforcement deadline. But there is nothing normal about current conditions.

CT Expands Telehealth via Telephone to Other Providers and Addresses HIPAA Compliance

By executive order late yesterday, Governor Ned Lamont expanded permission to offer “audio-only” telehealth services to commercial insurer’s in-network providers furnishing covered telehealth services. Two days ago, the Governor granted this permission to Medicaid providers serving Medicaid beneficiaries. The Executive Order also addresses licensure and location requirements and conditions for other providers wishing to offer telehealth services. Additionally, the order assures providers that compliance with federal agency guidance on HIPAA is adequate to meet state law.

CT DSS Announces that Medicaid will Cover Telehealth Services Delivered Via Telephone

Just one week ago, Medicaid in Connecticut did not cover telehealth services. Then, DSS issued Provider Bulletins 2020-09 and 2020-10 providing for emergency temporary telehealth coverage in response to the Covid-19 pandemic. Today, the Connecticut Department of Social Services (DSS) issued Provider Bulletin 2020-14, which further expands Medicaid reimbursement to include telehealth delivered via telephone.

DHHS Waives Certain Compliance Requirements for Providers

DHHS announced waivers of various compliance requirements for providers to ease administrative and operational burdens during this pandemic. I think the theme here is that providers just need to do the best that they can during these challenging times. Those that prioritize patient care, act reasonably and in good faith and do not commit fraud or abuse will be spared from enforcement actions.

Final Rules on Interoperability and Information Blocking Released

Yesterday, the Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator of Health Information Technology (ONC) released their long-awaited final rules on interoperability and information blocking.

First HIPAA Enforcement Action of 2020: Provider Size Does Not Matter but the Content of Its Breach Report Does

Lessons from the first enforcement action of 2020: (1) No covered entity is immune from HIPAA enforcement. (2) Craft factual breach reports that leave no unanswered questions and do not unnecessarily grab OCR’s attention.

Variations on Ransomware Tormenting Law Firms and Women

A relatively new kind of ransomware is targeting law firms and publicly shaming them into paying the ransom or risk having the firm’s data dumped on the internet. In other ransomware news, instead of money, some hackers are demanding photos of women’s body parts.