Late Friday, the Office for Civil Rights (OCR) issued FAQs on telehealth and HIPAA as a follow up to DHHS’ announcement that OCR would use “enforcement discretion” for HIPAA non-compliance related to the good faith roll out of telehealth services during the COVID-19 emergency. The FAQs provide useful information about the types of applications that can be used for telehealth as well as examples of bad faith conduct.
Category Archives: HIPAA
By executive order late yesterday, Governor Ned Lamont expanded permission to offer “audio-only” telehealth services to commercial insurer’s in-network providers furnishing covered telehealth services. Two days ago, the Governor granted this permission to Medicaid providers serving Medicaid beneficiaries. The Executive Order also addresses licensure and location requirements and conditions for other providers wishing to offer telehealth services. Additionally, the order assures providers that compliance with federal agency guidance on HIPAA is adequate to meet state law.
Just one week ago, Medicaid in Connecticut did not cover telehealth services. Then, DSS issued Provider Bulletins 2020-09 and 2020-10 providing for emergency temporary telehealth coverage in response to the Covid-19 pandemic. Today, the Connecticut Department of Social Services (DSS) issued Provider Bulletin 2020-14, which further expands Medicaid reimbursement to include telehealth delivered via telephone.
Today, the Department of Health and Human Services announced that its Office for Civil Rights, which enforces HIPAA, will not enforce requirements that are a barrier to making telehealth services available.
DHHS announced waivers of various compliance requirements for providers to ease administrative and operational burdens during this pandemic. I think the theme here is that providers just need to do the best that they can during these challenging times. Those that prioritize patient care, act reasonably and in good faith and do not commit fraud or abuse will be spared from enforcement actions.
Lessons from the first enforcement action of 2020: (1) No covered entity is immune from HIPAA enforcement. (2) Craft factual breach reports that leave no unanswered questions and do not unnecessarily grab OCR’s attention.
Just over a week ago, a federal district court invalidated part of HHS’s 2016 guidance on the fees a covered entity can charge for patient records. The court found that HHS exceeded its authority when it declared that only a limited fee could be charged for records sent to a third party at a patient’s direction.
It appears that the 2019 HIPAA enforcement year is over with a lot less fanfare (and cash) than last year but it did provide important insights into enforcement trends. *Distributed by Law360 on January 22, 2020 and included in its Health Law and Cybersecurity and Privacy Law. newsletters.
It appears that the 2019 HIPAA enforcement year is over with a lot less fanfare (and cash) than last year. The total in settlements and penalties for 2019 is $12.2 million, which is substantially less than OCR’s highest ever total of $28.7 million just one year ago.
Earlier this year, the Department of Health and Human Services’ Office for Civil Rights (OCR) announced a Right of Access Enforcement Initiative, which would focus on ensuring that patients were getting timely access to their records without being overcharged. Prior to this announcement, enforcement actions against providers for denying a patient the proper right of access were rare. Since announcing the initiative, OCR has swiftly pursued claims resulting in two settlements within months of each other.