OCR Issues FAQs on Relaxed HIPAA Enforcement for Telehealth

Late Friday, March 20, 2020, the Department of Health and Human Services’ (DHHS) Office for Civil Rights (OCR) issued FAQs on telehealth and HIPAA during the COVID-19 emergency. This guidance is a follow-up to DHHS’ announcement that OCR would use “enforcement discretion” for HIPAA non-compliance related to the good faith rollout of telehealth services during this pandemic.

In the FAQs, OCR defines telehealth, explains that the enforcement discretion applies to HIPAA-covered healthcare providers delivering all healthcare services via telehealth, and states that the enforcement discretion is in effect only during the COVID-19 emergency. Further, OCR emphasizes that providers should implement reasonable safeguards to limit incidental use or disclosure of health information regardless of the setting in which the telehealth services are delivered.

The final three FAQs provide the most useful information. FAQ #9 provides examples of bad faith conduct, which would not be subject to enforcement discretion. Such bad faith conduct includes criminal activity, improper use of health information transmitted during a telehealth session, violations of other laws, or the use of public-facing communication products to deliver telehealth.

FAQ #10 distinguishes between public-facing and non-public-facing communication products. It defines a “non-public facing” remote communication product as one that, by default, “allows only the intended parties to participate in the communication.” OCR identifies Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, WhatsApp video chat, and Skype as examples of such non-public-facing communication platforms. OCR also states that several commonly used texting applications, such as Signal, Jabber, Facebook Messenger, Google Hangouts, WhatsApp, and iMessage, are acceptable because they employ end-to-end encryption. All of these options require a user account with an individual login, which limits access and gives the user control over security features.

On the other hand, the use of public-facing communication products is not permissible and will be subject to enforcement. OCR identifies public-facing applications such as TikTok, Facebook Live, Twitch, or a chat room like Slack as unacceptable because they are designed to be open to the public.

FAQ #11 provides assurance that if health information is compromised while using a non-public-facing application to deliver telehealth, and the use of telehealth was in good faith, OCR will not initiate an enforcement action against the provider. OCR encourages providers to use vendors that are familiar with HIPAA and will sign a business associate agreement, but failure to do so will not result in penalties during this emergency if the provider acts in good faith.

Notably, OCR makes clear that its enforcement discretion does not apply to compliance with 42 CFR Part 2, which protects the confidentiality of substance use disorder information and applies to federally funded substance use disorder treatment programs. Such treatment programs may still rely on the enforcement discretion related to their HIPAA compliance obligations, but must be sure to comply fully with any requirements under 42 CFR Part 2.