Responding to OCR’s Notice of Enforcement Discretion for Telehealth Remote Communications

By Wes Morris, Managing Principal Consultant, and Dawn Morgenstern, Senior Principal Consultant

The Office for Civil Rights (OCR) has issued a Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Public Health Emergency. The purpose is to advise that OCR will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered entity healthcare providers who, in good faith, use remote communications technologies that may not fully comply with the requirements of the HIPAA Rules.

The enforcement discretion is being applied during this emergency to ensure that health care providers can exercise their professional judgement to examine or assess a greater number of patients while limiting the risk of infection created by in-person consultations.

The text of the notice may be found here. Contained within it is a Frequently Asked Questions section that we encourage you to read before engaging in telehealth remote communications.

Under this notice covered health care providers may use popular applications that allow for non-public facing video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Non-public facing remote communications are products that, by default, allow only the intended parties to participate in the communication.

Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.

Applications such as Facebook Live, TikTok and Twitch are not acceptable platforms, since these are public facing video communications applications, and would not meet the intent of good faith provision of services.

We emphasize that this notice of enforcement discretion specifically pertains to health care providers that are covered by HIPAA and provide telehealth services during the emergency. It excludes health insurance companies that pay for telehealth services, since the health insurance company would not be engaged in the provision of health care. The notice also does not apply to violations of 42 CFR, Part 2 – the regulations covering Confidentiality of Substance Use Disorder patient records. Similar guidance has been released by the Substance Abuse and Mental Health Services Administration (SAMHSA).

As we have advised in previous postings, this notice applies only for the duration of the emergency, does not supersede state laws or other regulations requiring higher levels of protection, and should not be taken as an opportunity to stop considering privacy and security protections. In the course of normal business, OCR would expect that covered entities engage in establishing Business Associate Agreements (BAAs) with telecommunications providers, as well as using technologies and vendors that have been vetted for compliance. We encourage providers to remain as closely aligned to the HIPAA Rules as possible in order to minimize the amount of change required when normal operations resume.

For providers seeking a more permanent and compliant solution, OCR provides a listing of vendors that will enter into BAAs and that represent that they provide HIPAA-compliant video communications products. The list is intended for providers that seek additional privacy protections for telehealth; OCR has not reviewed the BAAs, nor does it endorse a specific technology or product.

We also encourage leaders to communicate with their workforce to train and reinforce the importance of maintaining organizational standards of excellence even during a public health emergency, especially in the face of unprecedented transitioning to telework and telehealth environments.

OCR has provided an index of topics related to COVID-19 and responsibilities for professionals at this link: https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html. Covered entities and business associates that can do so should bookmark the link and check it regularly.

Clearwater remains committed to providing up-to-date information and guidance on COVID-19 concerns, and we have created a dedicated COVID-19 page on our website to provide healthcare organizations with insight and resources specific to the crisis.
