Sustainable Telehealth: HIPAA

By Jim Tate, EMR Advocate
Twitter: @jimtate, eMail:
Host of The Tate Chronicles #TateDispatches

The national Emergency Declaration due to the COVID-19 pandemic came suddenly and without warning. Healthcare providers found it necessary to acquire, implement, and begin using telehealth technology in a matter of weeks. Workflows that typically take years to develop were thrown together without time to properly perform due diligence on telehealth products or develop processes for appropriate use.

The U.S. Department of Health and Human Services (HHS), in an effort to support telehealth use during the Emergency, announced a “relaxation of HIPAA enforcement” entitled the Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency. The HIPAA Rule itself has not been modified; only enforcement in certain areas of HIPAA has been temporarily relaxed. I have received many questions by email and during telehealth presentations related to this initiative by HHS, and now is a good time to answer those questions in a broad forum. There is widespread confusion about what the HIPAA enforcement discretion allows and, just as importantly, what it does not. Below are the questions I am asked most frequently, and the answers supplied by HHS.

Why was the Notification of Enforcement Discretion necessary?
“During the COVID-19 national emergency, which also constitutes a nationwide public health emergency, covered health care providers subject to the HIPAA Rules may seek to communicate with patients, and provide telehealth services, through remote communications technologies. Some of these technologies, and the manner in which they are used by HIPAA covered health care providers, may not fully comply with the requirements of the HIPAA Rules… OCR (Office of Civil Rights) will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

Who is affected?
“The Notification of Enforcement Discretion issued by the HHS Office for Civil Rights (OCR) applies to all health care providers that are covered by HIPAA and provide telehealth services during the emergency.”

What parts of the HIPAA Rules are included in the Notification related to COVID-19 and telehealth?
“Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.”

Which patients are covered?
“This Notification applies to all HIPAA-covered health care providers, with no limitation on the patients they serve with telehealth, including those patients that receive Medicare or Medicaid benefits, and those that do not.”

Does the Notification address specific types of telehealth technology that are considered “bad faith” and therefore not covered by Enforcement Discretion?
“Use of public-facing remote communication products, such as TikTok, Facebook Live, Twitch, or a public chat room, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication… Non-public facing remote communication products would include, for example, platforms such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Whatsapp video chat, Zoom, or Skype. Such products also would include commonly used texting applications such as Signal, Jabber, Facebook Messenger, Google Hangouts, Whatsapp, or iMessage.”

What is not covered by the Notification?
“This enforcement discretion does not extend to other requirements or prohibitions under the Privacy Rule, nor to any obligations under the HIPAA Security and Breach Notification Rules applicable to business associates and covered entities.”

When does the Notification expire?
“The Notification of Enforcement Discretion went into effect on March 17, 2020, and will remain in effect until the Secretary of HHS declares that the public health emergency no longer exists, or upon the expiration date of the declared health emergency, including any extensions, whichever occurs first.”

This article was originally published on Medivisum and is republished here with permission.