After the HHS’ Office for Civil Rights announcement that HIPAA compliance enforcement has been relaxed in relation to the good faith provision of telehealth services all through the COVID-19 national public health emergency, OCR released guidance on telehealth and remote communications.
The HHS’ Health Resources and Services Administration (HRSA) defined telehealth as the usage of electronic data and telecommunications technologies for promoting long-distance clinical healthcare, patient and health-related learning, and public health administration. These services may be given by using text, video or audio through secure text messaging programs, over the web, making use of video conferencing programs, or using landlines and wireless communications networks.
All services which a covered healthcare provider, in their expert judgment, thinks may be offered via telehealth in the given conditions of the present emergency are covered by the Notification of Enforcement Discretion. The remote diagnosis and treatment of patients are covered. The Notification of Enforcement Discretion is only applicable to penalties for HIPAA Security, Privacy, and Breach Notification Rules violations that happen in the good faith provision of telehealth throughout the COVID-19 national public health emergency.
OCR affirmed that its Notification of Enforcement Discretion is only applicable to HIPAA-covered healthcare providers and not other HIPAA-covered entities not involved in providing health care.
OCR clarifies that throughout the public health emergency, telehealth services may be given to all patients, not just those Medicare and Medicaid beneficiaries. Telehealth services may be given to patients irrespective of their health compliance, not just those having COVID-19 symptoms.
There is no expiration date yet for the Notification of Enforcement Discretion. This is a flexible situation and a long-term public health emergency is probable. OCR is going to give a public notice if the enforcement discretion does not apply anymore, and that decision is going to depend on current situations and information.
OCR explains in the guidance that telehealth services may be made available from healthcare facilities, such as offices, clinics, and from the home. To safeguard patient privacy, it is necessary to provide the services in a private environment where no one can listen in on conversations. Public places and semi-public locations must be avoided, except if the patients give their consent or in urgent situations. In all instances, security ought to be enforced to avoid circumstantial uses and disclosures of the PHI of patients.
OCR has additionally clarified the telehealth services’ good faith and bad faith provisions. The Notification of Enforcement Discretion is just applicable to good faith provision of telehealth services.
The following are included in the bad faith provision of telehealth services:
- Using PHI for criminal reasons or promotion of a criminal act
- Using PHI transmitted during a telehealth communication for reasons not allowed by the HIPAA Privacy Rule for example selling of PHI; usage of PHI for advertising reasons without first getting authorization
- State licensing laws violations
- Violations of professional ethical requirements that would bring about disciplinary action
- Using public-facing communications programs
- Public and Non-public Facing Communications Programs
The Notification of Enforcement Discretion is just applicable to using non-public facing communications programs. These consist of HIPAA-compliant communications programs, Facebook Messenger video, Apple FaceTime, WhatsApp, Google Hangouts video, Skype, and texting facilities in those programs. These non-public facing programs usually employ end-to-end encryption, which makes sure there is no interception of PHI in transit. These programs have access controls and provide users with command over specific elements of communications, like recording and muting discussions.
The Notification of Enforcement Discretion does not cover public-facing communications programs and these SHOULD NOT be utilized. These communications platforms were made to permit extensive or indiscriminate access and can be accessed by the public. Public-facing programs include Facebook Live, TikTok and Twitch, in addition to chatroom platforms like Slack.
The OCR guidance on telehealth and HIPAA throughout the COVID-19 national public health emergency can be downloaded from this link.