March 18, 2020
Amidst the current national public health emergency for COVID-19, or the Novel Coronavirus, the OCR has released a bulletin regarding the increased use of telehealth services among the medical community. In addition to the bulletin, during a press conference held yesterday, the OCR acknowledged the need for healthcare providers to seek remote communications with their patients and said it understands that these technologies may not be fully compliant with standard HIPAA regulations.
“We are empowering medical providers to serve patients wherever they are during this national public health emergency,” OCR Director Roger Severino emphasized in a statement. “We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”
Under this update, any healthcare provider can use any non-public-facing remote communication technology to provide telehealth services. This enforcement discretion applies to telehealth services needed for any reason, not strictly for the diagnosis or treatment of COVID-19-related health conditions. During this time, the OCR will not impose penalties on healthcare providers for noncompliance in connection with the good faith provision of telehealth during this national emergency.
This provision also allows healthcare providers to use their own judgment in requesting to examine a patient showing potential COVID-19 symptoms using technology such as video chat applications. This allows providers to assess a larger number of patients and limits the risk of exposure to the virus during an in-person consultation. Telehealth services can be provided on any non-public-facing communication application without facing noncompliance penalties. Some acceptable applications include:
- Apple FaceTime
- Google Hangouts
- Skype
Other video communication methods, such as Facebook Live, are considered public-facing and should not be used in the provision of telehealth. Health providers can seek additional privacy protections by providing telehealth services through technology vendors that are HIPAA compliant. They can enter into business associate agreements with these vendors covering the use of their video communication products. Some of the vendors that offer HIPAA-compliant video communication services include:
- Updox
- Zoom for Healthcare
- Skype for Business
- Google G Suite Hangouts Meet
While there will not be any enforcement of HIPAA noncompliance against providers choosing to use these methods of communication, it is still important to understand the associated security risks. The OCR recommends that providers notify patients when using these third-party applications for these services, as they potentially introduce privacy risks, and that any available encryption and privacy settings be enabled during use. If, as a provider, you already have a HIPAA-compliant and secure telehealth application, it is still recommended to use the most secure application available to you.
Even during a public health crisis, HIPAA law still applies and includes specific caveats for sharing PHI in such an emergency. Read our blog article on Handling HIPAA During Public Health Emergencies for more information.