HIPAA Compliance During COVID-19 Emergency

The HHS Office for Civil Rights (OCR) has issued the HIPAA Notification of Enforcement Discretion during the COVID-19 emergency. This notice applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 nationwide public health emergency.

Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

  • Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
  • This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
  • This Notification will remain in place indefinitely.

According to the OCR, the examples below may be considered a bad faith provision of telehealth services:

  • Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy.
  • The sale of patient data or use of patient data for marketing without authorization.
  • Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth.
  • The use of unacceptable public facing forms of remote communication for telehealth such as TikTok, Facebook Live, Twitch, or a chat room like Slack.

The table below includes a list of both Acceptable and Unacceptable forms of remote communication to use for telehealth services under the HIPAA Notification of Enforcement Discretion: 

Acceptable Platforms

(Vendor will sign HIPAA agreement) *

Acceptable Platforms

(Under Notification)

Unacceptable Platforms

(Do Not Use)

Non‐Public Facing Remote Communication ProductNon‐Public Facing Remote Communication ProductPublic Facing Communication Product
Skype for Business / Microsoft Teams
Vsee
Zoom for Healthcare
Doxy.me
Google GSuite
Hangouts Meet
Cisco WebEx Meetings / WebEx Teams
Amazon Chime
GoToMeeting
Spruce Health Care Messenger
Apple FaceTime
Facebook Messenger Video Chat
Google Hangouts Video
WhatsApp Video Chat
Zoom
Skype
TikTok
Facebook Live
Twitch
Chat rooms such as Slack

* Note:

OCR has not reviewed the HIPAA agreements offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA agreement with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.

Quick Reminders:

  • OCR will not impose penalties for any noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the nationwide COVID-19 public health emergency.
  • Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
  • If any significant system or network changes have been deployed to support telehealth, please be sure to update your risk assessment accordingly.

Reference:

Department of Health and Human Services Office for Civil Rights. FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency. Retrieved April 1, 2020 from https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf

Disclaimer:

This information is provided as a tool to help you understand the latest changes in HIPAA compliance as a result of the COVID-19 emergency. TriumpHealth employees and staff have created this presentation to the best of their knowledge and ability and make no representation or guarantee that this presentation is error-free. TriumpHealth has no liability or responsibility to any person or entity with respect to any loss of revenue, or indirect damages resulting from the potential use of this information.

by Tiffany Short & Katie Legendre | TriumpHealth