Telehealth is not a new concept, but it has been accelerated to the forefront recently by government mandated social distancing. While all of the "stay-at-home" orders issued across the country to date have included exceptions that permit individuals to leave their homes to seek medical treatment, providers may feel an obligation to offer telehealth services to protect not only their patients, but also the provider's staff, and to support the national effort to "flatten the curve." Telehealth can be a legal and regulatory morass for a provider who has not previously offered telehealth services. Spilman's COVID-19 Task Force is prepared to guide providers through the legal and regulatory challenges, whether the provider intends to operate their telehealth practice for the duration of the national public health emergency or for longer. This client alert focuses on just one area of regulatory concern – the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
On March 17, 2020, the United States Department of Health and Human Services’ Office for Civil Rights (“OCR”) announced that, effective immediately, it will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements of HIPAA against covered health care providers in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. A copy of the Notification of Enforcement Discretion on telehealth remote communications may be found here
. According to Roger Severino, OCR Director, the OCR is "empowering medical providers to serve patients wherever they are during this national public health emergency" and it is "especially concerned about reaching those most at risk, including older persons and persons with disabilities."
Notably, the OCR's enforcement discretion is not limited to telehealth treatment of COVID-19 related cases, but all telehealth services generally. Additionally, the Notice of Enforcement Discretion covers penalties for purported violations of the HIPAA privacy rules, security rules, and breach notification rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency. The Notification of Enforcement Discretion has no expiration date. The OCR will issue a notice to the public when it is no longer exercising its enforcement discretion.
While the OCR is exercising its enforcement discretion, a covered health care provider who wants to use audio or video communication technology to provide telehealth to patients can use any non-public facing remote communication product that is available to communicate with patients. This means a covered health care provider may use popular applications that allow for video chats, such as Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA rules. Providers should notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes while using such applications. Providers may not use any public facing platforms such as Facebook Live, Twitch, or TicTok.
Telehealth sessions should always be conducted in private settings. Providers should conduct the sessions from a clinic or office. Patients should receive telehealth services at home or in another clinic. If the patient is not located in a private setting when they receive the telehealth services, providers should obtain the patient's consent to proceed, absent exigent circumstances, and should implement reasonable safeguards to limit incidental uses or disclosures of protected health information, such as using lowered voices and recommending the patient move to a reasonable distance from others and not use speaker phone.
The Notification of Enforcement Discretion is not a carte blanche waiver of penalties in all circumstances. Providers must provide the services in good faith. OCR has identified the following examples of bad faith provision of telehealth services not covered by the Notice:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy;
- Further uses or disclosures of patient data transmitted during a telehealth communication that are prohibited by the HIPAA Privacy Rule (e.g., sale of the data, or use of the data for marketing without authorization);
- Violations of state licensing laws or professional ethics standards that result in disciplinary actions related to the treatment offered or provided via telehealth (e.g., based on documented findings of a health care licensing or professional ethics board); or
- Use of public-facing remote communication products such as TicTok, Facebook Live, Twitch, or a chat room like Slack, which OCR has identified in the Notification as unacceptable forms of remote communication for telehealth because they are designed to be open to the public or allow wide or indiscriminate access to the communication.
Providers that seek additional privacy protections for telehealth while using video communications products or who are looking to invest in telemedicine for the long term should look for a technology vendor that is HIPAA compliant and will sign a HIPAA business associate agreement in connection with the provision of video communication services. The OCR's Notice of Enforcement Discretion identifies (but does not endorse) 10 vendors that represent they are HIPAA-compliant and will sign a HIPAA business associate agreement. While the Notice of Enforcement Discretion remains in effect, OCR will not impose penalties against covered health care providers for the lack of a business associate agreement with video communication vendors or any other non-compliance with the HIPAA rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. Absent the enforcement discretion, though, a business associate agreement would be required for all telehealth vendors.
Of course, the Notification of Enforcement Discretion does not affect the application of the HIPAA rules to other areas of health care outside of telehealth during the emergency, and full compliance with the HIPAA rules must resume immediately when the OCR announces it will suspend the Notice of Enforcement Discretion.
Spilman's COVID-19 Task Force and the Health Care Practice Group stand ready to assist with your legal concerns as you enter the world of telehealth, whether your questions relate to HIPAA compliance, licensure, physician-patient relationships, informed consent, continuity of care, medical records, or limitations on prescribing in the telehealth context. Please contact us
with any questions you may have about starting your own telehealth practice.