HHS Office of Civil Rights Enforcement Discretion related to HIPAA
March 17, 2020
In light of the COVID-19 nationwide public health emergency, the HHS Office for Civil Rights (OCR) is exercising its enforcement discretion and, effective immediately, will not impose penalties on physicians using telehealth in the event of noncompliance with the regulatory requirements under the Health Insurance Portability and Accountability Act (HIPAA).
Physicians may seek to communicate with patients and provide telehealth services through remote communications technologies. Some of these technologies, and their use, may not fully comply with the requirements of the HIPAA Rules.
However, today’s announcement means that physicians who want to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing service that is available to communicate with patients. This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
For example, a physician using their professional judgement may request to examine a patient exhibiting COVID-19 symptoms, using a video chat application connecting the physician’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. Likewise, a physician may provide similar telehealth services in the exercise of their professional judgment to assess or treat any other medical condition, even if not related to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions.
Under this Notice, physicians may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules. Physicians should not use Facebook Live, Twitch, TikTok or other public facing communication services. Physicians are encouraged, but not required, to notify patients of the potential security risks of using these services and to seek additional privacy protections by entering into HIPAA business associate agreements (BAA). HHS also noted that while it hasn’t confirmed such statements, Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, and Google G Suite Hangouts have said that their products will help physicians comply with HIPAA and that they will enter into a HIPAA BAA.
Additional information can be found at this notice from Department of Health and Human Services (HHS).
Director, Federation Relations
330 N Wabash
Chicago, IL 60611-5885