FAQs on Telemedicine and HIPAA During the Public Health Emergency

29 March 2021 Health Care Law Today Blog
Author(s): Nathaniel M. Lacktman, Aaron T. Maguregui

Throughout the COVID-19 pandemic, federal agencies have sought to allow health care companies more flexibility to use popular technology and applications to better engage with their patients. One example is the Department of Health and Human Services’ Office of Civil Rights (OCR), which issued a notice that it will allow health care providers to use widely available communications software without fear of violating HIPAA, even if the software does not meet the HIPAA privacy and security requirements. This enforcement discretion allows a covered entity to deliver care via “non-public facing” audio or video communication technology.

OCR has provided a set of Frequently Asked Questions on Telemedicine and HIPAA Waivers, offering helpful guidance and clarification. For example:

11. If a covered health care provider uses telehealth services during the COVID-19 outbreak and electronic protected health information is intercepted during transmission, will OCR impose a penalty on the provider for violating the HIPAA Security Rule?

No. OCR will exercise its enforcement discretion and will not pursue otherwise applicable penalties for breaches that result from the good faith provision of telehealth services during the COVID-19 nationwide public health emergency. OCR would consider all facts and circumstances when determining what constitutes a good faith provision of telehealth services. For example, if a provider follows the terms of the Notification and any applicable OCR guidance (such as this and other FAQs on COVID-19 and HIPAA), it will not face HIPAA penalties if it experiences a hack that exposes protected health information from a telehealth session.

OCR believes that many current and commonly available remote electronic communication products include security features to protect ePHI transmitted between health care providers and patients. In addition, video communication vendors familiar with the requirements of the Security Rule often include stronger security capabilities to prevent data interception and provide assurances they will protect ePHI by signing a HIPAA business associate agreement (BAA). Providers seeking to use video communication products are encouraged to use such vendors, but will not be penalized for using less secure products in their effort to provide the most timely and accessible care possible to patients during the Public Health Emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications. OCR does not endorse the use of or the security capabilities of any particular communications product.

This means companies may use popular applications (e.g., Apple FaceTime, Facebook Messenger, Google Hangouts, Zoom, Skype) that allow for video chats but which might not fully comply with HIPAA requirements. The term “non-public facing” means the application, by default, only allows the intended parties to participate in the communication. In contrast, “public-facing” products (e.g., TikTok, Facebook Live, Twitch) or public video chat rooms would not be acceptable forms of communication for telemedicine services.

This Notice of Enforcement Discretion will remain in effect until the Public Health Emergency expires. Even with the current relaxation of enforcement by OCR, it is widely accepted that the best practice in telemedicine is to use a software communications platform that meets the HIPAA privacy and security requirements. Companies currently using non-HIPAA communications software during the Public Health Emergency should develop plans to migrate to a compliant solution before the waivers expire.

