OCR announces penalty waivers for telehealth COVID-19 emergency and other treatment
On Tuesday, March 17, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced, effective immediately, that it will exercise its enforcement discretion and will waive potential penalties for Health Insurance Portability and Accountability Act (HIPAA) violations against any health care providers that are treating patients through remote audio or video communication technologies during the COVID-19 nationwide public health emergency.
This exercise of OCR penalty discretion permits physicians to use widely available non-publicly facing applications to assess or treat patients with suspected COVID-19 symptoms or other non-COVID-19 medical conditions such as a sprained ankle, dental consultation, psychological evaluation, or other conditions for convenience and to limit the spread of any possible infections.
- Facebook Messenger video chat
- Google Hangouts
- Facebook Live
- Notify patients prior to using any of these applications that there are potential privacy risks;
- Enable all available encryption and privacy modes when using such applications.
Although penalties are relaxed under the waiver, there remains a concern that the additional forms of communication could increase the chance that protected health information is disclosed in an unauthorized manner. If that happens, covered entities and business associates are still obligated to comply with the Breach Notification Rule. Even though OCR is temporarily waiving the requirement to maintain a Business Associate Agreement (BAA) with the vendor, there may be advantages to entering into a BAA, such as establishing vendor responsibilities and having the BAA in place when the emergency period ends and a BAA may be required.