OCR announces penalty waivers for telehealth COVID-19 emergency and other treatment

On Tuesday, March 17, 2020, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) announced, effective immediately, that it will exercise its enforcement discretion and will waive potential penalties for Health Insurance Portability and Accountability Act (HIPAA) violations against any health care providers that are treating patients through remote audio or video communication technologies during the COVID-19 nationwide public health emergency.

This exercise of OCR penalty discretion permits physicians to use widely available non-publicly facing applications to assess or treat patients with suspected COVID-19 symptoms or other non-COVID-19 medical conditions such as a sprained ankle, dental consultation, psychological evaluation, or other conditions for convenience and to limit the spread of any possible infections.

Permitted Apps:
  • FaceTime
  • Skype
  • Facebook Messenger video chat
  • Google Hangouts
Apps NOT permitted: 
  • Facebook Live
  • Twitch
  • TikTok 
The penalty waiver only applies when used in good faith for any telehealth treatment or other diagnostic purpose, regardless of whether the telehealth service is directly related to COVID-19.
 
Providers should do the following:
  1. Notify patients prior to using any of these applications that there are potential privacy risks;
  2. Enable all available encryption and privacy modes when using such applications. 
The OCR Director, Roger Severino, emphasized the importance of empowering medical providers to serve patients during this public health crisis and noted that health care agencies and providers should be especially focused on those most at risk, including older persons and persons with disabilities. In support of this action, OCR will be providing further guidance explaining how covered health care providers can use remote video communication products and offer telehealth to patients responsibly.

Although penalties are relaxed under the waiver, there remains a concern that the additional forms of communication could increase the chance that protected health information is disclosed in an unauthorized manner. If that happens, covered entities and business associates are still obligated to comply with the Breach Notification Rule. Even though OCR is temporarily waiving the requirement to maintain a Business Associate Agreement (BAA) with the vendor, there may be advantages to entering into a BAA, such as establishing vendor responsibilities and having the BAA in place when the emergency period ends and a BAA may be required. 
 
The Notification of Enforcement Discretion on telehealth remote communications is found here. For more information on HIPAA and COVID-19, see OCR's February 2020 Bulletin. OCR is updating its web site as more information regarding COVID-19 becomes available.
 
Please contact the attorneys below for additional information.
+