Telemedicine: The Impact Of COVID-19 on HIPAA Regulations

April 6, 2020

While the COVID-19 virus continues to force us all to stay at least 6 feet apart, telemedicine is helping to bring patients and health care providers together. The practice of using technology to deliver medical care and treatment is already a growing industry and is now more necessary than ever during the current nationwide public health emergency. Fortunately, recent guidance from the federal government has made it easier for health care providers to utilize technology to continue to treat patients safely, efficiently, and at a distance.

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) is responsible for enforcing certain privacy and security regulations governed by HIPAA, which are meant to protect a patient’s confidential health information. Recognizing that the current public health emergency demands that patients avoid travel, when possible, to their physicians’ offices, clinics, hospitals, or other health care facilities, OCR has announced it will exercise “enforcement discretion” when it comes to HIPAA violations related to telemedicine. More specifically, under the Notification of Enforcement Discretion, OCR “will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

This means health care providers who want to treat patients using audio or video communication technologies during the COVID-19 emergency can do so, and in doing so, will not be subject to penalties for violations of the HIPAA rules. Under this federal guidance, providers can utilize any non-public-facing communication product available without worry that the technology may not fully comply with the requirements of the HIPAA rules. This includes popular applications such as Apple FaceTime, Facebook Messenger, and Skype, which are ordinarily not considered to be HIPAA-compliant but typically employ end-to-end encryption. “Public-facing” technologies, such as Facebook Live, however, remain unacceptable forms of communication for telemedicine during the emergency because they are designed to be open and accessible by the public.

Because privacy and security are important even in times of national emergency, health care providers are still urged to take appropriate measures to ensure confidentiality, including enabling all available encryption and privacy modes when using tech applications. It is also prudent, where possible, to utilize vendors that represent that they provide HIPAA-compliant products, such as Updox, Zoom for Healthcare, or Skype for Business. Additionally, providers are encouraged to advise patients that any third-party applications may potentially introduce privacy risks.

This Notification of Enforcement Discretion does not affect the application of the HIPAA rules to other areas of health care outside of telemedicine during the emergency, so health care providers should continue to observe HIPAA regulations in all other areas of their practice.

There is no expiration date for this Notification, but OCR will issue a second notice to the public when it will no longer exercise discretion for HIPAA violations related to telemedicine. Until then, OCR’s exercise of discretion applies to telemedicine provided for any reason, regardless of whether the telemedicine service is related to the diagnosis and treatment of health conditions related to COVID-19. This will enable all patients to access timely and convenient medical care without the risk of contracting or spreading the virus, thereby helping our community fight the spread together while still staying at least 6 feet apart.

This information is general in nature and should not be construed as tax or legal advice.