Until recently, telehealth has been slowly growing in healthcare, and with COVID-19 more and more providers are switching to it to see patients. Given the state of emergency and the rapid switch, the Office of Civil Rights has released a Notification of Enforcement Discretion for telehealth usage during the crisis.
What Is Telehealth?
Telehealth is the use of electronic information and telecommunications to support health care, health care related education, and health administration. Telehealth includes:
- Phone calls
- Text messaging
What is the Notification of Enforcement Discretion?
During the COVID-19 crisis, covered healthcare providers will not be penalized for violations of HIPAA that occur in a “good faith provision of telehealth.” This only applies to telehealth – specifically non-public facing communications – and does not apply to any HIPAA violations that may occur outside of the performance of telehealth services. It also does not apply to 42 CFR Part 2 – the Substance Abuse and Mental Health Services Administration (SAMHSA) has their own guidelines here.
Good Faith Telehealth
- Provider and patient are in private settings (home, office, clinic).
- If a private setting cannot be attained:
- Patient consent is required.
- Reasonable HIPAA safeguards should be in place – no speakerphone, hushed voices, move as much as possible from other people, conceal the screen as much as possible.
- Non-public facing communications are used, which use end-to-end encryption:
- Facebook Messenger
- Google Hangouts
Bad Faith Telehealth
- Criminal acts such as fraud, identity theft, invasion of privacy
- Use or disclosure of patient data – sale of data, use of it for marketing without authorization
- Violations of state licensing laws or professional ethical standards
- Use of public-facing remote communications, which are available for anyone to see:
- Facebook or Instagram Live
- Public chat rooms
The Federation of State Medical Boards is tracking state medical licensure waivers for practicing telehealth across state lines here. Right now, 44 states have waivers.
If a breach occurs, OCR will use its enforcement discretion and look at all the facts and context to determine if a provider was acting in good faith or not. They encourage providers to set up BAAs with communications vendors and use vendors who are HIPAA compliant, but won’t be penalized for using a less secure (non-public facing) service in an effort to get up and running and serving patients as quickly as possible.
Basically, if you are on a Zoom call with a patient that somehow gets hacked, you won’t be subject to penalties. However, if you’re using a public chat room to talk to patients about their healthcare needs, you can be penalized. If you’re a healthcare worker using TikTok to share information on health issues, you’re fine… but don’t share anything that contains PHI or specific patient advice.
If you’re a healthcare provider, or a company that is assisting in telehealth for a healthcare provider, be sure that your policies are up to date and include telehealth guidelines. Additionally, employees should be informed as to the guidelines, allowances, and limitations of the Notification on their telehealth work.
The Notification currently does not have an expiration date. As of now, it appears OCR will issue a notice to the public when they consider the Notification no longer valid.