On March 17, 2019, the Department of Health and Human Services, Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and waive potential penalties for HIPAA violations against healthcare providers that see patients through non-public communication applications during the COVID-19 nationwide public health emergency.
Background on Security Requirements for Telemedicine providers
Under what is commonly referred to as the HIPAA “Security Rule,” CMS requires organizations to have certain safeguards in place to protect patients’ health information. These safeguards require organizations to comply with certain minimum technical and organizational requirements. Part of the technical requirements is that organizations must have security measures in place “to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This requires providers to utilize telehealth platforms that have, at a minimum, certain encryption and integrity controls in place. Furthermore, as an organizational safeguard, the Security Rule requires that telehealth providers enter into Business Associate Agreements with these platforms to ensure the platform will comply with HIPAA and protect patients’ health information.
OCR noted that during the COVID-19 national emergency, covered health care providers subject to HIPAA can communicate with patients, and provide telehealth services, through remote communications technologies, which may not necessarily comply with the HIPAA Security Rule discussed above. A covered health care provider that wishes to use audio or video communication technology to provide telehealth to patients during the COVID-19 national emergency can use any “non-public facing remote communication product” that is widely available to communicate with patients. These products include, for example, FaceTime, Skype, and Facebook Messenger video chat. Products not included in this waiver are “public facing” applications such as Facebook Live, Twitch, TikTok and other similar applications that are public.
OCR further stated that these remote communication technologies could be used to examine not only patients exhibiting potential COVID-19 symptoms, but also to examine patients for other healthcare conditions. For example, healthcare providers may use these platforms to assess medical conditions unrelated to COVID-19, such as a sprained ankle, dental consultation or psychological evaluation, or other conditions. OCR did note, however, that healthcare providers “are encouraged” to notify patients that these applications potentially introduce privacy risks. Providers should also enable all available encryption and privacy modes when using such applications.
To the extent that providers wish to use HIPAA-compliant application vendors, such as Zoom for Healthcare, Skype for Business, and Updox, OCR will not impose penalties for a lack of Business Associate Agreement between the provider and vendor. Note that under normal circumstances, the healthcare provider and the vendor would have entered into a Business Associate Agreement before using the platform. However, to address the national emergency, OCR has stated that it will not impose penalties if a provider wanted to use these vendors immediately without a Business Associate Agreement in place.
For more information about how COVID-19-related issues are impacting healthcare providers and healthcare law generally, please check out Husch Blackwell’s Healthcare Law Insights blog.