The Department of Health and Human Services, Office of Civil Rights (OCR) recently released guidance and helpful examples illustrating how Covered Entities can comply with HIPAA and the Privacy Rule and still disclose protected health information (PHI) about individuals infected with or exposed to COVID-19 to Essential Providers. Read the full post on our Healthcare
On March 17, 2019, the Department of Health and Human Services, Office of Civil Rights (OCR) announced that it will exercise its enforcement discretion and waive potential penalties for HIPAA violations against healthcare providers that see patients through non-public communication applications during the COVID-19 nationwide public health emergency.
Background on Security Requirements for Telemedicine providers
Under what is commonly referred to as the HIPAA “Security Rule,” CMS requires organizations to have certain safeguards in place to protect patients’ health information. These safeguards require organizations to comply with certain minimum technical and organizational requirements. Part of the technical requirements is that organizations must have security measures in place “to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.” This requires providers to utilize telehealth platforms that have, at a minimum, certain encryption and integrity controls in place. Furthermore, as an organizational safeguard, the Security Rule requires that telehealth providers enter into Business Associate Agreements with these platforms to ensure the platform will comply with HIPAA and protect patients’ health information.