
Health Care in the Time of COVID-19: OCR Publishes Telehealth FAQs for HIPAA-Covered Health Care Providers

On March 20, the U.S. Department of Health and Human Services Office for Civil Rights (OCR), which enforces the HIPAA Privacy, Security, and Breach Notification Rules, issued FAQs to guide regulated entities in providing telehealth services during the COVID-19 public health emergency. The FAQs are the latest in a series of statements by OCR that began on March 17 with the agency’s Notification of Enforcement Discretion for Telehealth Remote Communications (Notification).

HHS defines telehealth as the use of electronic information and telecommunications technologies to support and promote long distance clinical health care, patient and professional health-related education, and public health and health administration. Social distancing and other disease-control measures required to combat the COVID-19 crisis will profoundly impact each of these vital activities, and telehealth technologies are an important means of keeping them accessible to patients, providers, and the public. There are four main categories of telecommunications technologies used for telehealth:
 
  • Real-time/synchronous: video visits between provider and patient, and video consults between providers (“virtual visit” or “virtual consult”).
  • Store-and-forward/asynchronous: online exchange of medical information between provider and patient, or between providers (“eVisit” or “eConsult”).
  • Remote patient monitoring (RPM): monitors physiology and behavior, balancing functionality with the least restrictive/least expensive/most preferred environment.
  • mHealth: mobile health, or the practice of medicine and public health supported by mobile devices
Examples of telehealth technologies include the internet, video conferencing, streaming media, landlines, and wireless communication.

On March 17, OCR announced that, effective immediately, it exercises enforcement discretion and waives potential penalties for HIPAA violations against health care providers that offer telehealth services through “everyday communications technologies” (such as Skype or FaceTime). The FAQs offer several important clarifications regarding the enforcement moratorium described in the Notification:
 
  • On one hand … it applies only to health care providers, and not to other covered entities (health plans and health care clearinghouses) or to business associates. Health care providers include a range of persons and entities, such as doctors, laboratories, clinics, nurses, and hospitals, that (1) furnish, bill, or are paid for health care in the normal course of business and (2) transmit health information in electronic form in connection with a standard transaction.
  • On the other … it applies to all health care providers, with “no limitation on the patients they serve with telehealth …” For example, covered health care providers that serve Medicare and Medicaid patients are covered equally with those who serve patients covered by commercial insurance.
  • On one hand … it applies to violations of the Privacy Rule, Security Rule, and Breach Notification Rule.[1]
  • On the other … it applies only to violations that occur during “good faith provision of telehealth” during the COVID-19 crisis. It does not apply to areas of health care outside telehealth (enforcement for violations is not suspended). It also does not apply to bad faith provision of telehealth, including:
    • Conducting or furthering criminal acts, such as fraud, identity theft, and intentional invasion of privacy. 
    • Using or disclosing patient data transmitted in a telehealth communication in a manner prohibited by the Privacy Rule (for example, selling the data or using it without authorization for marketing).
    • Violating state licensing laws or professional ethical standards related to telehealth services. 
    • Using public facing remote communication products, such as TikTok, Facebook Live, Twitch, or Slack chatrooms, to provide telehealth services. Unlike non-public facing products (see below), public-facing products are designed to be open to the public or to allow wide/indiscriminate access to communications.
In the event of an unauthorized disclosure (such as a hack) during the provision of telehealth services, OCR will consider all facts and circumstances to determine whether the health care provider provided the services in good faith.
 
  • It applies to all health care services “that a covered health care provider, in its professional judgment, believes can be provided through telehealth in the given circumstances of the current emergency,” including services that are related to COVID-19 and those that are not.
  • Unless the patient consents or an emergency exists, it applies only to telehealth services conducted in a private setting (doctor in clinic and patient at home, for example). If this is not possible, the enforcement moratorium applies only to violations that occur after the health care provider has used reasonable precautions, such as speaking softly, not using a speakerphone, and asking the patient to move to a more private location, to limit incidental disclosures of health information.
  • It applies only to telehealth conducted using a “non-public facing remote communication product.” The FAQs clarify that this means a product “that, as a default, allows only the intended parties to participate in the communication.” These platforms typically employ end-to-end encryption; support individual user accounts, logins, and passcodes; and allow participants to exercise a degree of control over specific capabilities. Examples include:
Video Applications:
  • Apple FaceTime
  • Facebook Messenger video chat
  • Google Hangouts video
  • Whatsapp video chat
  • Skype
Texting Applications:
  • Signal
  • Jabber
  • Facebook Messenger
  • Google Hangouts
  • Whatsapp
  • iMessage

There is no current expiration date for the enforcement moratorium. OCR will issue a public notice when it is no longer in effect.

What about violations of 42 CFR Part 2 resulting from the provision of substance abuse disorder services via telehealth?
OCR’s March 17 Notification and March 20 FAQs do not cover violations of 42 CFR Part 2. Should federally-assisted drug abuse programs and alcohol abuse programs diagnose, treat, and refer patients for substance abuse disorders via telehealth services? In guidance issued March 20, SAMHSA states:
SAMHSA strongly recommends the use of telehealth and/or telephonic services to provide evaluation and treatment of patients. These resources can be used for initial evaluations including evaluations for consideration of the use of buprenorphine products to treat opioid use disorder. Further, these resources can be used to implement individual or group therapies such as evidence-based interventions including cognitive behavioral therapy for mental and/or substance use disorders.
 
SAMHSA has not, however, issued an enforcement moratorium for federally-assisted programs. Such programs should consider this as an important part of the risk/benefit analysis and business decision related to telehealth services. If a Part 2 program decides to proceed, it should be particularly vigilant with respect to the checklist items below in light of the highly sensitive nature of the anticipated health care communications.

Telehealth Checklist
Providers, ask yourself and document …
  • I have exercised professional judgment and determined I can provide the planned services through telehealth, under the circumstances of the COVID-19 emergency.
  • I will use only non-public facing products, such as the following, to provide telehealth services:
Video Applications:
  • Apple FaceTime
  • Facebook Messenger video chat
  • Google Hangouts video
  • Whatsapp video chat
  • Skype
Texting Applications:
  • Signal
  • Jabber
  • Facebook Messenger
  • Google Hangouts
  • Whatsapp
  • iMessage
  • I will consult with my HIPAA Privacy Officer or Security Officer, or legal counsel as required, to determine whether my platform meets this requirement.
  • I will not use public-facing products to provide telehealth services (including but not limited to TikTok, Facebook Live, Twitch, or a chat room like Slack). I will consult with my HIPAA Privacy Officer or Security Officer, or legal counsel as required, to determine whether my platform meets this requirement.
  • Unless the patient explicitly consents or an emergency exists, I can and will provide telehealth services in a private setting (for example, I am in a health care facility, and the patient is at home or in another health care facility).
  • If I will provide telehealth services in a public or semi-public setting because the patient has explicitly consented or an emergency exists, I will use reasonable precautions to limit incidental disclosures of health information (speaking softly, not using speakerphone, asking the patient to move to a more private location).
  • I am not aware of any state licensing law or professional ethical standard that prevents me from providing the planned health care via telehealth.
  • If I provide substance use disorder services through a federally-assisted drug abuse program or alcohol abuse program, I am aware that the OCR enforcement moratorium does not apply to uses and disclosures of substance abuse information that violate 42 CFR Part 2. The moratorium should still apply to violations of the HIPAA Rules that result from good-faith provision of telehealth substance use disorder services through a program not subject to 42 CFR Part 2 (i.e., one that is not a “federally assisted” program as defined by 42 CFR § 2.12(b)). If I intend to provide telehealth services for the purpose of diagnosing, treating, or referring for substance abuse disorders, I will confirm whether the services are provided through a “Part 2 program” and adjust the risk/benefit analysis accordingly.
  • I will not sell data transmitted during a telehealth communication.
  • I will use data transmitted during a telehealth communication only with the patient’s written authorization and in compliance with my facility’s policies and procedures.
  • If I will provide telehealth services by video communication, I will use a vendor that has signed a business associate agreement with me/my facility unless there has been a determination that a less secure provider is necessary to provide the most timely and accessible care during the COVID-19 crisis. If I use a less secure provider, I will:
    • Notify patients that these third-party apps introduce privacy risks; and
    • Enable all available encryption and privacy modes.
  • I have confirmed that all necessary insurance policies (including, but not limited to, professional liability insurance) provide coverage for the anticipated telehealth activities. I have also considered whether additional cyber-liability insurance is required or desirable.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
 
[1] The enforcement moratorium does not apply to violations of 42 CFR Part 2 (the HHS regulation safeguarding the confidentiality of substance use disorder patient records). The Substance Abuse and Mental Health Services Administration (SAMHSA) has issued guidance on COVID-19 and 42 CFR Part 2 – see above.
 