OCR Issues Notice of Enforcement Discretion in Regard to Telehealth

The Office for Civil Rights has issued a document titled Notification of Enforcement Discretion for Telehealth Remote Communications during the COVID-19 Nationwide Public Health Emergency that communicates a relaxation in compliance requirements during these challenging times. The document states “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency…This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.”

Health care providers are permitted to use any audio or video applications to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with HIPAA requirements during the public health emergency. However, the OCR does encourage providers to notify patients that use of third-party applications may pose privacy risks.  

We recommend that our clients use Form 7.34-Patient Authorization for Disclosure of PHI via Alternative Means* to communicate this risk to patients and to obtain the contact information (cell phone number, email address, etc.) that is needed to initiate the communication.

The OCR document lists several vendors that represent that they provide HIPAA-compliant video communication products and that they will enter into a HIPAA business associate agreement (BAA). These vendors should be used if available to the practice and feasible for the patients involved. However, the OCR notice clearly states that it “will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.”

Your practice may accept the BAA that is provided by video communication vendors or, if none is offered, you may seek to obtain a signature on Form 7.22-Business Associate Agreement*.

Use of encryption is normally required in any transmission of PHI over an open electronic network (i.e., the Internet), and if encryption or other privacy modes are available in a particular application, they should be used. However, if these security measures are not available in the particular app that is chosen for telehealth, the OCR will not take enforcement action against the health care provider, according to the OCR statement quoted above.

Please refer to the OCR document in its entirety here:


* The forms mentioned in this article may be found in the Forms section of Eagle Associates’ HIPAA Policy Manual or in the Member Services area of our website. Forms are provided in Microsoft Word™ format in the Member Services area if you wish to modify the form with a specific telehealth application or other relevant information.

Please note that this enforcement discretion applies only to the provision of telehealth during the current nationwide public health emergency. The OCR will otherwise continue to enforce the Privacy and Security Rules during the emergency.

If you have any questions about telehealth or other compliance matters, our Consultants remain available by phone at (800) 777-2337 or by email at info@eagleassociates.net.