Today, the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) issued the news that enforcement of HIPAA penalties around telehealth, patient communication, and remote communication technologies will be suspended during the Covid-19 National Emergency and will go into effect immediately.
Here’s the official wording from the announcement:
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.
The announcement goes on to specify that healthcare providers can use any “non-public facing” remote communication product to communicate with patients. It goes on to note that the communication or service being provided the patient doesn’t have to be related to the coronavirus or Covid-19. The HIPAA exemption for use of telehealth applies to any healthcare service.
A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients. …This exercise of discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
The announcement offered a few non-HIPAA compliant services that could now be used to communicate with patients including: Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype. They do suggest that healthcare clinicians inform the patients of the privacy risk of using such technologies and that clinicians should make those applications as secure as possible by enabling encryption (done by default on most of these applications) and privacy modes if available.
Under this Notice, covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency. Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
I’m interested to see how healthcare organizations will interpret this since they listed specific popular applications. Plus, they also list popular video applications that are not covered by this enforcement discretion: Facebook Live, Twitch, TikTok, and similar video communication applications are public facing.
Under this Notice, however, Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.
For good measure, the notice does also list a number of vendors who provide HIPAA compliant video options and will sign a HIPAA business associate agreement:
- Skype for Business
- Zoom for Healthcare
- Google G Suite Hangouts Meet
I find it interesting that OCR in this notice only mentioned video applications. There are a whole suite of telehealth messaging applications that seem to fall under this enforcement discretion as well, but it’s hard to say for sure since they didn’t outline it.
In fact, it would have been very helpful if they would have highlighted the most popular communication application, SMS texting, which is not public and is technically not HIPAA compliant without patient approval. (See also this HHS guidance on texting) It’s not clear to me from this announcement whether HIPAA penalties and enforcement actions will be taken if patient communication is done by standard SMS text. It feels like SMS would fall under this as well, but I’m reaching out to see if I can get an answer to this.
That said, I think this was a good move on the part of HHS and OCR. As Stacy Hurt recently said so poignantly in our virtual meetup, patients don’t care about privacy when their life is on the line. Better communication like this could save some people’s lives.