HIPAA and Telehealth FAQ from HHS

We wrote previously about OCR's decision to suspend HIPAA enforcement for telehealth during COVID-19, and followed up with details on how to implement telehealth under that notice. We also covered the expansion of Medicare coverage and payment for telehealth. Even so, many questions remained.

The good news is that HHS has released a HIPAA and Telehealth FAQ that answers some of those questions.

You can read the full FAQ, but here are the highlights:

Telehealth is defined broadly: it can include audio, text messaging, or video communication technology, including videoconferencing software. Note that this definition only governs HIPAA enforcement; it says nothing about whether a payer will reimburse the service. That is a separate question to take up with the payer.

Health insurers that pay for telehealth services are not covered by the enforcement discretion. Their payment activities for telehealth services must still comply with HIPAA.

The enforcement discretion applies to all patients, not only those being treated for COVID-19.

It applies only to telehealth, not to the other areas HIPAA covers.

There is currently no end date for the enforcement discretion, but OCR will issue a notice when it ends.

Providers should deliver telehealth from a private area where the conversation cannot be overheard.

The enforcement discretion covers “non-public facing” remote communication products. A “non-public facing” product is one that, by default, allows only the intended parties to participate in the communication.

Examples of video products include:

  • Apple FaceTime
  • Facebook Messenger video chat
  • Google Hangouts video
  • Whatsapp video chat
  • Skype

Examples of texting products include:

  • Signal
  • Jabber
  • Facebook Messenger
  • Google Hangouts
  • Whatsapp
  • iMessage

Note that texting applications that provide end-to-end encryption and individual user accounts are included; those two features are what keep the communication limited to the intended parties.

“Public-facing” applications should NOT be used; anyone using them for telehealth remains subject to HIPAA penalties and enforcement. Examples include:

  • TikTok
  • Facebook Live
  • Twitch
  • A public chat room like Slack

Public presentations over these platforms are fine as long as no individual patient's PHI is shared on the live stream, since without a PHI disclosure HIPAA would not apply in the first place.

OCR does encourage providers to use telehealth vendors that comply with the HIPAA Security Rule and will sign a HIPAA business associate agreement (BAA). OCR also encourages providers to tell patients that third-party applications may introduce privacy risks, and to enable all available encryption and privacy modes when using them.

What other questions do you have? Let us know in the comments or on Twitter with @hcittoday.

About the author

John Lynn

John Lynn is the Founder of HealthcareScene.com, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference, EXPO.health, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.