By: Sarah Cronan Spurlock and Jennifer Henry Jackson

In response to the unprecedented public health emergency presented by COVID-19, the Department of Health and Human Services, Office for Civil Rights (OCR), responsible for enforcing the HIPAA Privacy, Security, and Breach Notification Rules, issued a notification of enforcement discretion for telehealth remote communications effective immediately.

The notice includes the following statement from OCR director, Roger Severino: “We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.”

The OCR acknowledges that during the COVID-19 national emergency, providers may seek to provide telehealth services using remote connection technologies, some of which may not fully comply with HIPAA requirements.

Effective immediately, the “OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered healthcare providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”

And more specifically, the OCR will not impose penalties against covered healthcare providers for “the lack of a business associate agreement with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services.”

Guidance for Providers

For healthcare providers considering telehealth offerings during the COVID-19 public health emergency, the notification provides helpful guidance, including:

• A covered healthcare provider that wants to use audio or video communication technology to provide telehealth during this time can use any non-public facing remote communication product that is available to communicate with patients.
• The exercise of HIPAA enforcement discretion applies to telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.
• Public facing video communication applications should not be used in the provision of telehealth by covered healthcare providers.
• Providers are encouraged to notify patients that use of certain third-party applications potentially introduce privacy risks. Providers should enable all available encryption and privacy modes when using such applications.
• Although the OCR does not endorse any specific technology vendors, the notification includes a list of vendors that offer and will enter into HIPAA Business Associate Agreements.

Greater Flexibility

The OCR’s announcement is among several recent actions to provide healthcare providers greater flexibility in providing patient care in response to COVID-19.

The Centers for Medicare and Medicaid Services (CMS) has also announced waivers or modifications of certain Medicare, Medicaid and Chip requirements as well as suspension of non-emergency survey activities, “allowing providers to focus on the most current serious health and safety threats, like infectious diseases and abuse.” Additional information on CMS’s response to COVID-19 is available on the CMS web site at https://go.cms.gov/2QIsxvf.

-Sarah Cronan Spurlock and Jennifer Henry Jackson are with Stites & Harbison.