COVID-19 has brought a lot of changes to our everyday lives. Across the globe, many have been working or schooling from home since March with no end in sight. This global pandemic has also changed how we view and seek out medical help. Telehealth is not a new concept but is being seen in a new light because of COVID-19. This quick, almost overnight switch from in-person appointments to virtual ones has come with HIPAA compliance and enforcement changes. How has this global pandemic and the increased need for telehealth changed HIPAA compliance? Let’s break down the declaration on the matter from the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS).
OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.This expansion allowed healthcare professionals to quickly move from in-person visits to virtual ones without fear of penalty. As stated in the notice:
OCR is exercising its enforcement discretion to not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth using such non-public facing audio or video communication products during the COVID-19 nationwide public health emergency.In other words, medical professionals will face no penalty if they meet with patients virtually with a non-public facing, non-HIPAA compliant tool.
Covered health care providers may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, Zoom, or Skype, to provide telehealth without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 nationwide public health emergency.Healthcare professionals should note the OCR recognizes that not all of the suggested applications are HIPAA compliant. Providers should exercise caution when using these platforms. Some popular video applications are not secure enough to be used nor permitted per this notice:
Facebook Live, Twitch, TikTok, and similar video communication applications are public facing, and should not be used in the provision of telehealth by covered health care providers.These applications are public-facing, meaning any conversation is open to and viewable by the public.
Covered health care providers that seek additional privacy protections for telehealth while using video communication products should provide such services through technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products.However, the OCR will not impose penalties on covered entities who do not enter into a BAA with a business associate .
Under this Notice, however, OCR will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors or any other noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.The OCR also notes that providers should notify patients that using these applications introduces a potential privacy risk . Doctors and their staff should always use a private network, enable any available encryption, turn on any privacy modes with these applications, and make sure all applications are up-to-date.