OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency

The ongoing coronavirus epidemic is poised to launch a period of explosive growth for remote health care providers. The HIPAA Privacy Rule implies that exchanging ePHI remotely is acceptable for direct patient-physician communications; however, existing HIPAA guidelines on telemedicine, which affect physicians and healthcare organizations providing remote services for patients, impose much stricter requirements than most providers realize – until now.

At a March 18 press conference, President Trump announced that “Medicare patients can now visit any doctor by phone or videoconference at no additional cost, including with commonly used services like FaceTime and Skype.” This announcement effectively waives many of the HIPAA restrictions on telemedicine, in that physicians will not be subject to penalties for breaches that result from utilizing unsecured communications platforms. Shortly after the press conference, the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services announced that: “effective immediately, [OCR] will exercise its enforcement discretion and will waive potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.”

Ordinarily, the channel of communication a telemedicine provider selects must be HIPAA compliant. Under the HIPAA Security Rule, providers must use platforms that allow access only to authorized users, securely protect the integrity of ePHI, and are impervious to accidental or malicious breaches. Even under the relatively broad standard of “reasonable and appropriate safeguards,” this rule has, until now, prohibited the use of unsecure communications channels. The HIPAA telemedicine guidelines require platforms to be capable of monitoring and/or remotely deleting ePHI if necessary, as well as automatic logoff mechanisms after a relatively short period of non-use. For these reasons, unsecured channels including SMS, Skype, FaceTime, and email have been unavailable to telemedicine providers; instead, physicians must use relatively more expensive options like Skype for Businesses, which typically charge a monthly fee for encrypting their channels of communication so that messages are unreadable and unusable if intercepted over an unsecure wi-fi connection.

One reason covered entities have had to forego inexpensive options like Skype and FaceTime is that the companies that run those platforms have until now refused to sign Business Associate Agreements (BAAs) with providers. A company that enters into a BAA is then liable for any fines or civil actions in the event of a breach of ePHI due to a lack of HIPAA-compliant security measures or a failure of any existing security systems. The HIPAA Journal notes that the covered entity “would also likely fail any HIPAA audit for failing to conduct a suitable risk assessment – which might also affect receipt of payments under the Meaningful Use incentive share.”

With the OCR’s Notification of Enforcement Discretion (“Notification”), these concerns over financial penalties – the key tool used to deter breaches – will effectively be eliminated. According to the Notification, any covered provider who wishes to use audio or video communication technology to provide telehealth to patients during the COVID-19 nationwide public health emergency “can use any non-public facing remote communication product that is available to communicate with patients.” OCR will “not impose penalties for noncompliance with the HIPAA Rules in connection with the good faith provision of telehealth” using such channels of communication. Significantly, OCR’s enforcement discretion specifically extends to “telehealth provided for any reason, regardless of whether the telehealth service is related to the diagnosis and treatment of health conditions related to COVID-19.” This means that covered providers may use “popular applications […] including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype […] without risk that OCR might seek to impose a penalty for noncompliance with the HIPAA Rules related to the good faith provision of telehealth during the COVID-19 [epidemic].” The only platforms still currently prohibited are those that are “public facing,” such as Facebook Live, Twitch, and TikTok.

Communication products providers will still be required to enter into BAAs, however companies that have been unwilling to enter into such agreements will likely leap at the opportunity to break into an industry on the cusp of potentially significant growth with drastically reduced financial risk. This new, presumably temporary reprieve effectively eliminates large swaths of the HIPAA Security Rule. Indeed, providers are not even required to notify patients that these third-party applications potentially pose privacy risks – rather, they are encouraged to disclose such risks.