HIPAA Compliance During COVID-19 Emergency
The HHS Office for Civil Rights (OCR) has issued the HIPAA Notification of Enforcement Discretion during the COVID-19 emergency. This notice applies to all healthcare providers that are covered by HIPAA and provide telehealth services during the COVID-19 nationwide public health emergency.
Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
- Covered healthcare providers will not be penalized for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
- This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
- This Notification will remain in place indefinitely.
According to the OCR, the examples below may be considered a bad-faith provision of telehealth services:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy.
- The sale of patient data or use of patient data for marketing without authorization.
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions regarding the treatment offered or provided via telehealth.
- The use of unacceptable public-facing forms of remote communication for telehealth, such as TikTok, Facebook Live, Twitch, or a chat room like Slack.
The table below includes a list of both Acceptable and Unacceptable forms of remote communication to use for telehealth services under the HIPAA Notification of Enforcement Discretion:
| Acceptable Platforms (Vendor will sign HIPAA agreement) * | Acceptable Platforms (Under Notification) | Unacceptable Platforms (Do Not Use) |
| --- | --- | --- |
| Non-Public Facing Remote Communication Product | Non-Public Facing Remote Communication Product | Public Facing Communication Product |
| Skype for Business / Microsoft Teams | Apple FaceTime | TikTok |
| Vsee | Facebook Messenger Video Chat | Facebook Live |
| Zoom for Healthcare | Google Hangouts Video | Twitch |
| Doxy.me | WhatsApp Video Chat | Chat rooms such as Slack |
| Google GSuite Hangouts Meet | Zoom | |
| Cisco WebEx Meetings / WebEx Teams | Skype | |
| Amazon Chime | | |
| GoToMeeting | | |
| Spruce Health Care Messenger | | |
* Note:
OCR has not reviewed the HIPAA agreements offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. Other technology vendors may offer HIPAA-compliant video communication products that will enter into a HIPAA agreement with a covered entity. Further, OCR does not endorse any applications that allow video chats, as listed above.
Quick Reminders:
- OCR will not impose penalties for noncompliance with the HIPAA Rules related to the good faith provision of telehealth services during the nationwide COVID-19 public health emergency.
- Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
- Please update your risk assessment accordingly if any significant system or network changes have been deployed to support telehealth.
Reference:
Department of Health and Human Services Office for Civil Rights. FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency. Retrieved April 1, 2020 from https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf
Disclaimer:
This information is provided as a tool to help you understand the latest changes in HIPAA compliance due to the COVID-19 emergency. TriumpHealth employees and staff have created this presentation to the best of their knowledge and ability, making no representation or guarantee that it is error-free. TriumpHealth has no liability or responsibility to any person or entity concerning any loss of revenue or indirect damages resulting from the potential use of this information.
by Tiffany Short & Katie Legendre | TriumpHealth