HIPAA Compliance During COVID-19 Emergency
HIPAA Compliance During COVID-19 Emergency
The HHS Office for Civil Rights (OCR) has issued the HIPAA Notification of Enforcement Discretion during the COVID-19 emergency. This notice applies to all health care providers that are covered by HIPAA and provide telehealth services during the COVID-19 nationwide public health emergency.
Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?
- Covered health care providers will not be subject to penalties for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
- This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
- This Notification will remain in place indefinitely.
According to the OCR, the examples below may be considered a bad faith provision of telehealth services:
- Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy.
- The sale of patient data or use of patient data for marketing without authorization.
- Violations of state licensing laws or professional ethical standards that result in disciplinary actions related to the treatment offered or provided via telehealth.
- The use of unacceptable public facing forms of remote communication for telehealth such as TikTok, Facebook Live, Twitch, or a chat room like Slack.
The table below includes a list of both Acceptable and Unacceptable forms of remote communication to use for telehealth services under the HIPAA Notification of Enforcement Discretion:
| Acceptable Platforms
(Vendor will sign HIPAA agreement) * |
Acceptable Platforms
(Under Notification) |
Unacceptable Platforms
(Do Not Use) |
| Non‐Public Facing Remote Communication Product | Non‐Public Facing Remote Communication Product | Public Facing Communication Product |
| Skype for Business / Microsoft Teams Vsee Zoom for Healthcare Doxy.me Google GSuite Hangouts Meet Cisco WebEx Meetings / WebEx Teams Amazon Chime GoToMeeting Spruce Health Care Messenger |
Apple FaceTime Facebook Messenger Video Chat Google Hangouts Video WhatsApp Video Chat Zoom Skype |
TikTok Facebook Live Twitch Chat rooms such as Slack |
* Note:
OCR has not reviewed the HIPAA agreements offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. There may be other technology vendors that offer HIPAA-compliant video communication products that will enter into a HIPAA agreement with a covered entity. Further, OCR does not endorse any of the applications that allow for video chats listed above.
Quick Reminders:
- OCR will not impose penalties for any noncompliance with the HIPAA Rules that relates to the good faith provision of telehealth services during the nationwide COVID-19 public health emergency.
- Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
- If any significant system or network changes have been deployed to support telehealth, please be sure to update your risk assessment accordingly.
Reference:
Department of Health and Human Services Office for Civil Rights. FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency. Retrieved April 1, 2020 from https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf
Disclaimer:
This information is provided as a tool to help you understand the latest changes in HIPAA compliance as a result of the COVID-19 emergency. TriumpHealth employees and staff have created this presentation to the best of their knowledge and ability and make no representation or guarantee that this presentation is error-free. TriumpHealth has no liability or responsibility to any person or entity with respect to any loss of revenue, or indirect damages resulting from the potential use of this information.
by Tiffany Short & Katie Legendre | TriumpHealth
Recent Posts
- The Complete Guide To Nephrology Medical Billing
- How to Maximize Revenue with Telemedicine?
- What is MIPS? A Complete Guide for Healthcare Providers
- Proven Strategies to Maximize Patient Retention
- Importance of Provider Credentialing in Establishing a New Medical Practice
- Why Healthcare Providers are Choosing to Outsource Medical Billing and Revenue Cycle Management