HIPAA Compliance During COVID-19 Emergency

The HHS Office for Civil Rights (OCR) has issued the HIPAA Notification of Enforcement Discretion during the COVID-19 emergency. This notice applies to all healthcare providers that are covered by HIPAA and provide telehealth services during the COVID-19 nationwide public health emergency.

Which parts of the HIPAA Rules are included in the Notification of Enforcement Discretion regarding COVID-19 and remote telehealth communications?

  • Covered healthcare providers will not be penalized for violations of the HIPAA Privacy, Security, and Breach Notification Rules that occur in the good faith provision of telehealth during the COVID-19 nationwide public health emergency.
  • This Notification does not affect the application of the HIPAA Rules to other areas of health care outside of telehealth during the emergency.
  • This Notification will remain in place indefinitely.

According to the OCR, the examples below may be considered a bad-faith provision of telehealth services:

  • Conduct or furtherance of a criminal act, such as fraud, identity theft, and intentional invasion of privacy.
  • The sale of patient data or use of patient data for marketing without authorization.
  • Violations of state licensing laws or professional ethical standards that result in disciplinary actions regarding the treatment offered or provided via telehealth.
  • The use of unacceptable public-facing forms of remote communication for telehealth, such as TikTok, Facebook Live, Twitch, or a chat room like Slack.

The table below includes a list of both Acceptable and Unacceptable forms of remote communication to use for telehealth services under the HIPAA Notification of Enforcement Discretion: 

| Acceptable Platforms (Vendor will sign HIPAA agreement) * | Acceptable Platforms (Under Notification) | Unacceptable Platforms (Do Not Use) |
| --- | --- | --- |
| Non-Public Facing Remote Communication Product | Non-Public Facing Remote Communication Product | Public Facing Communication Product |
| Skype for Business / Microsoft Teams | Apple FaceTime | TikTok |
| VSee | Facebook Messenger Video Chat | Facebook Live |
| Zoom for Healthcare | Google Hangouts Video | Twitch |
| Doxy.me | WhatsApp Video Chat | Chat rooms such as Slack |
| Google GSuite Hangouts Meet | Zoom | |
| Cisco WebEx Meetings / WebEx Teams | Skype | |
| Amazon Chime | | |
| GoToMeeting | | |
| Spruce Health Care Messenger | | |

* Note:

OCR has not reviewed the HIPAA agreements offered by these vendors, and this list does not constitute an endorsement, certification, or recommendation of specific technology, software, applications, or products. Other technology vendors may offer HIPAA-compliant video communication products that will enter into a HIPAA agreement with a covered entity. Further, OCR does not endorse any applications that allow video chats, as listed above.

Quick Reminders:

  • OCR will not impose penalties for noncompliance with the HIPAA Rules related to the good faith provision of telehealth services during the nationwide COVID-19 public health emergency.
  • Providers are encouraged to notify patients that these third-party applications potentially introduce privacy risks, and providers should enable all available encryption and privacy modes when using such applications.
  • Please update your risk assessment accordingly if any significant system or network changes have been deployed to support telehealth.

Reference:

Department of Health and Human Services Office for Civil Rights. FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency. Retrieved April 1, 2020 from https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf

Disclaimer:

This information is provided as a tool to help you understand the latest changes in HIPAA compliance due to the COVID-19 emergency. TriumpHealth employees and staff have created this presentation to the best of their knowledge and ability, making no representation or guarantee that it is error-free. TriumpHealth has no liability or responsibility to any person or entity concerning any loss of revenue or indirect damages resulting from the potential use of this information.

by Tiffany Short & Katie Legendre | TriumpHealth